EUROPEAN PATENT SPECIFICATION. (51) intci.e: H04L9/06, H04L9/08. (56) References cited: DE-A US-A

Transcription

1 Europaisches Patentamt (19) (12) European Patent Office Office europeen des brevets EP B1 EUROPEAN PATENT SPECIFICATION (45) Date of publication and mention of the grant of the patent: Bulletin 1999/44 (51) intci.e: H04L9/06, H04L9/08 (21) Application number: (22) Date of filing: (54) Method and apparatus for high bandwidth encryption/decryption using a low bandwidth cryptographic module Verfahren und Einrichtung zur breitbandigen VerVEntschlusselung unter Verwendung eines schmalbandigen kryptographischen Moduls Procede et dispositif pour ch iff rage/dech iff rage a large bande utilisant un module de cryptographie a faible bande (84) Designated Contracting States: DE FR GB NL (30) Priority: US (43) Date of publication of application: Bulletin 1996/40 (73) Proprietor: AT&T IPM Corp. Coral Gables, Florida (US) (72) Inventor: Blaze, Matthew A. Hoboken, New Jersey (US) (74) Representative: Buckley, Christopher Simon Thirsk et al Lucent Technologies (UK) Ltd, 5 Mornington Road Woodford Green, Essex IG8 0TU (GB) (56) References cited: DE-A US-A FR-A BLAZE MATT: "Key Management in an Encrypting File System", PROCEEDINGS OF THE SUMMER USENIX CONFERENCE, Boston, MA, USA, , vol., no., pages 27 to 35 BLAZE MATT: "Cryptographic file system for Unix", PROCEEDINGS OF THE 1ST ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, Fairfax, VA, USA, , vol., no., pages 9 to 16 Remarks: The file contains technical information submitted after the application was filed and not included in this specification DO 00 CO Iso a. LU Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention). Printed by Jouve, PARIS (FR)

2 Description [0001] This invention relates to methods of encrypting data, methods of decrypting data, cryptographic systems, hosts for encrypting data, hosts for decrypting data, and cryptographic modules. 5 [0002] Cryptographic modules, such as smartcards, are an important building block in many modern security applications. In particular, smartcards' tamper-resistant packaging, low cost, inherent portability, and loose coupling to a host make them especially attractive for use as secret key storage tokens when the host cannot be trusted to itself store a secret key. Unfortunately, these same attractive properties may also limit the utility of smartcards for certain applications. For example, the loose coupling and low cost properties of a smartcard typically imply that the card cannot 10 process data at nearly the speed of the host to which it is coupled. [0003] Because bandwidth requirements are minimal in some applications (such as digital signatures), the low bandwidth of smartcards is not an impediment to their implementation in those applications. Other applications, however, (such as, file encryption, encrypted real-time traffic, and encrypted multimedia and video) by their very bandwidthintensive nature, require the encryption and decryption of large amounts of data under the smartcard's secret key. For is those applications, the bandwidth of existing smartcards is a serious bottleneck because the speed of the entire system is limited by the latency and bandwidth of the card interface as well as the computational capability of the microprocessor embedded in those smartcards. [0004] In response to this problem, consideration has been given to engineer a smartcard (and its interface to the host or the card reader) so that its processing performance rivals the processing capability of the attached host. This 20 is not always technologically feasible when one considers the stringent dimension requirements of smartcards. More importantly, increasing the processing performance of a smartcard to match the processing capability of an attached host would significantly increase the total cost of the system, perhaps prohibitively for most applications. Other solutions propose limiting smartcards operations to key storage functions only, thereby shifting as much of the processing load as possible from the slow, computationally limited smartcard to the much faster and powerful processing capabilities 25 of the host. Those solutions defeat the purpose of using a smartcard for security purposes since implementation of those solutions requires making the key available to the host, prior to the performance of any cryptographic task. Hence, implementation of those solutions implies that the host processor is trusted with the key, which opens the door for a wide variety of security breaches. Thus, a problem of the prior art is the lack of a secure cryptographic system for encryption and decryption of large amounts of data using a smartcard's secret key. 30 [0005] FR-A is directed to a data communication/transfer system using a session key and a common key between two electronic apparatuses. Specifically, each electronic apparatus stores a predetermined common key used for encryption/decryption. The first apparatus encrypts the common key with a generated session key and transmits the encrypted session key to the second apparatus. The second apparatus decrypts the encrypted session key with the stored common key and uses the decrypted session key to encrypt data to be transferred to the first apparatus. 35 [0006] DE-A is directed to a method of encoding or decoding large data files using a server and a chip card, which contains two keys. The server and card first determine a random vector, related to the length of a block of data, which is stored in the server. Thereafter, a first key is sent to a server, which encodes the block of data according to an exclusive OR operation. Once all the blocks are encrypted using the first key, every kth block is sent to the chip card in which the block is encoded a second time with the second key. The twice encoded blocks are sent back to the 40 server to replace the corresponding once encoded blocks. Decoding is performed in a similar manner. [0007] Proceedings of the Summer Usenix Conference, pages 27-35, "Key Management in an Encrypting File System" is directed to a system based on cryptographic smartcards, for the temporary escrow of file encryption keys for critical files in a cryptographic file system. The smartcard acts as a self-contained decryption engine without assistance or cooperation of the file system, by trading speed for bandwidth. Similarly, encryption under such a scheme 45 cannot utilize the processing power of the file system and relies on the ability to trade off space for time in the smartcard resources only. [0008] 1st ACM conference on Computer and Communications Security, pages 9-15, "A Cryptographic File System for Unix" is directed to the design and implementation of a Cryptographic File System (CFS) under the Unix operating system. Such a CFS system pushes file encryption entirely into the client file system interface. Each directory, in such so a system, is protected by set of cryptographic keys, that may be stored on "smartcards". As such, the smartcard stores the key for the host computer to copy for user access. [0009] According to a first aspect of this invention there is provided a method as claimed in claim 1. [0010] According to a second aspect of this invention there is provided a method as claimed in claim 6. [0011] According to a third aspect of this invention there is provided a cryptographic system as claimed in claim [0012] According to a fourth aspect of this invention there is provided a cryptographic system as claimed in claim 11. [0013] According to a fifth aspect of this invention there is provided a host for encrypting data as claimed in claim 13. [0014] According to a sixth aspect of this invention there is provided a host for decrypting data as claimed in claim 14. [0015] According to a seventh aspect of this invention there is provided a cryptographic module as claimed in claim 15. 2

3 [0016] According to an eighth aspect of this invention there is provided a cryptographic module as claimed in claim 16. [0017] The invention may enable a trusted, but low-bandwidth, cryptographic module to serve as a high-bandwidth secret-key encryption/decryption engine that uses the processing power of an untrusted, but fast, host processor for performing a substantial amount of the encrypting/decrypting tasks without revealing the secret key to the host. The 5 cryptographic module may be, for example, a smartcard or a standard-conforming Personal Computer Memory Card International Association (PCMCIA) device. [0018] In an embodiment of the invention, a host processor derives a compact representation of a block of data that is received by the host. The compact data representation is then transmitted to the cryptographic module which encrypts the compact data representation under a cryptographic key stored therein, to form a block key that is returned to the 10 host. The host then encrypts the block of data under the block key. This process is repeated for every block of plain text data received by the host such that there is no useful correlation between the key for one block and the key for another. The compact representation of the block of plain text data may be included in the encrypted block of plain text data. Furthermore, the size of the resulting ciphertext may be equal to the size of the plain text data in order to make the encryption process transparent to other applications that may be running on the host. 15 [0019] Decryption of the encrypted data is accomplished by reversing the encryption process described above. Specifically, when the host receives a block of ciphertext in the form of encrypted data and a compact representation of that block of encrypted data, the host transmits the compact representation of that block of ciphertext to the cryptographic module. The cryptographic module uses its cryptographic key and the received compact representation of the block of ciphertext to recover the block key. The cryptographic module then returns the block key to the host which 20 uses that key to decrypt the block of ciphertext. Brief Description of the Drawings [0020] In the drawings: FIG. 1 is a block diagram of a system designed to use an encryption/decryption arrangement embodying the invention; and FIGs. 2, and 3, are flow diagrams of programmed instructions executed by some of the components of FIG. 1 to encrypt and decrypt data. Detailed Description [0021] FIG. 1 is block diagram of a system designed to use an encryption/decryption arrangement embodying the invention. The block diagram of FIG. 1 shows a portable encrypting module or smartcard 20, a card reader/writer and a host 42. Although card reader/writer 30 is shown in FIG. 1 as a separate, stand-alone component, it is to be understood that card reader/writer 30 may be included in host 42. [0022] Major components of smartcard 20 include a microprocessor 22, an analog interface chip 21, the inductive coil 24 of a transformer 29, and capacitive plates 25 through 28. All smartcard components are preferably laminated beneath the smartcard surface such that no external contacts are accessible to intruders. The microprocessor 22 has 40 a central processing unit and internal memory units that store some of the programmed instructions shown in FIGs. 2 and 3. The internal memory units of microprocessor 22 also store protocols and associated software programs that are executed by microprocessor 22 to transmit and receive data to and from host 42, respectively, via the card reader/ writer 30. Those software programs also include a block cipher algorithm, such as the well-known Data Encryption Standard (DES) algorithm that is used in conjunction with the programmed instructions shown in FIGs. 2 and 3 to 45 encrypt and decrypt data under a cryptographic key also stored in the internal memory units of microprocessor 22. [0023] Of particular significance among the attributes of smartcard 20 is a) the limited computational power of microprocessor 22 which allows smartcard 20 to encrypt and decrypt limited amount of data within a particular time period, and b) the limited bandwidth of the link between smartcard 20 and the host. [0024] All input to, and output from, smartcard 20 is channeled to analog interface chip 21 which transfers information so to and from microprocessor 22 and distributes electrical power from the card reader/writer 30 to the smartcard 20. Specifically, when analog interface chip 21 receives power through the mating of inductive coils 24 and 32 of transformer 29, analog interface chip 21 conditions the electrical power before distributing it to microprocessor 22. Likewise, clock recovery and signal conditioning is performed by analog interface chip 21 for data transferred thereto via the mating of capacitive plates 25, 26, 27 and 28 of smartcard 20 to capacitive plates 35, 36, 37 and 38 of card reader/writer Because of the limited dimensions of smartcard 20, capacitive plates 25, 26, 27 and 28 can only carry limited amount information from card reader/writer 30 to smartcard 20. Hence, smartcard 20 is bandwidth-limited in addition to being CPU-limited. [0025] I n addition to the components of card reader/writer 30 already described above with respect to electrical power 3

4 and data transfer features of smartcard 20, card reader/writer 30 also includes a power supply 31, a Universal Asynchronous Receiver Transmitter (UART) 41, a microprocessor 39 and analog interface circuit 40. Some of the components included in the smartcard 20 may also be used in the card reader/writer 30. For example, the same physical microprocessor can be used for both microprocessor 22 and 39. Similarly, the data transfer features of analog interface 5 chip 21 and 42 can be almost identical. Power supply 31 provides electrical power to card reader/writer 30 and smartcard 20 when the latter is coupled to the former. Power supply 31 also synchronizes a clock signal from the card reader/ writer 30 to the smartcard 20 through the transformer 29. The UART 41 is primarily a physical interface that is arranged to receive and transmit asynchronous data according to a specific standard. UART 41 communicates clock synchronization signals to power supply 31 and transfers data received from host 42 to microprocessor 39 and likewise, trans- 10 mits data received from microprocessor 39 to host 42. [0026] Host 42 is a general purpose computer that receives plain text data and/or ciphertext from a data source 50 which is shown in FIG. 1 as a data storage area. Alternatively data source 50 may be a communications network arranged to transmit to, and receive from host 42 data associated with diverse applications ranging from database management systems to multimedia applications. Host 42 stores in its memories software programs and some of the is programmed instructions shown in FIGs. 2 and 3. Chief among the software programs executed by host 42 is an encryption/decryption algorithm, such as the DES algorithm, that allows plain text (or ciphertext) data to be encrypted (decrypted) under one or more cryptographic keys. Instructions included in this algorithm allow host 42 to operate on large blocks of plain text data B and ciphertext C, each consisting of a series of n individual b bit blocks, denoted B1... Bn and C-,... Cn, respectively. 20 [0027] Also stored in the internal memories of host 42 are programmed instructions for a public function that returns a cryptographic hash of an arbitrary length bitstring. In this example, host 42 is trusted to process the plain text data received from source 50. However, host 42 is not allowed to know the cryptographic key stored in the internal memories of microprocessor 22 embedded in smartcard 20. Hence, host 42 is arranged to perform a single, low-bandwidth interaction with smartcard 20 to obtain enough information to encrypt or decrypt a single arbitrary length block. Without 25 smartcard 20 assistance and cooperation, however, host 42 cannot use the information received from smartcard 20 to encrypt or decrypt other blocks. [0028] FIG. 2 is flow diagram of programmed instructions executed by host 42 and smartcard 20 to implement the principles of the invention. When host 42 receives a block of plain text data from source 50, it divides the block of data into N sub-blocks B1 to Bn, as indicated in step 201. While the size of a received block of data is application-dependent, 30 the size of each sub-block, however, is determined by the cipher function. The division of the block of plain text data is performed to derive a compact representation of the block, a so-called message digest of the block. In this example, the compact representation of the block of plain text data is achieved by diffusing all the bits in the block. Specifically, the compact representation function is initiated when host 42, in step 202, selects one of the sub-blocks, such as subblock B-,, for example, to calculate the hash of the bits in that sub-block to produce the resulting hash H(B-,). Thereafter, 35 host 42, in step 203, performs an "exclusive or" operation on the remaining sub-blocks B2 to Bn with the value of the hash H(B- ) to produce intermediate sub-blocks l2 In.. Then, host 42, in step 204, calculates the hash value h of the intermediate sub-blocks l2 In... Intermediate sub-block I-, is then derived by host 42, in step 205, through an "exclusive or" operation of sub-block B-, with the hash value h. Host 42, in step 206, transmits to smartcard 20 intermediate subblock I-,. It will be appreciated that sub-block I-, contains indicia of all the bits in the block of plain text data as a result 40 of the hash and "exclusive or" operations described above. In other words, all the bits in the block of plain text data have been diffused to produce \v [0029] Upon receiving intermediate sub-block \v smartcard 20, in step 207 encrypts intermediate sub-block I-, under its cryptographic key K to produce encrypted sub-block C-,. Smartcard 20 proceeds, in step 208 to encrypt C-, under the cryptographic key K to produce block key Ks. Thereafter, smartcard 20, in step 209, sends encrypted sub-block C-, 45 to host 42 which encrypts the intermediate blocks l2 to ln under the block key Ks to produce ciphertext C2 to Cn for subblocks B2 to Bn. Optionally, this encryption may be performed with a chaining cipher, such as the cipher block chaining process defined in the Federal Information Processing Standards Publication 81, Government Printing Office, Washington, D.C., [0030] FIG. 3 presents, in flow diagram format, programmed instructions executed by host 42 and smartcard 20 to so decrypt a block of ciphertext data. [0031] When host 42 receives a block of ciphertext data, it divides that block of data into n sub-blocks C-, to Cn, as indicated in step 301. Host 42, sends the first ciphertext sub-block C-, to smartcard 20 which encrypts the data in the first ciphertext sub-block Cv in step 302 to derive the block key Ks. Thereafter, smartcard 20, in step 302, decrypts the first ciphertext sub-block C1 to derive the intermediate sub-block I-, which is sent to host 42 along with the block key 55 ks. Host 42, in step 303 uses the block key Ks to decrypt C2 to Cn to recover intermediate sub-blocks l2 to In. Host 42 proceeds in step 304 to calculate the hash value h for intermediate sub-blocks l2 to ln. Thereafter, host 42 recovers B-, by performing an "exclusive or" operation on the intermediate sub-block I-, received from smartcard 20 with the hash value h. Host 42, in step 305, calculates the hash of the bits in that sub-block B to produce the resulting hash H(B-,). 4

5 Host 42 then, in step 406, recovers sub-blocks B2 to Bn. Host 42 in step 407 assembles sub-blocks B to Bn to reconstruct the block of plain text data. Table I and Table II show illustrative programming code for the encryption and decryption process, respectively, for this example. Host Card do i - 2 to n Ii =Bi 0H(B ) h-h(i2...i ) I, -B, h send 1 1 to card C,=EK(I,) Ks-M(Ek(C,)) send C i, Ks to host 25 do i - 2 to n Ci-EjcdieCi.,) Table 1 : Encryption of B to obtain C 30 Host Card 35 send C to card 40 KS-M(EK(C,)) Ii -DK(C.) send Ks, 1 1 to host do i - 2 to n Ii -Dks (Ci) Ci_l h-h(i2...i ) B, - I, h do i - 2 to n Bj - Ij 8H(B,) Table 2: Decryption of C to obtain B [0032] It is worth noting that the decrypting process described above implicitly assumes that the compact representation of the encrypted block is included in the data contained in that block. However, the principles of the invention 5

6 can be implemented without this requirement. [0033] Optionally, an authentication process can be added to the encryption and decryption tasks to detect any tampering with the ciphertext. This authentication process may simply consist of setting the first bits of each block to some fixed value (say, all zeros). By checking those bits on decryption, any tampering with the ciphertext becomes 5 easily detectable. [0034] Advantageously, any size block can be encrypted or decrypted with one card interaction, with the card performing only two cipherblock operations for either encrypting or decrypting a block of data. Furthermore, host 42 can neither encrypt nor decrypt data without on-line access to smartcard 20. In other words, encryption and decryption without the card is no easier than breaking the underlying cipher even for hosts that have had prior interaction(s) with 10 the card. Claims is 1. A method of encrypting data, including the steps of receiving, by a cryptographic module (20), a characteristic of data from a host (42), encrypting the characteristic of data in the cryptographic module (20) with a cryptographic key stored 5 therein, and transmitting the encrypted characteristic of data back to the host (42); CHARACTERIZED IN THAT 20 the characteristic of data is a hash value representing a block of data; the encrypted characteristic of data forms a block key; and the method includes encrypting the block of data at the host (42) using the block key received from the cryptographic module (20) A method as claimed in claim 1 wherein the step of encrypting the block of data includes the step of encrypting the block of data such that a resulting encrypted block of data has an equal number of bits as its non-encrypted counterpart A method as claimed in claim 1 wherein said hash value is derivable from the encrypted block of data. 4. A method as claimed in claim 1 wherein said hash value is a block of data that is divided therein into sub-blocks from which at least one sub-block is selected, wherein each sub-block contains a plurality of bits of data, such that each bit in the at least one selected sub-block is dependent on every bit in the block of data A method as claimed in claim 4 wherein the block key is formed by a) a first encryption of said value to produce a ciphertext for the at least one selected sub-block, and b) a second encryption of said ciphertext to derive the block key. 6. A method of decrypting data, the method including the steps of receiving encrypted data and a characteristic of 40 the data at a host (42), transmitting the characteristic of the data to a cryptographic module (20) with a cryptographic key, decrypting the characteristic of the data at the cryptographic module (20), and transmitting the decrypted characteristic of the data back to said host (42); CHARACTERIZED IN THAT 45 the encrypted data is a block of ciphertext; the characteristic of the data is a message digest of the block of ciphertext; the decrypting step includes recovering a block key previously used to produce the block of ciphertext; said recovering being performed using the cryptographic key; and the method includes the step of decrypting the block of ciphertext at the host (42) using the block key A method as claimed in claim 6 wherein the message digest of the block of ciphertext is included in the block of ciphertext received by the host (42). 8. A cryptographic system, including a cryptographic module (20) with a cryptographic key stored therein and having 55 means for receiving (21, 25, 26, 27, 28) a characteristic of data from a host (42), means for encrypting (22, 20) the characteristic of data with the cryptographic key, and means for transmitting (21, 25, 26, 27, 28) the encrypted characteristic of data back to the host (42), the host (42) having means for receiving (40, 35, 36, 37, 38, 39, 41 ) the encrypted characteristic of data from the cryptographic module (20); 6

7 CHARACTERIZED IN THAT the characteristic of data is a hash value representing a block of data; the encrypted characteristic of data forms a block key; and 5 the system includes means for encrypting (42) the block of data using the received block key. 9. A system as claimed in claim 8 wherein said value is derivable from the encrypted block of data. 10. A system as claimed in claim 8 wherein said means for encrypting (42) said block of data includes means for 10 ensuring (42) that an encrypted data block has an equal number of bits as its non-encrypted counterpart. is 11. A cryptographic system, including a host (42) having means for receiving (42) encrypted data and a characteristic of the data, means for transmitting (42) the characteristic of the data to a cryptographic module (20) with a cryptographic key stored therein, the cryptographic module (20) having means for decrypting (22) the characteristic of the data with the cryptographic key, and means for transmitting (21, 25, 26, 27, 28) the decrypted characteristic of the data to the host (42); CHARACTERIZED IN THAT the encrypted data is a block of ciphertext; 20 the characteristic of the data is a message digest of the block of ciphertext; the means for decrypting includes means for recovering (22) a block key previously used to produce the block of ciphertext; said recovering being performed using the cryptographic key; and the system includes means for decrypting (42) at the host (42) the block of ciphertext using the block key A system as claimed in claim 11 wherein said message digest is included in the block of ciphertext received by the host. 13. A host (42) for encrypting data, including means for transmitting (41, 39, 40, 35, 36, 37, 38) a characteristic of data to a cryptographic module (20) that stores a first cryptographic key; 30 CHARACTERIZED IN THAT the characteristic of data is a hash value representing a block of data; the cryptographic module (20) serves to transmit a second cryptographic key to the host (42) that includes information transformed at least once under said first cryptographic key without being indicative of said first 35 cryptographic key; and the host includes means for encrypting (42) at least a portion of the data in said block of data under the second cryptographic key. 14. A host 42) for decrypting data, including means for receiving (42) encrypted data and a characteristic of the data, 40 and means for transmitting (41, 39, 40, 35, 36, 37, 38) the characteristic of the data to a cryptographic module; CHARACTERIZED IN THAT the encrypted data is a block of data previously transformed under a first cryptographic key, said block of data including a plurality of segments transformed under a second cryptographic key which is a function of said 45 first cryptographic key and data in said segments; the characteristic of the data is a message digest associated with data stored in a predetermined one of said segments in order to identify thereto said second cryptographic key; and the host includes means for decrypting (42) at least a subset of said segments using said second cryptographic key. so 15. A cryptographic module (20) including means for storing (22) a cryptographic key; means for receiving (21, 25, 26, 27, 28) a characteristic of data from a host (42); means for encrypting (22) the characteristic of data; and means for transmitting the encrypted characteristic of data to the host (42); CHARACTERIZED IN THAT 55 the characteristic of data is a hash value of a block of data as part of a block of plain text data; and the means for encrypting includes means for performing at least one transformation operation under said cryptographic key to derive a different cryptographic key that is transmitted to said host (42) in order for said 7

8 host (42) to encrypt the bits in said block under said different cryptographic key. 16. A cryptographic module including means for storing (22) a first cryptographic key means for receiving (21, 25, 26, 27, 28) encrypted data from a host, means for decrypting (22) data, and means for transmitting (21, 25, 26, 27, 28) data to a host (42); CHARACTERIZED IN THAT the encrypted data contains at least one message digest of a sub-block of ciphertext data from a group of such sub-blocks which were a) previously encrypted under a second cryptographic key that is a function of said first cryptographic key and data in said sub-blocks, and b) received by said host (42) as part of a block of ciphertext data; and the means for decrypting includes means for deriving from said message digest of encrypted data said second cryptographic key that is transmitted to said host (42) in order for said host (42) to decrypt the remaining subblocks of encrypted data without knowing said first cryptographic key. Patentanspriiche 1. Verfahren zur Verschlusselung von Daten, bei dem ein kryptographisches Modul (20) eine KenngroBe von Daten aus einem Host (42) empfangt, die KenngroBe von Daten in dem kryptographischen Modul (20) mit einem dort gespeicherten kryptographischen Schlussel verschlusselt werden und die verschlusselte KenngroBe von Daten zu dem Host (42) zuruckgesendet wird; dadurch gekennzeichnet, dal3 die KenngroBe von Daten ein Hashwert ist, der einen Datenblock darstellt; die verschlusselte KenngroBe von Daten einen Blockschlussel bildet; und das Verfahren das Verschlusseln des Datenblocks in dem Host (42) unter Verwendung des aus dem kryptographischen Modul (20) empfangenen Blockschlussels umfabt. 2. Verfahren nach Anspruch 1, wobei der Schritt des Verschlusselns des Datenblocks den Schritt des dergestaltigen Verschlusselns des Datenblocks umfabt, dab ein resultierender verschlusselter Datenblock eine gleiche Anzahl von Bit wie sein nicht verschlusseltes Gegenstuck aufweist. 3. Verfahren nach Anspruch 1, wobei der Hashwert aus dem verschlusselten Datenblock ableitbar ist. 4. Verfahren nach Anspruch 1, wobei der Hashwert ein Datenblock ist, der dort in Teilblocke aufgeteilt wird, aus denen mindestens ein Teilblock ausgewahlt wird, wobei jeder Teilblock eine Vielzahl von Datenbit enthalt, so dab jedes Bit in dem mindestens einen ausgewahlten Teilblock von jedem Bit in dem Datenblock abhangt. 5. Verfahren nach Anspruch 4, wobei der Blockschlussel durch a) eine erste Verschlusselung des Werts zur Erzeugung eines Chiffretexts fur den mindestens einen ausgewahlten Teilblock und b) eine zweite Verschlusselung des Chiffretexts zur Ableitung des Blockschlussels gebildet wird. 6. Verfahren zur Entschlusselung von Daten, mit den Schritten des Empfangens verschlusselter Daten und einer KenngroBe der Daten in einem Host (42), Senden der KenngroBe der Daten zu einem kryptographischen Modul (20) mit einem kryptographischen Schlussel, Entschlusseln der KenngroBe der Daten in dem kryptographischen Modul (20) und Zurucksenden der entschlusselten KenngroBe der Daten zu dem Host (42); dadurch gekennzeichnet, dab die verschlusselten Daten ein Chiffretextblock sind; die KenngroBe der Daten ein Komprimat des Chiffretextblocks ist; der Entschlusselungsschritt das Wiederherstellen eines zuvor zur Erzeugung des Chiffretextblocks verwendeten Blockschlussels umfabt; wobei das Wiederherstellen unter Verwendung des kryptographischen Schlussels durchgefuhrt wird; und das Verfahren den Schritt des Entschlusselns des Chiffretextblocks in dem Host (42) unter Verwendung des Blockschlussels umfabt. 7. Verfahren nach Anspruch 6, wobei das Komprimat des Chiffretextblocks in dem durch den Host (42) empfangenen 8

9 Chiffretextblock enthalten ist. 8. Kryptographisches System mit einem kryptographischen Modul (20) mit einem dort gespeicherten kryptographischen Schlussel und mit einem Mittel zum Empfangen (21, 25, 26, 27, 28) einer KenngroBe von Daten aus einem 5 Host (42), einem Mittel zum Verschlusseln (22, 20) der KenngroBe von Daten mit dem kryptographischen Schlussel und einem Mittel zum Zurucksenden (21, 25, 26, 27, 28) der verschlusselten KenngroBe von Daten zu dem Host (42), wobei der Host (42) ein Mittel zum Empfangen (40, 35, 36, 37, 38, 39, 41) der verschlusselten KenngroBe von Daten aus dem kryptographischen Modul (20) aufweist; dadurch gekennzeichnet, dab 10 die KenngroBe von Daten ein Hashwert ist, der einen Datenblock darstellt; die verschlusselte KenngroBe von Daten einen Blockschlussel bildet; und das System ein Mittel zum Verschlusseln (42) des Datenblocks unter Verwendung des empfangenen Blockschlussels enthalt System nach Anspruch 8, wobei der Wert aus dem verschlusselten Datenblock ableitbar ist. 10. System nach Anspruch 8, wobei das Mittel zum Verschlusseln (42) des Datenblocks ein Mittel zum Sicherstellen (42) enthalt, dab ein verschlusselter Datenblock eine gleiche Anzahl von Bit wie sein nicht verschlusseltes Ge- 20 genstuck aufweist. 11. Kryptographisches System mit einem Host (42) mit einem Mittel zum Empfangen (42) verschlusselter Daten und einer KenngroBe der Daten, einem Mittel zum Senden (42) der KenngroBe der Daten zu einem kryptographischen Modul (20) mit einem dort gespeicherten kryptographischen Schlussel, wobei das kryptographische Modul (20) 25 ein Mittel zum Entschlusseln (22) der KenngroBe der Daten mit dem kryptographischen Schlussel und ein Mittel zum Senden (21, 25, 26, 27, 28) der entschlusselten KenngroBe der Daten zu dem Host (42) aufweist; dadurch gekennzeichnet, dab die verschlusselten Daten ein Chiffretextblock sind; 30 die KenngroBe der Daten ein Komprimat des Chiffretextblocks ist; das Mittel zum Entschlusseln ein Mittel zum Wiederherstellen (22) eines zuvor zur Erzeugung des Chiffretextblocks verwendeten Blockschlussels enthalt; wobei das Wiederherstellen unter Verwendung des kryptographischen Schlussels durchgefuhrt wird; und das System ein Mittel zum Entschlusseln (42) des Chiffretextblocks in dem Host (42) unter Verwendung des 35 Blockschlussels enthalt. 12. System nach Anspruch 11, wobei das Komprimat in dem durch den Host empfangenen Chiffretextblock enthalten ist Host (42) zum Verschlusseln von Daten, mit einem Mittel zum Senden (41, 39, 40, 35, 36, 37, 38) einer KenngroBe von Daten zu einem kryptographischen Modul (20), das einen ersten kryptographischen Schlussel speichert; dadurch gekennzeichnet, dab die KenngroBe von Daten ein Hashwert ist, der einen Datenblock darstellt; 45 das kryptographische Modul (20) dazu dient, einen zweiten kryptographischen Schlussel zu dem Host (42) zu senden, der Informationen enthalt, die mindestens einmal unter dem ersten kryptographischen Schlussel transformiert wurden, ohne den ersten kryptographischen Schlussel anzuzeigen; und der Host ein Mittel zum Verschlusseln (42) mindestens eines Teils der Daten in dem Datenblock unter dem zweiten kryptographischen Schlussel enthalt Host (42) zum Entschlusseln von Daten, mit einem Mittel zum Empfangen (42) verschlusselter Daten und einer KenngroBe der Daten und einem Mittel zum Senden (41, 39, 40, 35, 36, 37, 38) der KenngroBe der Daten zu einem kryptographischen Modul; dadurch gekennzeichnet, dab 55 die verschlusselten Daten ein Block zuvor unter einem ersten kryptographischen Schlussel transformierter Daten sind, wobei der Datenblock eine Vielzahl von Segmenten enthalt, die unter einem zweiten kryptographischen Schlussel transformiert wurden, der eine Funktion des ersten kryptographischen Schlussels und von 9

10 Daten in den Segmenten ist; wobei die KenngroBe der Daten ein Komprimat ist, das in einem vorbestimmten der Segmente gespeichert wird, urn den zweiten kryptographischen Schlussel damit zu identifizieren; und der Host ein Mittel zum Entschlusseln (42) mindestens einer Teilmenge der Segmente unter Verwendung des 5 zweiten kryptographischen Schlussels enthalt. 15. Kryptographisches Modul (20) mit einem Mittel zum Speichern (22) eines kryptographischen Schlussels; einem Mittel zum Empfangen (21, 25, 26, 27, 28) einer KenngroBe von Daten aus einem Host (42), einem Mittel zum Verschlusseln (22) der KenngroBe von Daten; und einem Mittel zum Senden der verschlusselten KenngroBe von 10 Daten zu dem Host (42); dadurch gekennzeichnet, dab is die KenngroBe von Daten ein Hashwert eines Datenblocks als Teil eines Klartextdatenblocks ist; und das Mittel zum Verschlusseln ein Mittel zum Durchfuhren mindestens einer Transformationsoperation unter dem kryptographischen Schlussel zur Ableitung eines verschiedenen kryptographischen Schlussels enthalt, der zu dem Host (42) gesendet wird, damit der Host (42) die Bit in dem Block unter dem verschiedenen kryptographischen Schlussel verschlusseln kann. 16. Kryptographisches Modul mit einem Mittel zum Speichern (22) eines ersten kryptographischen Schlussels, einem 20 Mittel zum Empfangen (21, 25, 26, 27, 28) verschlusselter Daten aus einem Host, einem Mittel zum Entschlusseln (22) von Daten und einem Mittel zum Senden (21, 25, 26, 27, 28) von Daten zu einem Host (42); dadurch gekennzeichnet, dab die verschlusselten Daten mindestens ein Komprimat eines Teilblocks von Chiffretextdaten aus einer Gruppe 25 solcher Teilblocke enthalten, die a) zuvor unter einem zweiten kryptographischen Schlussel verschlusselt wurden, der eine Funktion des ersten kryptographischen Schlussels und von Daten in den Teilblocken ist, und b) durch den Host (42) als Teil eines Chiffretextdatenblocks empfangen wurden; und das Mittel zum Entschlusseln ein Mittel zum Ableiten des zu dem Host (42) gesendeten zweiten kryptographischen Schlussels aus dem Komprimat verschlusselter Daten enthalt, damit der Host (42) die ubrigen Teil- 30 blocke verschlusselter Daten ohne Kenntnis des ersten kryptographischen Schlussels entschlusseln kann. Revendications Methode de chiffrage de donnees, comportant les etapes de reception, par un module de cryptographie (20), d'une caracteristique de donnees provenant d'un hote (42), chiffrage de la caracteristique de donnees dans le module de cryptographie (20) avec une cle de cryptographie stockee dans celui-ci, et retransmission de la caracteristique de donnees chiffree a I'hote (42); CARACTERISEE EN CE QUE 40 la caracteristique de donnees est une valeur de total de controle representant un bloc de donnees ; la caracteristique de donnees chiffree forme une cle de bloc ; et la methode comporte le chiffrage du bloc de donnees au niveau de I'hote (42) en utilisant la cle de bloc recue du module de cryptographie (20) Methode selon la revendication 1, dans laquelle I'etape de chiffrage du bloc de donnees comporte I'etape de chiffrage du bloc de donnees de telle sorte qu'un bloc de donnees chiffre resultant ait le meme nombre de bits que son homologue non chiffre. so 3. Methode selon la revendication 1, dans laquelle ladite valeur de total de controle peut etre derivee du bloc de donnees chiffre. 4. Methode selon la revendication 1, dans laquelle ladite valeur de total de controle est un bloc de donnees qui est divise dans celle-ci en sous-blocs dont au moins un sous-bloc est selectionne, dans laquelle chaque sous-bloc 55 contient une pluralite de bits de donnees, de telle sorte que chaque bit dans le au moins un sous-bloc selectionne depende de chaque bit dans le bloc de donnees. 5. Methode selon la revendication 4, dans laquelle la cle de bloc est formee par a) un premier chiffrage de ladite 10

11 valeur en vue de produire un texte chiffre pour le au moins un sous-bloc selectionne, et b) un deuxieme chiffrage dudit texte chiffre en vue de deriver la cle de bloc. Methode de dechiffrage de donnees, la methode comportant les etapes de reception de donnees chiffrees et d'une caracteristique de donnees au niveau d'un hote (42), transmission de la caracteristique des donnees a un module de cryptographie (20) avec une cle de cryptographie, dechiffrage de la caracteristique des donnees au niveau du module de cryptographie (20), et retransmission de la caracteristique dechiffree des donnees audit hote (42) ; CARACTERISEE EN CE QUE les donnees chiffrees sont un bloc de texte chiffre ; la caracteristique des donnees est un condense de message du bloc de texte chiffre ; I'etape de dechiffrage comporte la recuperation d'une cle de bloc utilisee anterieurement en vue de produire le bloc de texte chiffre ; ladite recuperation etant effectuee en utilisant la cle de cryptographie ; et la methode comporte I'etape de decryptage du bloc de texte chiffre au niveau de I'hote (42) en utilisant la cle de bloc. Methode selon la revendication 6, dans laquelle le condense de message du bloc de texte chiffre est compris dans le bloc de texte chiffre recu par I'hote (42). Systeme de cryptographie, comportant un module de cryptographie (20), avec une cle de cryptographie stockee a I'interieur de celui-ci et ayant un moyen pour recevoir (21, 25, 26, 27, 28) une caracteristique de donnees provenant d'un hote (42), un moyen pour chiffrer (22, 20) la caracteristique de donnees avec la cle de cryptographie, et un moyen pour retransmettre (21, 25, 26, 27, 28) la caracteristique de donnees chiffree a I'hote (42), I'hote (42) ayant un moyen pour recevoir (40, 35, 36, 37, 38, 39, 41) la caracteristique chiffree de donnees provenant du module de cryptographie (20) ; CARACTERISE EN CE QUE la caracteristique de donnees est une valeur de total de controle representant un bloc de donnees ; la caracteristique de donnees chiffree forme une cle de bloc ; et le systeme comporte un moyen pour chiffrer (42) le bloc de donnees en utilisant la cle de bloc recue. Systeme selon la revendication 8, dans lequel ladite valeur peut etre derivee du bloc de donnees chiffre. Systeme selon la revendication 8, dans lequel ledit moyen de chiffrage (42) dudit bloc de donnees comporte un moyen pour garantir (42) qu'un bloc de donnees chiffre a le meme nombre de bits que son homologue non chiffre. Systeme de cryptographie, comportant un hote (42) ayant un moyen pour recevoir (42) des donnees chiffrees et une caracteristique des donnees, un moyen pour transmettre (42) la caracteristique des donnees a un module de cryptographie (20) avec une cle de cryptographie stockee a I'interieur de celui-ci, le module de cryptographie (20) ayant un moyen pour dechiffrer (22) la caracteristique des donnees avec la cle de cryptographie, et un moyen pour retransmettre (21, 25, 26, 27, 28) la caracteristique dechiffree des donnees a I'hote (42) ; CARACTERISE EN CE QUE les donnees chiffrees sont un bloc de texte chiffre ; la caracteristique des donnees est un condense de message du bloc de texte chiffre ; le moyen de dechiffrage comporte un moyen pour recuperer (22) une cle de bloc utilisee precedemment en vue de produire le bloc de texte chiffre ; ladite recuperation etant effectuee en utilisant la cle de cryptographie ; et le systeme comporte un moyen pour dechiffrer (42) au niveau de I'hote (42) du bloc de texte chiffre en utilisant la cle de bloc. Systeme selon la revendication 11, dans lequel ledit condense de message est inclus dans le bloc de texte chiffre recu par I'hote. Hote (42) pour chiffrer des donnees, comportant un moyen pour transmettre (41, 39, 40, 35, 36, 37, 38) une caracteristique de donnees a un module de cryptographie (20) qui stocke une premiere cle de cryptographie ; CARACTERISE EN CE QUE 11

12 la caracteristique de donnees est une valeur de total de controle representant un bloc de donnees ; le module de cryptographie (20) sert a transmettre une deuxieme cle de cryptographie a I'hote (42) qui comporte des informations transformees au moins une fois sous ladite premiere cle de cryptographie sans donner dedication sur ladite premiere cle de cryptographie ; et I'hote comporte un moyen pour chiffrer (42) au moins une partie des donnees dans ledit bloc de donnees sous la deuxieme cle de cryptographie. Hote (42) pour dechiffrer des donnees, comportant un moyen pour recevoir (42) des donnees chiffrees et une caracteristique des donnees, et un moyen pour transmettre (41, 39, 40, 35, 36, 37, 38) la caracteristique des donnees a un module de cryptographie ; CARACTERISE EN CE QUE les donnees chiffrees sont un bloc de donnees transformees anterieurement sous une premiere cle de cryptographie, ledit bloc de donnees comportant une pluralite de segments transformes sous une deuxieme cle de cryptographie qui est fonction de ladite premiere cle de cryptographie et des donnees dans lesdits segments ; la caracteristique des donnees est un condense de message associe aux donnees stockees dans un segment predetermine desdits segments afin d'identifier a celui-ci ladite deuxieme cle de cryptographie ; et I'hote comporte un moyen pour dechiffrer (42) au moins un sous-ensemble desdits segments en utilisant ladite deuxieme cle de cryptographie. Module de cryptographie (20) comportant un moyen pour stacker (22) une cle de cryptographie ; un moyen pour recevoir (21, 25, 26, 27, 28) une caracteristique de donnees provenant d'un hote (42) ; un moyen pour chiffrer (22) la caracteristique de donnees ; et un moyen pour retransmettre la caracteristique de donnees chiffree a I'hote (42) ; CARACTERISE EN CE QUE la caracteristique de donnees est une valeur de total de controle d'un bloc de donnees faisant partie d'un bloc de donnees de texte normal ; et le moyen de chiffrage comporte un moyen pour effectuer au moins une operation de transformation sous ladite cle de cryptographie en vue de deriver une cle de cryptographie differente qui est transmise audit hote (42) pour que ledit hote (42) crypte les bits dans ledit bloc sous ladite cle de cryptographie differente. Module de cryptographie comportant un moyen pour stacker (22) une premiere cle de cryptographie ; un moyen pour recevoir (21, 25, 26, 27, 28) des donnees chiffrees provenant d'un hote (42) ; un moyen pour dechiffrer (22) les donnees ; et un moyen pour retransmettre (21, 25, 26, 27, 28) les donnees a un hote (42) ; CARACTERISE EN CE QUE les donnees chiffrees contiennent au moins un condense de message d'un sous-bloc de donnees de texte chiffre provenant d'un groupe de tels sous-blocs qui ont ete a) chiffres anterieurement sous une deuxieme cle de cryptographie qui est fonction de ladite premiere cle de cryptographie et des donnees dans lesdits sousblocs, et b) recus par ledit hote (42) comme partie d'un bloc de donnees de texte chiffre ; et le moyen de dechiffrage comporte un moyen pour deriver dudit condense de message de donnees chiffrees ladite deuxieme cle de cryptographie qui est transmise audit hote (42) afin que ledit hote (42) dechiffre les sous-blocs restants de donnees chiffrees sans connattre ladite premiere cle de cryptographie. 12

13 I _ o co CO I I I o

14 F I G. 2 i nri/ n ata tkita ki cim di nri/c I DIVIDE A RECEIVED BLOCK OF DATA INTO N SUB-BLOCKS /" 201 CALCULATE HASH OF A SELECTED SUB-BLOCK 202 DERIVE INTERMEDIATE SUB-BLOCKS FOR REMAINING SUB-BLOCKS - BY PERFORMING AN "EXCLUSIVE OR" OPERATION ON THE REMAINING SUB-BLOCKS WITH THE RESULTING HASH OF THE SELECTED SUB-BLOCK CALCULATE HASH h OF INTERMEDIATE SUB-BLOCKS 204 DERIVE INTERMEDIATE SUB-BLOCK FOR THE SELECTED - SUB-BLOCK BY PERFORMING AN "EXCLUSIVE OR" OPERATION ON THE SELECTED SUB-BLOCK WITH HASH VALUE h. 205 TRANSMIT INTERMEDIATE SUB-BLOCK I FOR SELECTED SUB-BLOCK B] TO SMARTCARD 205 ENCRYPT I USING THE CRYPTOGRAPHIC KEY TO PRODUCE FIRST CYPHERTEXT SUB-BLOCK ^ 207 ENCRYPT Ci USING CRYPTOGRAPHIC KEY TO PRODUCE BLOCK KEY K«SEND C AND Ks TO HOST WHICH ENCRYPTS REMAINING INTERMEDIATE SUB-BLOCKS USING K,

15 F I G. 3 RYPTFD Rl OCX INTO N SIIR-RinfKS I ^ 301 DIVIDE RECEIVED ENCRYPTED BLOCK INTO N SUB-BLOCKS SEND SELECTED CIPHERTEXT SUB-BLOCK TO 302 CRYPTOGRAPHIC MODULE TO RECOVER BLOCK KEY Ks CRYPTOGRAPHIC MODULE DECRYPTS THE SELECTED CIPHERTEXT 303 SUB-BLOCK TO PRODUCE INTERMEDIATE SUB-BLOCK I SEND BLOCK KEY K s AND INTERMEDIATE SUB-BLOCK I TO HOST 304 DECRYPT C2 TO Cn WITH BLOCK KEY Ks TO PRODUCE k~305 INTERMEDIATE BLOCK 1 2 TO I n nnrnatinti au i i i ri i w a i i ir \/~ <ju/ PERFORM EXCUUSIVE OR OPERATION ON HASH VALUE h WITH SELECTED INTERMEDIATE SUB-BLOCK I] TO PRODUCE CLEARTEXT OF FIRST SUB-BLOCK B1 > CALCULATE HASH OF Bi TO PRODUCE H(Bi) 308 n itiaii Ar r i ai i TkiTrnurnTiTr I S~ 309 PERFORM EXCULSIVE OR OPERATION OF EACH INTERMEDIATE SUB-BLOCK WITH H(B -j) TO PRODUCE B2TO Bn i ta n _ ta nraaurn iat 1 ^ 310 ASSEMBLE SUB-BLOCKS B ] TO B 2 TO RECONSTUCT THE BLOCKS OF PLAINTEXT DATA 15