Method and system for concealing data encryption in communication channel

FIELD: radio engineering, communication.

SUBSTANCE: method of concealing data encryption in a communication network involves the following operations: generating a set of characters using a set of encryption keys as input into a pseudorandom function, wherein each character corresponds to an indicator value; subdividing the encrypted data into a plurality of parts; partitioning each part into a plurality of groups; encoding each part by mapping each group with a character in the set of characters in accordance with its indicator value; and transmitting the mapped characters over a communication network.

EFFECT: high probability of identifying encrypted data in a communication network.

20 cl, 4 dwg

 

The scope of the invention

The present invention relates, in general, to a method and system for data encryption and, more particularly, to a method and system for hiding the existence of data encryption in a communication channel while making efficient use of bandwidth.

Background of the invention

Traffic flows in today's large networks are often subjected to mechanisms based on ill-considered policy for "shaping" such traffic. Such shaping policy is often harmful to encrypted streams, even when such flows would not normally be "shaped" were it not for the encryption.

In addition, in some regions of the world, traffic that is encrypted is often subjected to additional scrutiny using invasive surveillance technologies, compared with unencrypted traffic. In fact, encrypted traffic, even if it is "harmless," may attract undue attention simply because it is encrypted. In many places in the modern Internet, in particular close to the edge of the network, traffic shaping technology is used to automatically detect encrypted streams and to handle them differently, in accordance with local policy. Such handling may, in effect, consist of dropping the traffic or assigning the traffic a very low Quality of Service ("QoS") priority.

Encrypted traffic, with the exception of fixed headers, has a specific statistical property, namely, that it is indistinguishable from a stable pseudo-random sequence of the same length. However, if encrypted traffic is observed over a sufficiently long time frame, a very uniform distribution of bits or octets emerges, which usually makes this traffic distinguishable from unencrypted traffic. It is this property that allows traffic-shaping equipment to recognize encrypted streams and apply the corresponding "policy" to these streams. Streams that are unencrypted have a quite different statistical distribution of bits (octets) than encrypted streams.

Several tests can be performed on the traffic, to determine that the traffic has statistical properties of encrypted traffic. All encrypted traffic must pass these tests, but passing these tests does not necessarily indicate the presence of encryption. For example, the traffic flows that have been compressed, have long-term statistical properties, which are almost indistinguishable from the properties of random or encrypted streams.

The usual suite of randomness tests typically shows the presence or absence of encryption of the traffic. The test suite described in Federal Information Processing Standard ("FIPS") 140-2 makes it easy to distinguish random-like streams from streams that are not random-like, usually when only 4 kilobytes of the traffic flow are available.

Similarly, over a longer period, an attempt to compress the contents of the stream using any one of a number of compression functions can be used to distinguish random-like streams from streams that are not random. For example, an attempt to compress a purely random stream results in no compression or even in an increase in size, depending on the compression algorithm used. Streams that are not random can be moderately or highly compressed.

There is historical support for the use of steganography for hiding secret messages so that only the sender and the designated recipient can tell that a hidden message exists. Thus, it seems natural and tempting to use steganographic techniques to hide the seemingly random bits of an encrypted stream inside a stream that appears statistically unencrypted.

It is already known that some groups hide encrypted messages inside such innocuous objects as digital image files on the Internet, and steganography is known to be used in narrowband communications technology. Various tools already exist that help create steganographic material using audio files, video files and image files as "carriers" for the hidden information.

However, the bandwidth efficiency of "traditional" steganographic techniques is typically very low, and the "carrier" information dominates the bandwidth used to transmit steganographic objects. A ratio of carrier information to hidden information of about 100:1 or worse is normal when using this technique. However, the advantage of the steganographic technique is that the resulting data streams have a clearly non-uniform statistical distribution of octets, which means that they are difficult to identify as encrypted traffic using automated equipment on the Internet.

It is also possible to encode encrypted bit streams so that they resemble, for example, normal English text. Techniques such as using a dictionary of common English words to represent groups of ciphertext bits have historically been used to hide the presence of underlying encrypted messages. For example, if groups of four bits are considered at a time, they can be used as an "index" into a short array of English (or German, Spanish, French, etc.) words. These words are substituted for the bit sequence, and the receiver simply looks up the corresponding bit sequence when it encounters one of the dictionary elements. This technique is effective enough to fool automatic tests for randomness, particularly tests that are unaware of the bit-to-word mapping, and if that mapping is sufficiently extensive.

Problems occur when the bandwidth efficiency of the communication channel is of particular importance in developing a coding system for hiding encrypted streams. The system described above, for example, requires significant overhead to represent 4 bits of "real" information. Typically, 40 to 50 bits are transmitted in order to represent these 4 bits of real information.

There are many encoding techniques that are used to convert binary data into a coding suitable for very limited channels, such as ASCII e-mail transfer, etc. These coding systems are relatively bandwidth-efficient and result in about a 30% increase in occupied bandwidth. Many protocols currently in use on the Internet use some variant of Base64 encoding, which converts 24 bits of input data into 32 bits of output data with a strongly limited output alphabet. However, coding based on Base64 can easily be identified automatically, which means that this encoding can be removed and the resulting bit stream further analyzed for randomness.

The key concept in reducing the ability to detect encrypted streams is to reduce the information density of the encrypted stream. A stream of encrypted data looks like a simple pseudo-random sequence, which means that it has maximum density, or minimum redundancy. Any technique that reduces the amount of information carried per transmitted bit reduces the likelihood that the resulting stream is identified as strictly pseudo-random and, thus, reduces the probability of identifying an encrypted stream.

Standard encoding, such as Base64, reduces the information carried per transmitted bit. However, since Base64 is easy to recognize, the stream can be decoded and the resulting bit sequence analyzed for randomness. Thus, there is a need for a system and method of encoding that simultaneously reduce the information density of the traffic flow and reduce the probability of detection of the coding scheme, so that the traffic is not found to be encrypted and is therefore not analyzed on the basis of detection of the encoding scheme.

The invention

The present invention provides a method and system for hiding the existence of encrypted data traffic in a communication network, so that the traffic is not identified as encrypted and is therefore not analyzed on the basis of detection of the coding scheme. As a rule, the encrypted data is additionally encoded in accordance with the Base64 encoding scheme, using a pseudo-randomly generated alphabet set based on the set of encryption keys. The composition of the encoding alphabet is effectively unknown.

In accordance with a first aspect, the present invention provides a method for hiding the existence of data encryption in a communication network. A set of characters is generated by using a set of encryption keys as input to a pseudo-random function. Each character corresponds to an index value. The encrypted data is divided into a plurality of parts. Each part is partitioned into a plurality of groups and encoded by mapping each group to a character in the character set in accordance with its index value. The mapped characters are transmitted through the communication network.

In accordance with another aspect, the present invention provides a network interface for hiding the existence of data encryption, which contains a controller and a communication interface. The communication interface is connected to the controller. The controller generates a set of characters by using a set of encryption keys as input to a pseudorandom function, and each character corresponds to an index value. The controller additionally divides the encrypted data into a plurality of parts, partitions each part into a plurality of groups and encodes each part by mapping each group to a character in the set of characters in accordance with its index value. The communication interface transmits the mapped characters through a network connection.

In accordance with another aspect, the present invention provides a system for hiding the existence of data encryption in a communication network that includes a first network interface and a second network interface. The first network device generates a set of alphabetic characters (letters) by using a set of encryption keys as input to a pseudo-random function, each alphabetic character corresponding to an index value. The first network interface additionally divides the encrypted data into a plurality of parts, partitions each part into a plurality of groups and encodes each part by mapping each group to a character in the set of characters in accordance with its index value. The first network interface transmits the mapped characters through the communication network. The second network interface receives the encoded data block. The encoded data block contains the mapped characters. The second network interface divides the encoded data block into a plurality of groups of characters, maps each character to its index value to restore the plurality of parts, and decrypts each part.

These and other features and advantages of the invention will be more apparent from the subsequent detailed description, given with reference to the accompanying drawings, which are schematic and are not real, unless specifically stated otherwise.

Brief description of drawings

Figure 1 shows a block diagram of an exemplary system for hiding data encryption, constructed in accordance with the principles of the present invention.

Figure 2 shows a block diagram of an exemplary encoder data, constructed in accordance with the principles of the present invention.

Figure 3 shows the sequence diagram of exemplary operations of a method of hiding data encryption in accordance with the principles of the present invention.

Figure 4 shows the sequence diagram of operations of an exemplary method of decoding in the presence of hiding data encryption in accordance with the principles of the present invention.

Detailed description of the invention

Before describing exemplary embodiments of the present invention in detail, it should be noted that these embodiments primarily represent combinations of components, devices and processing operations associated with implementing a system and method for hiding the existence of data encryption in a communication channel with efficient use of channel bandwidth. Accordingly, the components of the system and method are represented where appropriate by conventional symbols in the drawings, showing only those specific details that are necessary for understanding the embodiments of the present invention, so as not to complicate the description with details that will be readily apparent to those skilled in the art having read this description.

As used here, relative terms such as "first" and "second," "upper" and "lower," etc. may be used only to distinguish one object or element from another object or element, without requiring any physical or logical relationship between such objects or elements. Also, as used in the description and the claims, the term "Zigbee" refers to a suite of high-level wireless communication protocols defined in IEEE standard 802.15.4. Additionally, "Wi-Fi" refers to the communication standard in accordance with IEEE 802.11. The term "WiMAX" refers to the communication protocols in accordance with IEEE 802.16. The term "BLUETOOTH" refers to the technical specification for wireless personal area network ("PAN") communications developed by the Bluetooth Special Interest Group.

A first embodiment of the present invention provides a method and system for encoding encrypted streams so as to avoid automatic detection of the presence of encryption by various types of randomness tests, including the FIPS 140-2 randomness tests. The embodiment is protected against some known attacks by a scheme that includes various ambiguous encoding mechanisms.

We now turn to the drawings, in which similar parts have the same reference designators. Figure 1 shows an exemplary system 10 for hiding data encryption. The system 10 includes a first client computer 12 connected to a second client computer 14 over a wide area network ("WAN") 16. The wide area network 16 may be the Internet, an intranet or another network connection. The client computers 12, 14 may be personal computers, laptop computers, personal digital assistants ("PDAs"), servers, mobile phones, etc. Each client computer 12, 14 transmits data across the WAN 16 via a WAN interface 18a, 18b, collectively referred to as the WAN interface 18. Although the communications network is shown in figure 1 as a WAN, the principles of the present invention can also be applied to other types of communication networks, such as personal area networks ("PANs"), local area networks ("LANs"), campus area networks ("CANs"), metropolitan area networks ("MANs"), etc. In addition, although figure 1 shows two client computers, it should be borne in mind that this configuration is shown by way of example only. For example, the system 10 may have multiple WAN interfaces 18. The WAN interface 18 may be connected to different types of client devices, such as routers, switches, etc. In addition, the WAN interface 18 may be a stand-alone device, or it may be part of another resource, such as a client computer 12, 14.

Each WAN interface 18 encrypts the data from the client computer 12, 14 in accordance with one or more known encryption schemes. The WAN interface 18 includes an encryption concealer, described in more detail below, which hides the fact that the data has been encrypted by using a Base64 encoding scheme with a randomly generated alphabet, in contrast to standard Base64 encoding, which typically provides for the use of only a known alphabet. Each WAN interface 18 also performs the reverse function when it receives Base64-encoded and encrypted blocks of data over the WAN 16, which it then decodes and decrypts, using the randomly generated alphabet, to obtain the data originally transmitted from the client computer 12, 14. Although each WAN interface 18 in figure 1 is shown as connected to one client computer 12, 14, an exemplary WAN interface 18 constructed in accordance with the principles of the present invention can be connected to multiple computers 12, 14 without departing from the scope of this invention.

We now turn to figure 2, which shows an exemplary WAN interface 18 containing a communication interface 20 connected to a controller 22. The communication interface 20 may be wired, wireless or any combination thereof. The communication interface 20 transmits data packets between the WAN interface 18 and other resources of the wide area network 16 using known communication protocols such as Ethernet, Wi-Fi, WiMAX, BLUETOOTH, etc. The communication interface can have any number of communication ports.

The controller 22 controls the processing of information and the operation of the WAN interface 18 to implement the functions described here. The controller 22 is also connected to a non-volatile memory 24. The non-volatile memory 24 includes a memory 26 for storing data and a memory 28 for storing programs. The memory 28 for storing programs contains an encryption concealer 30, which conceals the fact that the data was encrypted from automatic detection by other entities connected to the WAN 16, as described in more detail below. The encryption concealer 30 contains an alphabet generator 32 for randomly generating a Base64 alphabet set of sixty-four (64) characters from the standard two hundred and fifty-six (256) possible ASCII characters, and a Base64 encoder 34 that encodes the encrypted data in accordance with the Base64 encoding scheme, using the Base64 alphabet. The memory 26 stores data files such as a correspondence table 36, which correlates the Base64 alphabet set with the corresponding ASCII characters, and a set of encryption keys 38 that are passed between the WAN interface 18 and a destination resource, such as the client computer 14, before any user data is transmitted.

In addition to the structures described above, each WAN interface 18 may have additional, optional structures (not shown) that may be necessary to implement other functions of the interface 18.

When the Base64 encoding scheme is used, a single, standardized alphabet is usually used to convert input triplets of octets into output quads of octets, which effectively reduces the information density, for example by eliminating accidental side-effects. This encoding is intended for passing arbitrary binary data through "channels" that may be opaque to such data. RFC-822 email is one example of such a channel.

In the Base64 scheme, a set of 64 characters is chosen from all possible ASCII characters and used as the "encoding alphabet". There are a few variants of this alphabet, but usually only one or two of them are used. It is important to consider the combinatorics associated with the choice of a suitable alphabet for encoding binary (and encrypted or random) data. Equation (1) gives the total number of possible alphabets when 64 characters are selected from a field of 256 characters (8-bit ASCII or UTF-8):

$$P = \frac{K!}{n!\,(K-n)!}, \qquad (1)$$

where K is the total number of octets, for example 256, and n is the subset size, for example 64.

With the above parameters, approximately 10^61 alphabets are obtained, each containing 64 characters chosen from a field of 256 possible octet values. When considering the information-theoretic aspects of the coding scheme, it should be borne in mind that the ability of the resulting encoding to produce purely printable ASCII characters is completely unimportant. What is important is that the resulting encoding reduces the information density of the resulting stream. Any encoding that expands a 24-bit triplet into a 32-bit quad is sufficient to reduce the information density of the resulting stream.

When implementing the present invention, it is tempting to create a small number of alphabets (or perhaps only one alphabet) that differ from the Base64 alphabet, and to use these alphabets to encode encrypted streams. However, the problem with any such encoding scheme is immediately apparent: a single, fixed alphabet is as open to decoding by "adversaries" as the Base64 scheme is. It can be assumed that the "adversaries" will know the alphabet (or alphabets) used in the scheme and will be able to perform processing similar to that described above for Base64.

Thus, embodiments of the present invention in which the alphabet 34 is selected dynamically, for example during creation of a long-lived encrypted stream, are better protected from detection than flows using static alphabets.

In addition, most encrypted sessions generate key material, for example the encryption keys 38, early in session creation, to create concatenated encryption and integrity keys for the underlying cryptographic "wrapper." Part of this key material may be used to assist in selecting the dynamic encoding alphabets 34, since the keys 38 are shared by both sides of the communication system when the encrypted channel is established.

We now turn to figure 3, which shows an exemplary sequence of operations carried out by the encryption concealer 30 to hide the existence of data encryption. The process begins when the WAN interface 18 determines that there is encrypted data to be transmitted (operation S102). The data may be received from the client computer 12 in encrypted or unencrypted form. In the latter case, the WAN interface 18 can encrypt the data in accordance with known methods of encryption.

The WAN interface 18 starts a secure communication session with the recipient device via the communication interface 20 (operation S104). As part of initializing the secure communication session, the WAN interface 18 and the recipient device exchange key material (operation S106), for example the encryption keys 38. The encryption keys 38 are used to generate a single randomly selected alphabet of 64 elements, chosen from a wider field of 256 elements, for example from the full set of ASCII characters (operation S108).

Any random number generator can be used to generate the encoding alphabet; however, to improve interoperability, a standardized cryptographically secure pseudo-random function is used, so that both sides of the communication system have the same encoding alphabet. A suitable algorithm is described in Internet Request For Comments ("RFC") 4615, where the output of the pseudorandom function (PRF) is the chaining variable for the next call to the PRF, and the required key, K, is taken from the shared key material from session initialization. Example pseudocode is shown in Table 1.

char alphabet[64]
chain_variable = PRF(K, block-of-16-zeros)
for x in 1 to 64
do
    do
        chain_variable = PRF(K, chain_variable)
        c = chain_variable[0]
    while c is already used
    alphabet[x] = c
done

Table 1

To begin encoding in accordance with the present invention, the encrypted data is divided into parts, such as triplets of octets, i.e. 3 parts of 8 bits (operation S110). The input octet triplet is divided into groups of 6 bits (operation S112), and these 6 bits are used as an index into the correspondence table 36 of the sixty-four selected elements of the alphabet (operation S114). The data is encoded by mapping each group of 6 bits to the corresponding character of the alphabet, using the 6 bits as an index into the correspondence table 36 (operation S116). The encoded data, that is, the 4 alphabet characters for the original octet triplet, is transmitted across the WAN 16 to the recipient device (operation S118).

Figure 4 shows an exemplary sequence of operations performed by the recipient device, such as a receiving WAN interface 18 or the client computer 14, after receiving a block of data whose encryption is hidden in accordance with the principles of the present invention. The method described with reference to figure 4 is essentially the method described with reference to figure 3, performed in reverse order. As before, the recipient device establishes a secure communication session with the source device (operation S118) and exchanges the encryption keys 38 (operation S120). The encryption keys 38 are used for pseudo-random generation of the same Base64 alphabet set that was used to encode the encrypted data (operation S122). The so-called "reverse" table can be calculated using, for example, the pseudocode shown in Table 2.

char table[256]
for x in 1 to 64
do
    table[alphabet[x]] = x
done

Table 2

The recipient device receives the encoded data, which contains groups of alphabetic characters from the pseudo-randomly generated Base64 alphabet set (operation S124). When decoding, each alphabetic character is used as an index into the reverse table, which yields 6 bits of data (operation S126). The 6-bit data groups are joined in groups of 4 to restore the original encrypted octet triplet (operation S128). The source data is obtained by decrypting the octet triplets using well-known encryption schemes (operation S130).

The result of applying the described technique is that the input data is effectively encrypted with a monoalphabetic substitution over the (secret) alphabet, forming an additional layer of encryption. This technique makes it possible to reliably obtain a coding scheme that generates data corresponding to the FIPS 140-2 randomness test criteria.

Redundancy can be further enhanced by introducing a subtle bias into the generated alphabet. For example, the alphabet generation can be arranged so that ASCII control characters are less likely to be elements of the alphabet, and so that the ASCII groups "ETAOIN S" and "tins" are slightly more likely to be chosen as elements of the alphabet. This slightly reduces the number of possible alphabets, but at the same time reduces the density of information.

A further improvement of the coding scheme against combinatorially complex "attacks" can be implemented by using multiple random alphabets across the output quad of octets. Generating three different alphabets and assigning them to the four output octets makes it possible to deceive any mechanisms that could be used to reliably identify traffic coded according to this scheme. The assignment of alphabets to the octets of the output quad can be fixed, such as 1-2-3-1, or can be chosen at random, using the same PRF that was used to generate the alphabets. Although this does not improve the information-theoretic aspects of the system, it increases the combinatorial complexity of any "attack" against the system.

An attack against this scheme can be considered successful if a third party can reliably identify encrypted traffic coded according to this scheme. It is useful to consider only those attacks that can be effectively automated, as these are the attacks from which the scheme should be protected. Taking the Base64 encoding scheme as an example, the "attacker" must inspect the traffic flow to a sufficient depth to make sure that only characters from the Base64 alphabet are used in the stream, then decode the resulting stream and check the resulting bit stream for randomness. It should be borne in mind that, since Base64 is used to protect many different types of data and not only encrypted data, many attempts to decode Base64 will give a "not significant" verdict in an automated attack.

A hypothetical dangerous "attack" scenario is one in which the adversary has some significant number of all the possible encoding alphabets generated using this scheme. The attacker must inspect the traffic flow to a considerable depth, considering all possible alphabets, to conclude that the traffic is indeed encoded using one of these alphabets. Since the attacker cannot determine in advance which alphabet (or alphabets) will be used to code any given flow, it is a task of great complexity to reliably distinguish traffic coded according to this scheme from any other unencrypted traffic in a typical Internet scenario.

The total number of possible alphabets is approximately, as mentioned above, 10^61. The exemplary PRF produces approximately 10" states before repeating. Thus, the upper limit on the number of possible alphabets generated using this scheme is approximately 10. As each alphabet has a length of 64 bytes, storing all 10 alphabets requires too much memory.

The most dangerous attack is one that makes it possible to reliably detect traffic coded according to this scheme, although it still cannot reliably conclude that encrypted data is present. If the attacker starts from the hypothesis that the analyzed data was coded according to this scheme, the attacker must maintain a frequency table for each octet of the output quad and, after analyzing enough data, look for frequency tables in which only 64 entries are non-zero for all 4 output octets. The frequency tables must be maintained per flow, since the alphabets are created at the beginning of the flow. The problem with this attack in the long term is that Base64 and other 24-bit-to-32-bit encoding schemes also give erroneous results. Since the attacker has only the frequency tables and does not know the reverse mapping to 6 bits, the attacker cannot unambiguously identify the traffic as encrypted, because the traffic cannot be decoded. The attacker knows only that each octet is limited to 64 values, which is not explicit evidence but only a modest hint that the underlying data coded according to this scheme may be encrypted data.
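
The scheme of Tables 1 and 2 and figures 3 and 4, together with the two observer-side checks the description mentions (a compression attempt and per-position frequency tables), as an added example that is not code from the patent. HMAC-SHA256 stands in for the RFC 4615 PRF, the input is assumed to be a whole number of octet triplets (the text does not specify padding), and the key, function names and sample "ciphertext" are constructed for illustration.

```python
import hashlib
import hmac
import zlib
from collections import Counter


def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in PRF (assumption): HMAC-SHA256 truncated to 16 octets.
    The text names the RFC 4615 PRF; the stdlib has no AES, so it is swapped."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def generate_alphabet(key: bytes) -> bytes:
    """Table 1: chain the PRF, take octet 0 of each output, skip repeats."""
    chain = prf(key, bytes(16))
    alphabet = bytearray()
    while len(alphabet) < 64:
        chain = prf(key, chain)
        if chain[0] not in alphabet:
            alphabet.append(chain[0])
    return bytes(alphabet)


def encode(ciphertext: bytes, alphabet: bytes) -> bytes:
    """Figure 3: split into octet triplets, then 6-bit groups, then look up."""
    if len(ciphertext) % 3:
        raise ValueError("pad the input to a whole number of octet triplets")
    out = bytearray()
    for i in range(0, len(ciphertext), 3):
        triplet = int.from_bytes(ciphertext[i:i + 3], "big")
        for shift in (18, 12, 6, 0):
            out.append(alphabet[(triplet >> shift) & 0x3F])
    return bytes(out)


def decode(encoded: bytes, alphabet: bytes) -> bytes:
    """Figure 4: the reverse table (Table 2) maps each octet back to 6 bits."""
    table = {octet: index for index, octet in enumerate(alphabet)}
    if len(encoded) % 4:
        raise ValueError("encoded data must be whole quads of octets")
    out = bytearray()
    for i in range(0, len(encoded), 4):
        triplet = 0
        for octet in encoded[i:i + 4]:
            if octet not in table:
                raise ValueError(f"octet {octet:#04x} is not in the alphabet")
            triplet = (triplet << 6) | table[octet]
        out += triplet.to_bytes(3, "big")
    return bytes(out)


def position_tables(stream: bytes) -> list:
    """Observer side: one frequency table per position of the output quad."""
    return [Counter(stream[pos::4]) for pos in range(4)]


def limited_to_64_values(stream: bytes) -> bool:
    """True when every quad position uses at most 64 distinct octet values."""
    return all(len(table) <= 64 for table in position_tables(stream))


def compression_ratio(stream: bytes) -> float:
    """Observer side: compressed size / original size (>= 1.0 is random-like)."""
    return len(zlib.compress(stream, 9)) / len(stream)


def sample_ciphertext(length: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 over a counter."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


if __name__ == "__main__":
    key = b"constructed session key material"  # hypothetical shared key K
    alphabet = generate_alphabet(key)
    raw = sample_ciphertext(4095)               # about 4 KB, whole triplets
    wire = encode(raw, alphabet)
    assert decode(wire, alphabet) == raw
    for name, data in (("raw ciphertext", raw), ("encoded stream", wire)):
        print(f"{name}: {len(data)} octets, "
              f"compression ratio {compression_ratio(data):.2f}, "
              f"<=64 values per position: {limited_to_64_values(data)}")
```

The per-position tables flag the encoded stream without the observer knowing the alphabet, while `decode` fails for anyone who derives a different alphabet, which matches the text's point that the observer learns the 64-value limit but not the underlying bits.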

The "attack" discussed above, in which a Base64-like coding scheme can be reliably detected even when a random alphabet is chosen, can be countered through the use of an ambiguous coding scheme, in which some of the input 6-bit sequences can be represented by multiple output octets. In one such scheme, the degree of "ambiguity" of the encoding can be selected randomly at the beginning of the session, just as the alphabet mapping is chosen randomly at the beginning of the communication session. For each of the 3 alphabets and the corresponding inverse mappings, some redundant code points, for example up to 23 code points, are generated in the alphabet table, corresponding to a limit of 23 entries in the alphabet. Thus, the alphabet can be of any length from 64 to 87 members. When encoding, a random decision is made, for each 6 bits to be encoded, as to which of the two possible encodings to use. The probability of such decisions can be any value, but in the exemplary embodiment a probability of 50% is used.

The decision as to which entries of the encoding alphabet will have an "ambiguous" encoding can also be made dynamically, using a random number generator to select an offset into the primary alphabet. The use of an ambiguous coding scheme, in which almost 30% of the 6-bit sequences have an ambiguous encoding, increases the protection of the resulting encrypted stream against detection by the frequency-table analysis described above.

The present invention may be implemented using hardware, software, or a combination of hardware and software. All types of computing systems or other devices adapted to implement the methods described here are suitable for performing the functions described here.

A typical combination of hardware and software can be a specialized or general-purpose computer system with one or more processing elements and a computer program stored on a storage medium which, when loaded and executed, controls the computer system such that it carries out the methods described here. The present invention may also be implemented as a computer program product, which contains all the features enabling the implementation of the methods described here, and which, once loaded into a computing system, is able to carry out these methods. The storage medium may be any volatile or non-volatile storage device.

A computer program or application in the present context means any expression, in any language, code or notation, of a set of commands designed to cause a system that has an information processing capability to perform a particular function either directly or after either or both of the following operations: a) conversion to another language, code or notation; b) reproduction in a different material form.

Although a preferred embodiment of the invention has been described, it is clear that those skilled in the art can make amendments and additions to it that do not, however, go beyond the scope of the following claims.

1. A method of hiding the existence of data encryption in a communication network, comprising the following operations:
generating a set of characters by using a set of encryption keys as input to a pseudo-random function, wherein each character corresponds to an indicator value;
dividing the encrypted data into a plurality of parts;
partitioning each part into a plurality of groups;
encoding each part by mapping each group to a character in the set of characters in accordance with its indicator value; and
transmitting the mapped characters through a network connection.

2. The method according to claim 1, in which the set of characters contains sixty-four characters.

3. The method according to claim 2, in which the sixty-four characters are pseudorandomly selected from the full set of 256 ASCII characters.

4. The method according to claim 1, which additionally comprises biasing the generation of the set of characters so that the probability of selecting ASCII control characters as members of the set is reduced.

5. The method according to claim 1, which additionally comprises biasing the generation of the set of characters so that the probability of selecting a group of characters as members of the set is increased.

6. The method according to claim 1, in which a part of the data is a triplet of octets, and each group has six bits.

7. The method according to claim 1, which additionally includes the following operations:
generating multiple sets of characters; and
using different sets of characters to encode neighboring parts.

8. The method according to claim 7, in which the assignment of character sets to parts is performed in a pseudo-random manner.

9. The method according to claim 8, in which the assignment of character sets to parts is performed using the pseudo-random function used to generate the character sets.

10. The method according to claim 1, which additionally includes the following operations:
receiving an encoded data block, the encoded data block containing characters in the set of characters;
dividing the encoded data block into groups of characters;
mapping each character to its corresponding indicator value to restore the plurality of parts; and
decoding each part of the plurality of parts.

11. A network interface for hiding the existence of data encryption, comprising:
a controller that:
generates a set of characters by using a set of encryption keys as input to a pseudo-random function, wherein each character corresponds to an indicator value;
divides the encrypted data into a plurality of parts;
partitions each part of the plurality of parts into a plurality of groups;
encodes each part by mapping each group of the plurality of groups to a character in the set of characters in accordance with its indicator value;
and
a communication interface in communication with the controller, wherein the communication interface transmits the mapped characters through a network connection.

12. The network interface according to claim 11, in which a part of the encrypted data is a triplet of octets, and each group has six bits.

13. The network interface according to claim 12, in which sixty-four characters are pseudorandomly selected from the full set of 256 ASCII characters.

14. The network interface according to claim 11, in which the controller additionally biases the generation of the set of characters so that the probability of selecting ASCII control characters as members of the set of characters is reduced.

15. The network interface according to claim 11, in which the controller additionally biases the generation of the set of characters so that the probability of selecting a group of characters as members of the set of characters is increased.

16. The network interface according to claim 11, in which the controller additionally:
generates multiple character sets; and
uses different character sets to encode neighboring parts.

17. The network interface according to claim 16, in which the assignment of character sets to parts is fixed.

18. The network interface according to claim 16, in which the assignment of character sets to parts is performed in a pseudo-random manner.

19. The network interface according to claim 11, in which the communication interface additionally receives an encoded data block, the encoded data block containing characters in the set of characters; and the controller additionally:
divides the encoded data block into multiple groups of characters;
maps each character to its corresponding indicator value to restore the plurality of parts; and
decrypts each part of the plurality of parts.

20. A system for hiding the existence of data encryption in a communication network, comprising:
a first network interface that:
generates a set of alphabet characters by using a set of encryption keys as input to a pseudo-random function, wherein each alphabet character corresponds to an indicator value;
divides the encrypted data into a plurality of parts;
partitions each part into a plurality of groups;
encodes each part by mapping each of the plurality of groups to a character in the set of characters in accordance with its indicator value; and
transmits the mapped characters through the communication network;
a second network interface that:
receives an encoded data block, the encoded data block containing the mapped characters;
divides the encoded data block into multiple groups of characters;
maps each character to its corresponding indicator value to restore the plurality of parts; and
decrypts each part of the plurality of parts.



 
