TITLE: ENCRYPTION DEVICE
Technical Field
The present invention relates to an encryption device for encryption of a data flow, and more particularly to an encryption device comprising a PC-card, having a data input and a data output for encrypted data.
Prior Art
The increased use of computers in different networks for transmission of information involves at the same time an increased exposure of, for example, information of a confidential nature, which the sender and receiver do not want to be available to unauthorized persons. This is a big problem, because it is relatively simple to tap data communication over different networks. It is very difficult to keep unauthorized persons from tapping information being transmitted over the Internet, because the network is available to everyone, including persons acquiring secret information in an illegitimate way. This problem can be solved by encryption of information, i.e. a means for the sender and receiver to transmit information in a secure way over an insecure communication channel available to several users. The security is achieved by translating a message en clair into an encrypted text, a so-called cryptogram, by means of a crypto and a key. The crypto can be an encryption algorithm known to a few or to everyone, while the key is known to authorized senders and receivers but unknown to other users who have access to the same network. An unauthorized user encrypts a message with a key and then he transmits the encrypted message to an authorized receiver. In order to decode or decrypt the received message and verify that the message is sent by an authorized sender, the user uses the current key.
The encryption can be performed before the information is sent or in connection with the data stream passing the modem. Laptop computers normally have card slots for connection to external hardware, such as different kinds of modems (analogue, ISDN, GSM), memory devices (hard disks, flash disks), or other kinds of interface cards for connection to the Ethernet or to analogue or digital input and output signals. Interface cards of this kind are called PC-cards, or previously PCMCIA-cards.
During, for example, communication between a distance worker and his company network via the Internet or the public switched network, the transmitted information is internal and important information for the company. Often, it can be directly detrimental to the company if the information falls into the wrong hands, and, therefore, it should be protected by encryption. A distance worker is often provided with a laptop computer equipped with a modem, to be able to work both at home and during business trips. For example, the modem can be a GSM or ISDN modem etc. on a PC-card for connection to a suitable network, for transmission of the information.
There are several prior art PC-cards with encryption functionality, which can be divided into two groups: PC-cards including only encryption functionality, and PC-cards including encryption functionality and a modem. The main functionality of the first group can be described as a file and/or hard disk encryption tool, and is not relevant for the present invention as it lacks communication possibilities via the modem. The integrated modem functionality of the latter group protects the calling modem connections in the first place.
Vkaart PCMCIA encryption card from Philips Crypto, Holland, is a PCMCIA-card providing a main functionality for a modem crypto and PC-related security functions, such as access control to a PC or laptop computer, digital signatures in order to secure the authority of the user for what is communicated, and encryption of files on the computer, with optional smart card support.
The modem crypto from Philips Crypto and other prior art modem cryptos comprise a PC-card for encryption with an integrated modem. This delimits the possibilities for connection of the modem crypto, or the computer connected to the modem crypto, to a certain kind of network, determined by the kind of modem.
Summary of the Invention
The object of the present invention is to achieve an encryption device for encryption of a data flow between a computer and a PC-card, and decryption in the reverse direction, and to provide the possibility of connection of the encryption device to several kinds of networks in order to obtain a secure information transmission between a sender and a receiver over an insecure communication channel.
The object is achieved by an encryption device according to the present invention, comprising a PC-card part including encryption means/decryption means for encryption/decryption of data on the PC-card bus and a data output, which is operatively connected to connection means for an external PC-card.
An advantage of the encryption device according to the invention is that the communication between a computer, provided with the encryption device and a modem connected to its connection means for an external PC-card, and another computer, also provided with a corresponding encryption device in connection with the modem via the network, is encrypted in a simple and secure way.
Another advantage of the present invention is the possibility of changing the modem for other kinds of modems, for example for another communication medium.
The Drawings
The invention will be described in the following description with reference to the accompanying drawings, in which
FIG 1 is a schematic side view of an encryption device according to the present invention, and
FIG 2 is a block diagram illustrating the encryption device in FIG 1 connected to a computer and a PC-card modem.
Description
FIG 1 shows an encryption device 1 according to the present invention, including a PC-card or a PC-card part 2 having a data input 3 and a data output 4 for encrypted data, a reader/writer 5 for active cards 6 with an encryption key, wherein the reader/writer 5 is integrated with a keypad 7 for verification of a user of the active card 6. The encryption device 1 has a PC-card 2 such as a PCMCIA-card type II in this embodiment, which can be placed into a card slot of a computer for PC-cards with a corresponding terminal. The data output 4 is in turn operatively connected with a terminal in a card slot of the encryption device 1 for an external PC-card 8.
The block diagram in FIG 2 illustrates the encryption device 1 according to the invention connected to a computer 9, for example a laptop computer, and the external PC-card 8, a modem in the embodiment. The encryption device 1 has encryption means 10 for encryption of data, encrypting data by means of an encryption algorithm directly from the PC-card input bus 11, which is operatively connected to the data output 3. The encryption means 10 is connected to the data output 4 through the output bus 12, said output being operatively connected to the connection means for an external PC-card. A filter 13 is operatively connected to the data input 3 via the input bus 11 of the PC-card 2 for wire tapping of the data flow, based on which the filter 13 activates and deactivates the encryption.
In order to obtain a required security in the encryption and the possibility for authorisation control, a key is required in addition to the crypto. The key is supplied from the active card 6 via the card reader/writer 5 in this embodiment to the encryption means 10, which is operatively connected to the card reader/writer 5.
Secure transmission of secret information from the computer 9 to a receiving computer is performed by the encryption device 1 according to the invention, connected to the PCMCIA-bus 11' of the computer 9, the PC-card modem connected to the encryption device 1, and an insecure communication channel available for several users and connected to the receiver. The security is obtained by means of the encryption device 1 being activated by a user, who puts his active card 6 into the card reader/writer 5 and enters his authorisation code, a so-called PIN-code, on the keypad 7. A correctly entered code results in the encryption key stored on the card 6 being read into the encryption device 10. A connection established by a call is initiated between the transmitter computer 9 and the receiver computer. The encryption device at the receiver computer automatically verifies that the key information of the calling computer 9 corresponds to its own information. If this verification is unsuccessful, the connection is interrupted and the line is automatically disconnected.
Regulation and control information for initialisation of the connection usually cannot be encrypted. Therefore, the filter 13 taps the data flow and searches for known bit patterns for identification of regulation and control information. Based on the identified information, the filter activates or deactivates the encryption function.
The information or the message from the computer is en clair and is translated in the encryption device 1 to a cryptogram by means of the crypto and a key in the encryption means. Then, the encrypted message is transmitted to the computer of the authorized receiver via the input bus 12, the data output 4, and the modem 8 placed in the card slot of the encryption device and its PCMCIA-bus 12'.
In order to decode or decrypt the received message and verify that the message is transmitted by an authorized sender, the user uses the current key.
Usually, the information transmission is duplex and the computer 9 therefore has to operate both as a transmitter and a receiver of encrypted information. Therefore, the encryption device 1 according to the invention also comprises decryption means 14 for decryption of received data from its external PC-card 8. During decryption, the data output 4 operates as input for encrypted input data and the data input 3 as output for decrypted data.
After a completed session, the user takes out his active card 6 from the card reader/writer 5. All secret information is stored on the card, and the encryption device 2 automatically deletes internal memory circuits in the encryption means 10 and the decryption means 14 after the card has been removed from the reader. This implies that the key always has to be loaded after the active card has been removed from the card reader/writer 5 or that the computer has been turned off. Since the encryption device 1 gets power supplied from the computer 9, it will be automatically turned off when the computer 9 is turned off.
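The session steps described above (PIN entry, key loading, the receiver's check of the caller's key information, and deletion of the key when the card is removed), modelled as an added example that is not code from the patent. All names are hypothetical, `key_id` is an assumed stand-in for the "key information" exchanged at call set-up, and the PIN comparison stands in for the check performed with the active card.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { KEY_LEN = 16, ID_LEN = 4 };

/* key_id: assumed "key information"; the patent does not define it. */
typedef struct { uint8_t key[KEY_LEN], key_id[ID_LEN]; } secret_t;
typedef struct { char pin[8]; secret_t s; } card_t;   /* active card 6 */
typedef struct { int loaded; secret_t s; } unit_t;    /* means 10 and 14 */

/* Wipe through a volatile pointer so the compiler cannot drop the store. */
static void wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Comparison whose run time does not depend on where the bytes differ. */
static int same(const void *a, const void *b, size_t n) {
    const uint8_t *x = a, *y = b;
    uint8_t diff = 0;
    while (n--) diff |= *x++ ^ *y++;
    return diff == 0;
}

/* Card in reader 5, PIN typed on keypad 7: key is read only on a match. */
int card_inserted(unit_t *u, const card_t *c, const char *pin) {
    size_t n = strlen(c->pin);
    if (strlen(pin) != n || !same(pin, c->pin, n)) return 0;
    u->s = c->s;
    u->loaded = 1;
    return 1;
}

/* Receiver side: 1 keeps the connection, 0 means disconnect the line. */
int accept_call(const unit_t *u, const uint8_t caller_id[ID_LEN]) {
    return u->loaded && same(u->s.key_id, caller_id, ID_LEN);
}

/* Card taken out of the reader: nothing secret stays in the device. */
void card_removed(unit_t *u) { wipe(u, sizeof *u); }

int main(void) {
    /* Constructed card contents and PIN. */
    const card_t card = {"4711", {{0xA5}, {1, 2, 3, 4}}};
    unit_t u = {0};
    int ok = card_inserted(&u, &card, "4711") && accept_call(&u, card.s.key_id);
    card_removed(&u);
    return ok && !u.loaded ? 0 : 1;
}
```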
Even though the invention has been described by way of an example thereof, it is apparent that the encryption device according to the present invention fulfils the aims and advantages set forth above, and alternatives, modifications and variations of the invention are possible within the scope of the accompanying claims.
In alternative embodiments of the encryption device 1, the encryption key can be entered manually on the keypad 7, from a network through the connection means for the external PC-card 8, via the computer 9, or via an IR-connection.
Thus, the encryption device 1 according to the invention comprises a PC-card with a hardware based encryption. Encryption keys are supplied in several ways but preferably by a personal active card protected by a PIN-code. Additionally, the encryption device 1 provides functionality for encrypted information transmission through an analogue telecommunication network as well as GSM and ISDN. Examples of connectable external PC-cards 8 are the V90-, GSM-, ISDN-, XDSL-modem or a combination thereof. The flexibility of the construction facilitates a simple upgrade to future communication standards. In another embodiment, the PC-card part 2 is provided with an interface terminal for connection to a serial port or a USB-port (Universal Serial Bus) of a desktop computer.