Method and apparatus for transaction and identity verification

Abstract

A method and apparatus whereby the senders and receivers of messages sent over a transmission system including a Host CPU may guarantee the integrity of the data content of the message and also the absolute identity of the sender. Each user of the system as well as the Host CPU contains an identical key-controlled block-cipher cryptographic device with data chaining for encrypting and decrypting messages as required, wherein each user has knowledge of only his own cryptographic key and wherein the Host CPU has access to the unique cryptographic keys of all users of the system stored in a high security storage area available only to said CPU. Stated very generally, the originator of a message A sends a message to a receiver B which includes a transaction or message portion X and a unique digital signature portion Y which is a function both of the message and the senders unique cryptographic key K.sub.A. The receiver then communicates with the CPU for verification of the signature Y. The CPU accesses the sender's key K.sub.A from a secure memory and computes the digital signature Y utilizing the message portion X received from B and the key K.sub.A. Upon a successful verification of the signatures by the CPU, the CPU notifies B via an additional message that the signature of A is valid based on the data content of the message and the key K.sub.A. Based on the information received from the CPU, B may be certain that the signature and message originated with A and A may not later deny having sent the message as it would be virtually impossible for the signature to be forged since it is a complex function of the message content itself. A may also be assured that B cannot alter the message as the signature would no longer be valid. According to other aspects of the invention the interrupting of communications between A and B by an eavesdropper and the subsequent sending of stale messages is prevented. As a still further feature of the invention, an eavesdropper is prevented from sending the "forged" approval from the CPU to the receiver B.

Claims

Having thus described my invention, what I claim as new, and desire to secure by Letters Patent is:

1. A method for effecting a high security transaction verification operation in a computer based communications system comprising a central Host CPU which includes a high security Verify Unit (VAULT) therein said system including at least two remotely located terminals selectively connectable to said Host CPU and wherein said Verify Unit and each of said terminals includes substantially identical key-controlled block cipher cryptographic devices with block chaining included therein said method comprising:

User A (originator) at a first terminal sending User B (receiver) at a second terminal a message M having a data portion (X) and a signature portion (Y) said signature portion being a block cipher function of A's key K.sub.A and the data portion (X), such that M=(X,Y);

User B on receipt of the message (X,Y) reencrypting same under his own key K.sub.B to form a message U, sending said message U to the Host CPU together with the identities of User A and User B (originator, receiver), and requesting a verification operation from said Host CPU,

the Host CPU, after receiving said message, obtaining the keys K.sub.A and K.sub.B from a secure storage means and decrypting U under key K.sub.B to obtain message U which presumptively comprises a message portion U.sub.1 and a signature portion U.sub.2 ;

the Host CPU then forming a signature utilizing U.sub.1 as the data input and K.sub.A as the key input to the cryptographic device and comparing this signature with the signature value U.sub.2 received from User B, and

the Host CPU returning an accept/reject signal to User B depending upon whether or not the two signatures are identical.

2. A method as set forth in claim 1 wherein, after determining the validity of the received signature U.sub.2 the Host CPU then generating a new signature V for the received message U which is a predetermined function of the key K.sub.B and the previously decrypted message U depending upon the result of said signature comparison operation, and

sending the message V to User B;

User B on receipt of the message V computing a signature V' which is a predetermined function of his own key K.sub.B and the message (X,Y) initially received from User A and comparing same with the message V for correspondence.

3. A transaction verification method as set forth in claim 2, including said Verify Unit utilizing the data .about.U (the logical complement of U) for generating the signature message V when a valid signature from User A is to be acknowledged and utilizing the data U to produce the signature V when the signature for User A is found to be incorrect, and said User B utilizing the data .about.(X,Y) (the logical complement of X,Y) to produce the signature message V' and comparing V' with the signature message V received from Host CPU.

4. A transaction verification method as set forth in claim 2 whereby the security of the individual user keys K.sub.Z is maintained by storing all said individual user keys in the Host CPU under a master system key K.sub.HV and accessing a particular encrypted key K.sub.Z * belonging to an identified User Z from the Host CPU memory and decrypting same under said master key K.sub.HV in the said Verify Unit.

5. A transaction verification method as set forth in claim 4 including utilizing a master system transmission key K.sub.T for all communications between Users and between any User and the Host CPU subject to eavesdropping and wherein said transmission encryption operation is superimposed upon all messages between such system entities wherein all messages must first be encrypted under the system transmission key K.sub.T before transmission and decrypted under said transmission key K.sub.T upon receipt from another unit.

6. A method for transaction verification as set forth in claim 4 including forming all signatures in the present system by selecting as said signatures a predetermined final number of bytes of the block chained encryption of the full data input to said key controlled block-cipher cryptographic device with chaining wherein said signature is a direct function of and fully dependent upon the entire content of the data input to said cryptographic device.

7. A transaction verification method as set forth in claim 2 including the User A forming the initial message M utilizing the unique counter value from his own terminal (CT.sub.orig) a unique counter value (CT.sub.rec) obtained from the receiver's (User B) terminal and, the current date and utilizing this information as a header on the message (X) and said User B, upon receiving said initial message, checking the date, and the value of the counter CT.sub.rec for correspondence with a stored value which was previously sent User A upon the initial contact between User A and User B and aborting said transaction if either of said values fails to agree.

8. A transaction verification method for use in a computer based communication system comprising a central Host CPU which includes a high security Verify Unit therein said system including a plurality of remotely located terminals selectively connectable to each other and to said Host CPU via said communications system and wherein said Verify Unit and each of said terminals includes substantially identical key-controlled block-cipher cryptographic devices with block chaining, said method comprising User A (originator), at a first terminal sending User B (receiver) at a second terminal a message M having a data (X) portion and a signature portion (Y) said signature portion being a block-cipher function of User A's key K.sub.A and the data portion (X) such that: M=(X,Y);

User B on receipt of said message M reencrypting said entire message M under his own key K.sub.B to form a message U, sending said message U to the Host CPU together with the identities of User A and User B and requesting a verification operation from said Host CPU;

the Host CPU, upon receipt of said message from User B, requesting a verify operation from its associated Verify Unit and providing the message information U to said Verify Unit;

said Verify Unit obtaining the keys K.sub.A and K.sub.B from a secure storage means located in said Host CPU and decrypting U under key K.sub.B to obtain message U which comprises a data portion U.sub.1 and a signature portion U.sub.2, the Verify Unit then forming a signature utilizing the data portion U.sub.1 as the data input and the key K.sub.A as the key input to its associated cryptographic device and comparing the signature so generated with the signature value U.sub.2 received from User B, said Verify Unit after determining the validity of the received signature U.sub.2 then generating a new signature V for the message U which signature is a predetermined function of the key K.sub.B and the previously decrypted message U the particular function being dependent upon the result of said signature comparison operation and sending the message V to User B;

User B upon receipt of the message V computing a signature V' which is a predetermined function of his own key K.sub.B and the message (X,Y) initially received from User A and comparing same with the message V for correspondence; and

wherein all signature generation operations in the previous enumerated signature generating steps comprise selecting as said signatures a predetermined final number of bytes of the block chained encryption of the full data input to said associated key-controlled block-cipher cryptographic devices with chaining wherein each said signature is a direct function of and fully dependent upon the entire data content supplied to said cryptographic device.

9. A transaction verification method as set forth in claim 8 wherein the individual User keys K.sub.Z are stored in the Host CPU system memory in encrypted form under a Verify Unit master key K.sub.HV and said individual keys are obtained from said Host CPU by the Verify Unit by accessing said Host at addresses derived from the identities of the Users A and B supplied to said Verify Unit, and decrypting said keys under the master key K.sub.HV to obtain the original User's keys K.sub.A and K.sub.B.

10. A transaction verification method as set forth in claim 9 including User B supplying to User A a counter value CT.sub.rec when User B is first contacted for a transaction by User A, and User B concurrently storing in a local memory said counter value CT.sub.rec, User A forming the initial message M utilizing the unique counter value from his own terminal CT.sub.orig, the counter value CT.sub.rec previously obtained from User B's terminal and the current date as a header on the transaction message (X) and said User B, upon receiving said initial message M, checking the date and the value of the counter CT.sub.rec for correspondence with said stored value and aborting such transaction if either the date or the counter values fail to agree.

11. A computer based communications system having a high security transaction verification feature incorporated therein, said system comprising a Host CPU which includes a high security Verify Unit therein, said system further including a plurality of remotely located terminals including means for selectively connecting each terminal to said Host CPU or to another terminal via the communications network associated therewith, said Verify Unit and each of said terminals including substantially identical key-controlled block-cipher cryptographic devices equipped with a block chaining feature, each terminal including means actuable when said terminal is used as an originating device (Terminal A) in a transaction to send a message M to another terminal acting as a receiver (Terminal B) said message M having a data portion (X) and a signature portion (Y), means for actuating the cryptographic device located in said terminal to form said signature (Y) as a block-cipher function of Terminal A's key K.sub.A and the data portion (X) such that M=(X,Y);

means in the receiving terminal (Terminal B) actuable on receipt of the message M from (Terminal A) for reencrypting said message under the terminal's own key K.sub.B to form a message U and means for sending said message U to the Host CPU together with the identities of the originating and receiving terminals (Terminal A and Terminal B) and means for requesting a verification operation from said Host CPU;

means in said Host CPU actuable upon the receipt of said message for obtaining the keys K.sub.A and K.sub.B from memory and for requesting a verify operation from the Verify Unit associated therewith;

means in said Verify Unit for decrypting the message U under terminal B's key K.sub.B to obtain a decrypted message U which comprises a message portion U.sub.1 and a signature portion U.sub.2, means in said Verify Unit for forming a signature utilizing U.sub.1 as a data input and the originating terminal's key K.sub.A as the key input to the cryptographic device contained therein and means for comparing the signature so generated with the signature value U.sub.2 received from terminal B;

means in said Verify Unit for returning an accept/reject signal to receiving terminal B depending upon whether the two signatures are identical.

12. A communication system as set forth in claim 11 wherein said means in said Verify Unit for returning an accept/reject signal to the receiving terminal B comprises means for generating a signature V including means for supplying the decrypted data message U, previously received from terminal B as the data input to the cryptographic device in the Verify Unit, and for supplying the key K.sub.B as the key input to said cryptographic device and means for transmitting said derived signature V to the terminal B;

means in said terminal actuable on receipt of the signature V to generate a signature V' using the logical complement of the original message M as the data input to said terminal's cryptographic device and the terminal B's key K.sub.B as the key input to said device and means for comparing the generated signature V' with the signature V received from the Verify Unit.

13. A communication system as set forth in claim 12 wherein said means for generating the signature V within the Verify Unit comprises means actuable in response to the comparison between the signatures U.sub.2 and that generated from U.sub.1 and K.sub.A to supply the logical complement of U to the encryption device in the Verify Unit upon a successful comparison and for supplying the true value of U to said encryption device if said comparison is unsuccessful.

14. A communication system as set forth in claim 13 including key storage means in the Host CPU for storing all of the individual user keys K.sub.Z in system memory in encrypted form under a master storage key K.sub.HV which is resident in a high security storage means within the Verify Unit;

means for generating key storage addresses based on the identity of the particular terminals involved in a given transaction and for transmitting accessed, encrypted keys K.sub.Z to the Verify Unit and means operative therein to decrypt said keys to obtain the actual keys for use in the transaction verification operations.

15. A communication system as set forth in claim 14 including transmission encryption means resident in all terminals of said system and in the Host CPU for encrypting all messages transmitted between terminals and between a terminal and the Host CPU under a master transmission key K.sub.T and means for decrypting all received messages under said same encryption key K.sub.T.

16. A communication system as set forth in claim 14 including means associated with the cryptographic device in said terminals and said Host CPU for forming all signatures utilized within the system by selecting a predetermined final number of bytes of the encrypted output of said cryptographic devices said output being derived from the entire data message input to said cryptographic device whereby said signatures are dependent upon the entire data message being encrypted.

17. A communication system as set forth in claim 12 including counter means resident in each terminal for producing a time dependent count value and means for including a predetermined current count value of the counters in both the originating and receiving terminals as a part of a message header which is incorporated in the data portion (X) of the message M transmitted from the originating terminal A to the receiving terminal B, means resident in each terminal for placing a quantity indicative of the date of a particular transaction as a portion of the header in any message M transmitted to another terminal, and means within each terminal for verifying the proper relationship of the count values and date for any received message wherein a transaction verification is to be requested.

Description

DESCRIPTION

1. Technical Field

The present invention relates to a high security communication system including a plurality of users or terminals connected to each other via a common communication link which is in turn connected to a Host CPU. By means of the present system it is possible for a sender A to communicate a specific transaction to a user B with an extremely high degree of integrity or confidence in the transaction. Utilizing the present system the following threats to transaction integrity may be substantially eliminated.

The first threat is reneging, wherein the sender engages in a transaction with a receiver sending data which he may subsequently attempt to disown. Thus, the receiver must know with certainty that the sender sent the specific message which fact may be proven subsequently.

A second possible threat to such a system is forgery, wherein the receiver may allege that he received a message from a given sender, which message is a fabrication, thus, it must be possible for the sender to prove that the supposed message was in fact a forgery.

A third threat is similar to forgery namely that of alteration, wherein the receiver might alter the message in a material way which would do some financial or other harm to the alleged sender. Thus, any alteration of such a message must be identifiable by the alleged sender.

A still further threat is where a sender or other person by penetrating the communication system would attempt to fool a receiver into accepting a transaction as valid from some sender by manipulation of the operating system, such as by eavesdropping and the capture and resending of stale messages or the fabrication of "approval" signals from the CPU, etc. The system must thereby guarantee B that such penetration is not possible. A final threat is masquerading, wherein a user on the system would attempt to masquerade as a different user to a third party. This would normally be done by means of a combination of the above threats.

It must be assumed that all users are linked to the host telecommunication system in common and that their messages are enciphered by a common encipherment process. Accordingly, the integrity of the communication's security, or lack of it, will play no role in the verification of transactions.

There are many potential uses for such a system in the modern business community. Potential applications are in the area of stock market transactions carried out over the communications systems, automatic banking transactions, electronic mail and/or any other system in which digitalized messages are sent and received over public communications channels and wherein the integrity of both the messages and the originators must be absolutely guaranteed.

It is accordingly a primary object of the present invention to provide such a high security communication system wherein both the transaction content and the signatures of senders may be completely verified and wherein all of the above enumerated threats may be substantially eliminated.

It is a further object to provide such a system utilizing readily available communications and computational hardware organized and operated in the manner set forth herein to produce such a system.

Other objects, features and advantages of the system will be apparent from the subsequent description of the system and claims.

2. Background Art

The following publications all relate to various types of electronic or digital signature systems generally using various types of approaches to achieve data and/or message integrity. The systems disclosed in these publications differ considerably in both approach and results to the system disclosed herein. (1) M. O. Rabin, "Signature and Certification by Coding," IBM Technical Disclosure Bulletin, Vol. 20, No. 8, pp. 3337-8, (January 1978). (2) W. Diffie, M. Hellman, "New Directions in Cryptography," IEEE Trans. on Information Theory (November 1976). (3) R. L. Rivest, A. Shamir and L. Adleman, "On Digital Signatures and Public-Key Crypto-Systems," M.I.T. Laboratory for Computer Science Report, MIT/LCS/TM-82 (April 1977).

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 comprises an overall block diagram of the high security communication system of the present invention.

FIG. 2 comprises a functional block diagram of a preferred embodiment of one of the terminal blocks illustrated in FIG. 1.

FIG. 3 comprises an organizational drawing for FIGS. 3A and 3B.

FIGS. 3A and 3B comprise a functional block diagram of the Verify Unit block attached to the Host CPU block shown in FIG. 1.

FIG. 4 comprises an organizational drawing for FIGS. 4A and 4B.

FIGS. 4A and 4B comprise a detailed functional block diagram of the Verify Unit Controller block shown in FIG. 3B.

FIG. 5 comprises an organizational drawing for FIGS. 5A through 5G.

FIGS. 5A through 5G comprise a detailed operational flow chart illustrating the operation of the herein disclosed high security communications system.

DISCLOSURE OF INVENTION

For a better comprehension of the invention there will follow a general discussion of the underlying principles, first of a general transaction and identity verfication system, and then, a discussion of the broad application of these principles to the presently disclosed system. Finally there will follow a detailed description of the presently disclosed hardware which constitutes the best mode configuration.

As stated generally above, a transaction verification system having a high degree of integrity or security must incorporate a number of particular features. Suppose a User A (the originator of the transaction) wishes to send a data block D to a User B (the recipient of the transaction), the architectural requirements of the transaction verification system and the protocols which said system must follow must include the following features. The User A must provide with the message D some information, which is referred to herein as the signature (S), which signature must be dependent both on the data and the particular user. The system must be such that a valid signature S based on data D by User A must be essentially impossible for User B to construct. Similarly, no other person having access to the system should be able to construct said signature. Further, the system must include a mechanism whereby the User B can verify that S is a proper signature for the data D by the User A. The system must also provide a mechanism whereby the data content of a message validly received by B cannot subsequently be denied by the originator A. Further, the verification process must be uneffected by penetration of the operating system. Finally, the verification process must have some time dependence to prevent the reuse of stale messages obtained validly by, for example, the recipient B, or by some third party eavesdropping on the system.

The following describes a system architecture and protocol which accomplishes the above enumerated features.

It should first be understood that the present system utilizes a key-controlled block-cipher cryptographic system referred to hereinafter as DES and in the formulas and drawings by the symbol .pi.. A preferred embodiment of such an encryption device is that set forth in the National Bureau of Standards Federal Information processing standard entitled, "Encryption Algorithm for Computer Data Protection." The standard together with a complete technical description is contained in the publication, "Data Encryption Standard," Federal Information Processing Standard (FIPS), Publication 46, National Bureau of Standards, U.S. Department of Commerce (January 1977). While other key-controlled block-cipher cryptographic systems could be utilized in the invention, the above-referenced system is preferred.

Further, the particular cryptographic system used must incorporate data chaining. Chaining is introduced to make each bit of the signature S functionally dependent upon each bit of the data. For the description of such a block-chaining system, reference is made to U.S. Pat. No. 4,078,152 of L. B. Tuckerman entitled, "Block-Cipher Cryptographic System with Chaining."

The encryption algorithm or the operation performed by the .pi. block utilized in the present embodiment performs an operation represented by the formula:

cleartext D.fwdarw..pi.(K,D) ciphertext

This denotes the encipherment of the (cleartext) data D (of a fixed length of at least 8 bytes) by the DES encryption system using chaining with the key K. In the following description the subscript A in (K.sub.A) denotes the particular private key of the User A. The inverse operation or decipherment (.pi..sup.-1) is denoted by the following formula:

ciphertext .pi.(K,D).rarw..pi..sup.-1 (K,.pi.(K,D))=D cleartext

The following description is essentially a description of the protocol involved or method by which the present invention is realized. For purposes of this description FIG. 1 may be referred to. It will be noted that the overall system shows a number of terminals or users connected over a data communication network to a Host CPU. It will further be noted that the Host CPU is partitioned into the Host and a Verify Unit which is a high security device accessible only to the operating system and high security personnel who would be authorized to handle the various User Keys K.sub.X as well as the master Verify Unit key which will be denoted subsequently as K.sub.HV.

At the system initialization time, the Host operating system enciphers each user key according to the following formula:

K.sub.A .rarw..pi.(K.sub.HV,K.sub.A)=K.sub.A.sup.*

In the above formula symbol K.sub.A refers to User A's personal key and K.sub.HV is the Verify Unit master key as indicated above. The result of all computations are stored in the regular Host CPU's memory in the following format:

    ______________________________________
    A           .rarw.   .fwdarw. K.sub.A *
    B           .rarw.   .fwdarw. K.sub.B *
                .
                .
                .
    Z           .rarw.   .fwdarw. K.sub.Z *
    ______________________________________
     *TABLE-

    ______________________________________
    VERIFY UNIT CONTROL POINT
    FUNCTIONAL DEFINITION TABLE
          Func-
          tional
    Con-  Unit
    trol  Con-
    Signal
          trolled  Operation Controlled
    ______________________________________
    C1    CP1      INPUT BUS .rarw. HOST CPU DATA
    C2    CP2      A-REG .rarw. INPUT BUS DATA
    C3    CP3      B-REG .rarw. INPUT BUS DATA
    C4    CP4      RWM .rarw. INPUT BUS DATA
    C5    CP5      S-REG .rarw. INPUT BUS DATA
    C6    CP6      C-D BUS .rarw. A-REG DATA
    C7    CP7      CLEAR A-, B-REGS TO ZERO
    C8    CP8      C-D BUS .rarw. B-REG DATA
    C9    CP9      READ/WRITE MODE AND ENABLE
                   CONTROL
    C10   CP10     PASS/INVERT RWM OUTPUT DATA
    C11   CP11     C-D BUS .rarw. RWM DATA
    C12   CP12     C-D BUS .rarw. K.sub.HV REG DATA
    C13   DES      LOAD DES KEY BUFFER FROM C-D
                   BUS
    C14   DES      LOAD DES DATA BUFFER FROM C-D
                   BUS
    C15   DES      CONVERT DATA (CRYPTOGRAPHIC
                   PROCESSING)-SELECT MODE -
                   INITIATE OPERATION
    C16   CP16     INPUT BUS .rarw. DES OUTPUT DATA
    C17   CP17     OUTPUT BUS .rarw. S-REGISTER DATA
                   COMPARATOR .rarw. S-REGISTER DATA
    C18   CP18     HOST CPU .rarw. OUTPUT BUS DATA
    ______________________________________

    ______________________________________
    HOST CPU/VERIFY UNIT INTERFACE
    DEFINITION TABLE
    Handshake
    Signal     Function
    ______________________________________
    RQVRF      Inform VU of request for verification
    RQV        Inform VU of request for derived sig-
               nature V
    KA*RDY     Inform VU that KA* data are ready for
               transfer
    KB*RDY     Inform VU that KB* data are ready for
               transfer
    URDY       Inform VU that U data are ready for
               transfer
    BUSY       A flag indicating Verify Unit status
    RQKA*      Inform CPU of request for KA* data
    RQKB*      Inform CPU of request for KB* data
    RQU        Inform CPU of request for U data
    VRDY       Inform CPU derived signature V is ready
               for transfer
    ______________________________________

    ______________________________________
    DEFINITION OF TERMS TABLE
    ______________________________________
    1.     M: message (i.e., Busy 50 shares RDQ common . . .)
    2.     D:data: (A, B, date, CT.sub.orig, CT.sub.rec, M)
    3.     S(K.sub.A, D): Signature of data D: S(K.sub.A, D): last
           eight bytes of the chained encipherment of D
           by DES using the key K.sub.A.
    4.     (X,Y): the message received from User A,
           presumptively equal to (D,S(K.sub.A,D).
    5.     CT: a current counter value at a particular
           terminal (orig/rec)
    6.     K.sub.A : User A's key - K.sub.B : User B's key
    7.     K.sub.HV : Verify Unit's master key
    8.     K.sub.Z *: .pi.(K.sub.HV, K.sub.Z), i.e., for any user Z
    9.     .pi./.pi..sup.-1 : encryption/decryption under an encryption
           key
    10.    U = .pi.(K.sub.B, (X, Y))
    11.     --U = .pi..sup.-1 (K.sub.B,U) = ( --U.sub.1, --U.sub.2)
    12.     --U.sub.1  =  --U[1,n]: -  --U.sub.2  =  --U[n + 1,n + 8]
    13.    V = S(K.sub.B, --Uor S(K.sub.B, .about. --U)  = last eight bytes
           of
           the chained encipherment of U by DES using the
           key K.sub.B
    14.    If S(K.sub.B, .about. --U) = S(K.sub.B .about.(X,Y)) then
           signature of A
           is valid for message X.
    ______________________________________

    ______________________________________
    Operational Sequence List
    for Verify Unit
    ______________________________________
    Definitions
    RWM:    Read/Write Memory
    RWMAG:  Read/Write Memory Address Generator
    IMPX:   Input Multiplexer
    DES Unit:
            Data Encryption Standard Unit
    (Ci):   i-th Control Point, activation of
    RESET:  RWMAG set to zero
    LOAD:   Contents of internal storage register are
            loaded into RWMAG
    COUNT:  Enables RWMAG to count
    U/--D:  Up (1) /down (0) count-mode control for RWMAG
    SAVE:   Contents of RWMAG are saved in internal storage
            register
    CLEAR:  All handshake control output lines are
            cleared to zero
    STEP
    1       CLEAR
    2       Set IMPX ADDRESS to 2
             TEST RQVRF:
             If 0, hold;
             If 1, continue
    3       Set BUSY to 1
    4       Set RQKA* to 1
    5       Set IMPX ADDRESS to 4
             TEST KA*RDY:
             If 0, hold
             If 1, continue
    6.1     Load A-Register with KA* from Host CPU. (C1,C2)
    6.2     Clear RQKA* to 0
    7       Set RQKB* to 1
    8       Set IMPX ADDRESS to 5
    9
    9.1     Load B-Register with KB* from Host CPU. (C1,C2)
    9.2     Clear RQKB* to 0
    10      Set RQU to 1
    11      Set IMPX ADDRESS to 6
            Test URDY:
             If 0, hold
             If 1, continue
    12
    12.1    RESET
    12.2    Set U/--Dto 1
    12.3    Set RWM for write operation (C9)
    12.4    Set IMPX ADDRESS to 6
    12.5    Load one data byte of U from Host CPU to RWM
            via Input-Bus (C1,C4)
    12.6    Test URDY:
             If 1, increment RWMAG and go to step 12.5;
             If 0, continue
    12.7    Clear RQU to 0
    12.8    SAVE
    13
    13.1    Load key KHV into DES Unit (C12,C13)
    13.2    Load data from A-Register (KA*) into DES Unit
            (C6,C14)
    13.3    Decipher data (C15)
    13.4    Read 7 bytes of data (KA) from DES Unit into
            A-Register (C16,C2)
    14
    14.1    Load key KHV into DES Unit (C12,C13)
    14.2    Load data from B-Register (KB*) into DES Unit
            (C8,C14)
    14.3    Decipher data (C15)
    14.4    Read 7 bytes of data (KB) from DES Unit into
            B-Register (C16,C3)
    15
    15.1    Load N + 8 into Microprogram Controller
    15.2    Load Key K.sub.B into DES Unit (C8,C13)
    15.3    Set U/--Dto 1
    15.4    RESET
    15.5    SAVE
    15.6    Set RWM for read operation (C9,C10)
    15.7    Load 8 bytes of U data from RWM into DES Unit
            (C11,C14)
    15.8    Decipher data (C15)
    15.9    LOAD
    15.10   Set RWM for write operation (C4, C9)
    15.11   Store 8 bytes of  --Udata from DES Unit in
            RWM (C16,C4)
    Repeat steps 15.5 through 15.11 as necessary
    until N + 8 bytes of U data have been processed.
    16
    16.1    Decrement RWMAG by 8 (RWMAG .rarw. N)
    16.2    SAVE
    16.3    Load N into Microprogram Controller
    16.4    RESET
    16.5    Set U/--Dto 1
    16.6    Load Key KA into DES Unit (C6,C13)
    16.7    Set RWM for non-inverting read operation
            (C9,C10)
    16.8    Load 8 bytes of  --U.sub.1 data from RWM into DES Unit
            (C11,C14)
    16.9    Encipher data (C15)
    Steps 16.8 and 16.9 are repeated as necessary until
    a total of N bytes of data ( --U.sub.1) have been processed
    from RWM. (A short block, if one occurs, and chain-
    ing linkages are handled internally by the DES Unit). -
      16.10     Read final 8 bytes of data from the DES Unit
      into the S-Register (C16,C5)
      [S-REGISTER .rarw. S(KA, --U)]
    17
    17.1
      LOAD (RWMAG .rarw. N)
    17.2
      Set U/-- D to 1
    17.3
      Set RWM for non-inverting read operation
      (C9,C14)
    17.4
      Set IMPX ADDRESS to 1
    17.5
      Increment RWMAG
    17.6
      Read data byte from RWM to comparator Q input
      (C11)
    17.7
      Read data byte from S-Register to comparator P
      input (C17)
    17.8
      Test S2 (S2 = O), go to step 17.5 if additional
      bytes of S(KA, --U.sub.1) remain to be tested; else,
      go to step 19
    18
    18.1
      LOAD (RWMAG .rarw. N)
    18.2
      Increment RWMAG by 8 (RWMAG .rarw. N + 8)
    18.3
      Load N + 8 into Microprogram Controller
    18.4
      RESET (RWMAG .rarw. 0)
    18.5
      Load Key KB into DES Unit (C8,C13)
    18.6
      Set RWM for non-inverting read operation
      (C9,C10)
    18.7
      Load 8 bytes of  --Udata from RWM into DES Unit
      (C11,C14)
    18.8
      Encipher data (C15)
    Steps 18.7 and 18.8 are repeated as necessary until
    N + 8 bytes of  --Udata have been processed. (A short
    block, if one occurs, and chaining linkages are
    handled internally by the DES Unit).
    18.9    Read final 8 bytes from DES Unit into the
            S-Register (C16,C5)
            [S-REGISTER .rarw. S(KB, --U)]
    19
    19.1    LOAD (RWMAG .rarw. N)
    19.2    Increment RWMAG by 8 (RWMAG .rarw. N + 8)
    19.3    Load N + 8 into Microprogram Controller
    19.4    RESET
    19.5    Set U/--Dto 1
    19.6    Load key KB into DES Unit (C8,C13)
    19.7    Set RWM for inverting read operation (C9,C10)
    19.8    Load 8 bytes of inverted  --Udata from RWM into
            DES Unit (C11,C14)
    19.9    Encipher data (C15)
    Steps 19.8 and 19.9 are repeated as necessary
    until N + 8 bytes of  --Udata have been processed.
    (A short block, if one occurs, and chaining
    linkages are handled internally by the DES
    Unit).
    19.10   READ FINAL 8 bytes from DES Unit into the
            S-Register (C16,C5)
            [S-REGISTER .rarw. S(KB,.about. -- U)]
    20      Set VRDY to 1
    21      Set IMPX ADDRESS to 3
            Test RQV:
             If 0, hold
             If 1, continue
    22      Read 8 bytes of V data from S-Register to
            Host CPU (C17,C18)
    23      Clear A- and B-Registers (C7)
    24
    24.1    CLEAR (Handshake control output lines cleared
            to 0)
    24.2    Go to step 2
    ______________________________________

• Inventors
  Konheim, Alan G.;
• Assignee
  International Business Machines Corporation (Armonk, NY)
• Published
  Apr-28-1981
• Current US Classes:
  340/5.73
  380/277
  380/281
  380/37
  705/75
  713/170
  713/176
  713/200
• Application #
  053589
• International Classes
  H04L 009/00
• Field of Search
  178/22 340/149 375/2 364/200
• Examiner
  Birmiel; Howard A.
• Agent
  Schlemmer, Jr.; Roy R.
• US Patent References:
  4123747
  4182933
  4186871