1. Patent Search
  2. Details

METHOD AND APPARATUS FOR PROTECTING INTEGRITY OF DIGITAL INFORMATION

20220131874 · 2022-04-28

    Inventors

    Cpc classification

    International classification

    Abstract

    A method and apparatus for integrity protecting data that include and perform: receiving as input data any new digital information from one or more sources; forming a protection block representing the input data received during a first period of time, if any; forming a digital descriptor using at least the protection block; and producing a delay-coding verification code based on the digital descriptor and a previous verification code.

    Claims

    1-14. (canceled)

    15. An apparatus comprising: at least one processor; and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following: receive as input data any new digital information from one or more sources; form a protection block representing the input data received during a first period of time, if any; form a digital descriptor using at least the protection block; and produce a delay-coding verification code based on the digital descriptor and a previous verification code.

    16. The apparatus of claim 15, wherein the input data comprises a gradually growing file.

    17. The apparatus of claim 15, wherein the memory and computer program code are further configured to, with the processor, cause the apparatus to form the protection block by combining data received from one or more sources during the first period of time into a single data unit.

    18. The apparatus of claim 15, wherein the digital descriptor is formed using the protection block and a time stamp.

    19. The apparatus of claim 15, wherein the forming of the digital descriptor comprises using one or more other digital descriptors.

    20. The apparatus of claim 15, wherein the forming of the digital descriptor comprises using one or more other protection blocks representing other periods of time.

    21. The apparatus of claim 15, wherein the digital descriptor comprises a message digest.

    22. The apparatus of claim 15, wherein the delay-coding verification code is formed using a memory-bound function.

    23. The apparatus of claim 15, wherein the delay-coding verification code is formed using a first function for a first protection block and using a second function for a second block.

    24. The apparatus of claim 15, wherein an indication of the function applied in forming the delay-coding verification code is combined with the delay-coding verification code.

    25. A method for integrity protecting data, comprising: receiving as input data any new digital information from one or more sources; forming a protection block representing the input data received during a first period of time, if any; forming a digital descriptor using at least the protection block; and producing a delay-coding verification code based on the digital descriptor and a previous verification code.

    26. The method of claim 25, wherein the input data comprises a gradually growing file.

    27. The method of claim 25, wherein the forming of the protection block comprises combining data received from one or more sources during the first period of time into a single data unit.

    28. The method of claim 25, wherein the digital descriptor is formed using the protection block and a time stamp.

    29. The method of any one of claim 25, wherein the forming of the digital descriptor comprises using one or more other digital descriptors.

    30. The method of claim 25, wherein the forming of the digital descriptor comprises using one or more other protection blocks representing other periods of time.

    31. The method of claim 25, wherein the digital descriptor comprises a message digest.

    32. The method of claim 25, wherein the delay-coding verification code is formed using a memory-bound function.

    33. The method of claim 25, wherein the delay-coding verification code is formed using a first function for a first protection block and using a second function for a second block.

    34. A non-transitory computer readable medium having stored thereon a set of computer readable instructions that, when executed by at least one processor, cause an apparatus to perform at least: receive as input data any new digital information from one or more sources; form a protection block representing the input data received during a first period of time, if any; form a digital descriptor using at least the protection block; and produce a delay-coding verification code based on the digital descriptor and a previous verification code.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0035] For a more complete understanding of example embodiments of the present invention, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:

    [0036] FIG. 1 shows an architectural drawing of a system of an example embodiment;

    [0037] FIG. 2 shows a flow chart of a process of an example embodiment;

    [0038] FIG. 3 shows a time chart of an example embodiment; and

    [0039] FIGS. 4a and 4b show a flow chart of various steps of some example embodiments.

    DETAILED DESCRIPTION OF THE DRAWINGS

    [0040] An example embodiment of the present invention and its potential advantages are understood by referring to FIGS. 1 through 4 of the drawings. In this document, like reference signs denote like parts or steps.

    [0041] FIG. 1 shows an architectural drawing of a system 100 of an example embodiment. In FIG. 1, there are some network functions NF 110, servers 120, an integrity protector 130 and an account database 140. Any of these example elements may be combined or distributed according to implementation, either entirely or in part (e.g., portions of the network function 110 could be combined with the server 120 or the integrity protector 130). Any of these elements may be implemented using hardware, virtualized function, or both.

    [0042] In an example embodiment, some of the elements of FIG. 1 produce log files or other information. Some of the information is produced as discrete files, such as configuration logs or last good startup configuration files. Some of the information is produced as gradually growing files or databases, such as use logs, security logs, user account data or financial account data. In an example embodiment, the integrity protector 130 treats all new information that it receives (e.g., through a port or by gaining access through to data stored in databases and/or memories) during a first period of time as a protection block that is to be integrity protected against tampering.

    [0043] FIG. 2 an apparatus 200 according to an embodiment of the invention. The apparatus 200 comprises a memory 240 including computer program code 250. The apparatus 200 further comprises a processor 220 for controlling the operation of the apparatus 200 using the computer program code 240, a communication unit 210 for communicating with other nodes and with the cryptocurrency network. The communication unit 210 comprises, for example, a local area network (LAN) port; a wireless local area network (WLAN) unit; Bluetooth unit; cellular data communication unit; or satellite data communication unit. The processor 220 comprises, for example, any one or more of: a master control unit (MCU); a microprocessor; a digital signal processor (DSP); an application specific integrated circuit (ASIC); a field programmable gate array; and a microcontroller. In an example embodiment, the apparatus 200 further comprises a user interface 230.

    [0044] FIG. 3 shows a time chart of an example embodiment. FIG. 3 shows how the integrity protector 130 receives a first file 310, a second file 320, a third file 330, a fourth file 340 and a stream 350. Any and all of these received data items may vary in their data rate as exemplified by drawing a non-regular shape for the second and fourth files 320, 340.

    [0045] As seen from FIG. 3, data received during successive first to fourth time periods p1 to p4 is in this embodiment treated as protection blocks for which digital descriptors, here respective first to fourth hash results 360 to 390, are obtained.

    [0046] In FIG. 3, some data is received during each period of time. However, there need not be any data received during all time periods so some protection blocks may be empty except that there would still in some embodiments be some data that comprises any one or more items selected from a list consisting of: a time stamp; a sequence number; one or more identifiers; function description data; random replay attack protection data; one or more network addresses; one or more portions of any one of the preceding items.

    [0047] FIG. 3 shows by an arrow that data received during a given period of time is used in hashing or, more generally, for producing a respective digital descriptor. As mentioned in the foregoing, the digital descriptor is formed using data of one or more data files or streams received during that period but not only using those files or streams, or more generally the protection block, but also other data may be included in the forming of the digital descriptor.

    [0048] In an example embodiment, the digital descriptor is formed using a plurality of protection blocks. For example, the digital descriptor can be formed using most recent N protection blocks, or using first M and most recent N protection blocks, or N protection blocks backwards from the most recent ones with a skipping scheme in which after each sequence of 0 protection blocks, P protection blocks are skipped.

    [0049] In FIG. 3, the stream 350 and the third file 330 span to at least two time periods. Boundaries of file segments can be indicated using, for example, suitable metadata, embedding a delimiter token. In an example embodiment, a protection block description is produced, e.g., to define which files are contained in the protection block and optionally also by which portions. In an example embodiment, the protection block description is an extensive markup language XML description.

    [0050] The protection block may not as such be maintained after use for computing the digital descriptor. However, the protection block description may be maintained for simplifying subsequent verification that the digital descriptors formed match their source data. The protection block can also be formed combining data from various sources in various ways. For example, in an example embodiment, the data from different sources are concatenated, optionally with some delimiting codes. In another example embodiment, the data can be combined using an additive cipher function such as XOR joining.

    [0051] The purpose of the digital descriptors is to enable verifying the integrity of source data. It can be checked that the computation of the digital descriptor again with its presumed source data produces a matching result.

    [0052] In FIG. 3, the protection blocks were formed of equally long periods of time. In an example embodiment, the duration of the time periods is variable. For example, the duration can be varied depending on any one or more of: processing load of equipment producing the digital descriptor and/or the delay-coding verification code; amount of source data received; and a random parameter.

    [0053] FIGS. 4a and 4b show a flow chart of various steps of some example embodiments for integrity protecting data, comprising:

    [0054] 400. receiving as input data any new digital information from one or more sources;

    [0055] 405. forming a protection block representing the input data received during a first period of time, if any;

    [0056] 410. forming a digital descriptor using at least the protection block; and

    [0057] 415. producing a delay-coding verification code based on the digital descriptor and a previous verification code.

    [0058] 420. The input data may comprise a gradually growing file.

    [0059] 425. The forming of the protection block may comprise combining data received from one or more sources during the first period of time into a single data unit.

    [0060] 430. The digital descriptor may be formed using the protection block and a time stamp.

    [0061] 435. The forming of the digital descriptor may comprise using one or more other digital descriptors.

    [0062] 440. The forming of the digital descriptor may comprise using one or more other protection blocks representing other periods of time.

    [0063] 445. The digital descriptor may be or comprise a message digest.

    [0064] 450. The delay-coding verification code may be formed using a memory-bound function.

    [0065] 455. The delay-coding verification code may be formed using a first function for a first protection block and using a second function for a second block.

    [0066] 460. An indication of the function applied in forming the delay-coding verification code may be combined with the delay-coding verification code.

    [0067] 465. An indication of the function applied in forming the delay-coding verification code may be stored into an indication storage.

    [0068] The delay-coding may involve applying one or more encryption function. The one or more encryption functions may comprise a symmetric encryption function such as the advanced encryption standard. The one or more encryption functions may comprise an asymmetric encryption function such as the Rivest-Shamir-Adleman, RSA.

    [0069] Without in any way limiting the scope, interpretation, or application of the claims appearing below, a technical effect of one or more of the example embodiments disclosed herein is that data received from multiple sources at variable rates can be integrity protected with predictable computation cost. Another technical effect of one or more of the example embodiments disclosed herein is that the functions used in producing the digital descriptor and the delay-coding verification code can be freely changed during integrity protecting data. Yet another technical effect of one or more of the example embodiments disclosed herein is that the functions used and/or the amount of data (indirectly through the digital descriptor) subjected to the delay-coding verification can be varied such that varying amounts of source data and computation capacity can be accounted for.

    [0070] Embodiments of the present invention may be implemented in software, hardware, application logic or a combination of software, hardware and application logic. In an example embodiment, the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media. In the context of this document, a “computer-readable medium” may be any non-transitory media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer, with one example of a computer described and depicted in FIG. 2. A computer-readable medium may comprise a computer-readable storage medium that may be any media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.

    [0071] If desired, the different functions discussed herein may be performed in a different order and/or concurrently with each other. Furthermore, if desired, one or more of the before-described functions may be optional or may be combined.

    [0072] Although various aspects of the invention are set out in the independent claims, other aspects of the invention comprise other combinations of features from the described embodiments and/or the dependent claims with the features of the independent claims, and not solely the combinations explicitly set out in the claims.

    [0073] It is also noted herein that while the foregoing describes example embodiments of the invention, these descriptions should not be viewed in a limiting sense. Rather, there are several variations and modifications which may be made without departing from the scope of the present invention as defined in the appended claims.