Working with cryptographic key information

It is important to create a cryptographic system such that the encryption system does not depend on the secret storage of the algorithm that is part of it, but only on the private key that is kept secret. In practice, key management is a separate area of cryptography, which is considered a problematic area. This paper describes the main characteristics of working with cryptographic key information. In that, the formation of keys and working with cryptographic key information are stored on external media. The random-number generator for generating random numbers used for cryptographic key generation is elucidated. To initialize the sensor, a source of external entropy, mechanism “Electronic Roulette” (biological random number), is used. The generated random bits were checked on the basis of National Institute of Standards and Technology (NIST) statistical tests. As a result of the survey, the sequence of random bits was obtained from the tests at a value of P ≥ 0.01. The value of P is between 0 and 1, and the closer the value of P is to 1, the more random the sequence of bits is generated. This means that random bits that are generated based on the proposed algorithm can be used in cryptography to generate crypto-resistant keys.


INTRODUCTION
Cryptographic protection of information (CPI) is an effective way and a key component of the entire spectrum of issues of information security in information systems (IS) and information protection transmitted through communication channels. To ensure strong data security, keys have to be rotated frequently, and transported and stored securely, along with the high demand for strong data security [1]. In [1], the result of researching the question "How painful is key management?" is "Fifty-six percent of respondents rate key management as very painful, which suggests respondents view managing keys as a very challenging activity. The highest percentage pain threshold of 69% occurs in Spain. At 37%, the lowest pain level occurs in France".
It is important to create a cryptographic system in such a way that the encryption system does not depend on the secret storage of the algorithm that is part of it, but only on the private key that is kept secret. There are many international and national key management standards that differ in the variety of requirements covered. In practice, key management is a separate area of cryptography, which is considered one of the problem areas. Cryptanalysts usually carry out attacks on public-key cryptosystems through key management systems.
It is important to form a pseudo-random sequence of keys in order to protect them from a brute force attack to a certain extent. In addition to the difficulties associated with collecting real random events on computers, there are also a number of problems. The fact that random events do not always exist in computing devices. For example, when collecting incoming entropy from the computer keyboard, a system wait occurs when the user does not enter text. It is also possible to cite sources of random entropy, in particular, the development of physical random sources. For example, in the case of using physical devices on a computer, their failure. In addition, the fact that there is no exact calculation of the entropy coming from the device to the computer, and that computers cannot be used as a generator of real random numbers.
One more main concern in this study is that the functions in question are related to cryptographic keys used in the encryption algorithm "O'z DSt 1105:2009" [2] and in this algorithm 256-bit or 512-bit cryptographic keys were used, as well as functional, session and phase keys were also used to further enhance cryptographic security which make this work different from the previous.
We presented this article in four sections. Section 2 elaborate the method, containing the software random number generator, initialization states, algorithm operation, sensor session keys, and the sensor parcels synchronous. Section 3 presents results and discussion, containing the mechanism of electronic roulette and the testing result. Then, we conclude in section 4.

METHOD
The variety of key management systems is described available on the market, helps buyers understand important characteristics to consider when evaluating alternatives, and the document covers: key management concepts, criteria for comparing solutions, advantages of the key management system, building a business case, available solutions, market segmentation [3].
In study [4], design and implementation of a key-lifecycle management system are described. Besides, in [5], a secure and reliable bio-key generation approach is presented, where there are three main issues to be solved: accuracy issue, security issue and, privacy issue. They put forward ideas such as how variations in the biometric image, like pose, blur, and illumination; affect the generated bio-key. Due to the possibility of information leakage from stored helper data or auxiliary information, an attacker can recreate biometric data from the helper data in a database. An attacker can utilize the leaked bio-key to get authentication in other applications once the bio-key has been leaked. Furthermore, to deploy the application system, a new bio-key cannot be generated. In [6] a novel biometric crypto system involving a key binding mechanism is proposed. New objective functions have been introduced to create helper data by binding the secret key with the biometric data of the user. In the retrieval phase, the local minima of the objective functions act as anchors to get the secret key.
To achieve confidentiality, it uses a key hierarchy where every key except a root key itself is encrypted by the respective parent key [7]. The hierarchy also allows for key rotation and, ultimately, for secure deletion of data. The design permits key rotation to proceed concurrently with key-serving operations. In [8]- [10], key management in distributed systems is described. Simion [11] reviewed how mathematical entropy can be estimated and evaluated, of the construction mode (from technologies based on analogue procedures: thermal noise in a transistor to modern procedures: quantum devices), as well as to evaluate the security of binary sequence generators used for generating cryptographic keys or critical security parameters related to new technologies based on quantum principles. In [12], [13], a secret key exchange protocol that establishes a cryptographically secure connection is presented between two objects and presents a new scenario for symmetric key exchange for smart city applications, which protocol is based on the specific properties of Fuss-Catalan numbers and lattice path combinatorics.
Based on the above, the article to a certain extent touched upon issues such as the operation of cryptographic key information. In [13], the functionality of the cryptographic service provider (CSP) is given. CSP is used to generate encryption keys, public and private keys of electronic digital signature (EDS), and the creation of electronic signature authentication, hashing, encryption, and data simulation protection using the algorithms mentioned in [2], [14]- [20]. In [21], the overall structure of the software CSP was described. It is implemented as nine dynamic libraries and four interface programs. The present paper describes the main characteristics and capabilities of the CSP in "Working with the cryptographic key information". The development is based on standards [22], [23]. CSP "Working with the cryptographic key information" is designed to create encryption keys, private and public keys of EDS. It can be used in telecommunication networks, public information systems, enterprise information systems through integration into application software provides storage, processing and transmission of information and the exchange of information and ensuring the legal value of electronic documents. CSP "Working with the cryptographic key information" performs two functions: formation of keys and work with the cryptographic key information stored on external media. CSP "Working with the cryptographic key information" is working with the cryptographic key information in the key container storage (key container) [14], [15].

The software random number generator
Second variant, a biometric template is used to generate the authentication key [24]. As a result, there is no need to be worried about the security of the key. Nevertheless, it usually has low discriminability, which can be measured in terms of key entropy and key stability. Key entropy refers to the number of possible keys that can be created, whereas key stability refers to how repeatable the key obtained from biometric data is. For instance, if a scheme produces the same key no matter what the input template is, it has high key stability but no entropy, resulting in a higher false accept rate. If, on the other hand, a scheme creates distinct keys for distinct templates of the same user, it has significant entropy but no stability, resulting in a higher false reject rate. As a result, the approach's limitation is that it is hard to create a key with high stability and entropy. Furthermore, the cancelability property of the key generation seems to be lost. True random number generator was also carried out [25]- [28]. The random number generator for generating random numbers is used for cryptographic key generation.

Initialization states
To initialize the sensor, we use a source of external entropy, mechanism "electronic roulette" (biological random number). For the implementation of the "electronic roulette", software module Gui.dll. The first call software random number generator with the "electronic roulette" removed 32 bytes software initialization vector of random numbers in making random checks the quality through statistical criteria.

Algorithm operation
The scheme of software random number is as follows. a) Set the elliptic curve E of the order Q over a large prime field by equation 2 = 3 + * + , where a simple module P and the coefficients a and b are structural parameters of the software random number generator. b) Define two points A=(XA, YA) and B=(XB, YB), belonging to a curve are also structural parameters of the software random number generator. The internal state of the software random number generator is the point of an elliptic curve . c) Initialized the initial value 0 of the internal state by an external source of entropy. d) Initialized the value 0 by the rule: 0 = * , where X is the external entropy source, presented in the form of an integer on modulo P, and the operation "*" is the multiplication of an integer on the point of the curve. Each time a software random number generator for the next output value of the internal state is changed according to rule (1), 0 = ( −1 ) * , = 1,2, . ..
where i is indicating the number of treatments after initialization, and is the x-coordinate of the point of an elliptic curve. The output at the i -th address to the random number is x coordinate of the point T of the elliptic curve E, calculated from (2). = ( ) * , = 1,2, . ..
The block diagram of a software random number generator is shown in Figure 1. A sensor session key is built based on the cryptographic algorithm GOST 28147-89, mode-XOR feedback. The sensor is used as the key initializes the sequence length of 32 bytes.  Movement R register in the j -th beat of work occurs according to the following rules. a) Calculate values: b) Shift register cell R:  [7] are used as the next portion of the random number generation at the sensor parcels synchronous.

The mechanism of "electronic roulette"
Biometric cryptosystems were designed to secure a cryptographic key utilizing biometric data or to generate a cryptographic key directly from biometric data. They have, however, been used to protect biometric templates. In this method, certain public helper data are saved in the database. Whereas the helper data does not reveal any important information about the original biometric template, it is required to generate a cryptographic key from the query biometric data during matching [24]. To initialize the sensor, a source of external entropy, mechanism "electronic roulette" (biological random number) is used.
For the implementation of the "electronic roulette" is used software module Gui.dll. The first call to a software random number generator with the "electronic roulette" removed 32 bytes initialization vector software random number generator. In this implementation of the CSP, we used BioRandom function from the library Gui.dll. The source code for the procedure called "electronic roulette" is given below. When you create a cryptographic key, you are prompted to enter the password for the key CSP. See Figure 2. Then, follow the standard instructions that appear on the screen during installation certification authority. It is known that random numbers and sequences of random numbers are used when implementing cryptographic substitution [29]. These random variables are the base point of cryptographic algorithms, that is, the consistency of cryptographic exchanges will depend on a random number or sequence of random numbers, the degree of their randomness. The difficulty of generalizing random numbers in computers is that computers are deterministic, that is, all processes are executed based on certain rules and the entire state is limited. We can say that the generalization sensors of all random numbers are periodic. All periodic cases are non-random. With the help of computers, it is possible to form pseudo-random rows. The period of such series is required to be such that a series of sufficient length must not be periodic. The non-periodic short-range series of a pseudo-random series must be close to the random series, that is, it must meet certain randomness criteria. Figure 2. Electronic roulette develops cryptographic key for the CA Based on this, this study will consider the functions associated with cryptographic keys used in the "O'z DSt 1105:2009" encryption algorithm. This algorithm used 256-bit or 512-bit cryptographic keys, as well as functional, session, and phase keys to further improve cryptographic security. The proposed CryptoAPI interface is a combination of basic cryptographic functions, as well as working with certificates (X.509), consisting of such functions as working with cryptographic information (PKCS#7) and working with keys as shown in Table 1. The key database consists of containers. Each key container will have its name, and the keys that will be used in it for a long time will be saved. Currently, the existing cryptographic encryption algorithms are based on a cryptographic key, that is, the cryptographic security of encryption algorithms is tied to the same keys. One of the methods of generalizing keys for encryption algorithms is to create a cryptographic key from these passwords (keywords). This password will be of variable length and will be shorter in length than the cryptographic key. However, a password is a resource that is not so good for creating a key, because users use a lot of words available in dictionaries that are remembered as passwords, and there is a high probability that this will be easily broken by dictionary attacks.
If a high level of security is required, in such cases the password must consist of random sequences. Such sequences can be obtained using the CryptGenRandom() function in the module or using other random number sensors [21]. There are several conditions for creating a key using passwords: i) the password can be specified of any length, while the key will be of a fixed length; ii) one-to-one and "close" passwords should be used to create "one-to-one" and "deleted keys" keys; and iii) the same keys should not be created using different passwords. It is considered very effective to use hash functions to create a key in such conditions. To further increase the cryptographic security of keys, you can add the "Basis" of the vector (salt) and the number of iterations to this mechanism. The "Basis" vector is a random sequence mixed with a password. The use of the "Basis" vector complicates the password dictionary, the recommended length of this vector is currently 8 bytes.
The number of iterations is the number of replacement functions to create a key from a password. If the hash function is used as a replacement function, then the hash function is represented by a sum equal to the number of iterations. To date, the number of iterations should be at least 1,000.
To calculate the EDS based on the standard "O'z DSt 1092:2009", it is necessary to initially formulate the user's public and private keys. To generate keys, we will need the parameters described in the standard "O'z DSt 1092:2009" G, P, Q, R, R1[]. With these parameters, the public and private keys of the EDS are formed using a special software module "random sequence generator". See Figures 3 and 4.  After entering the main parameters in this window, the switch proceeds to the key generation stage. A random sequence is used to obtain an initialization vector, if the user moves the mouse pointer over the window, a random sequence is formed, depending on this action, this generator can be called BioRandom, since random values in this are generated by random user movement. This program produces a random sequence of 256 bits as shown in Figure 5.
The random sequence is located in the "biorandom value" field. Public keys are 1024 bits long and are formed based on a random value. The private keys are formed using (3) and (4), respectively. Figure 5. Result of parameters The data encryption algorithm uses two keys. This is an encryption key and a function key, each of which is a 256-bit sequence. The original function key is generalized in one of two ways: i) as an encryption key function and ii) without taking into account the encryption key, that is, in the form of a pseudo-random number.
The data encryption algorithm, which uses two-dimensional arrays of session and phase keys to process data in CryptoText and converts it into open text, is formed based on the encryption key and the functional key. To work with these keys, a software module is created that performs cryptographic functions and manages these functions via CryptoAPI. The private keys (encryption keys and private electronic signature keys) available in the container are protected with a security key, which is the PIN code of the user's token. Cryptographic procedures are called in the cryptographic data protection system using the PKCS#11 interface. The same or different PKCS#11 slots can be used for UZ KEYEXCHANGE and UZ SIGNATURE [20]. The module can be used in telecommunications networks, information systems, programs that provide storage, processing, and transmission of information without access to information constituting a state secret, as well as in ensuring the legal significance of the exchange of information and electronic documents. The software module is currently applicable only in the Windows operating system and has not been investigated in other operating systems such as Linux, Mac, and Unix.

Testing result
During the experiments, 100 sequences of random bits with a length of 12,800 bits were generated. The generated random bits were tested using the statistical tests given in [30]. The P-value of all generated random bits is bigger than 0.01 Table 2. As a result of the survey, the sequence of random bits was obtained from the tests at a value of P≥0.01. The value of P is between 0 and 1, and the closer the value of P is to 1, the more random the sequence of bits is generated. This means that random bits that are generated based on the proposed algorithm can be used in cryptography to generate strong keys.

CONCLUSION
In this research work, the main characteristics of working with cryptographic key information are described. In that, the formation of keys and work with the cryptographic key information stored on external media. The random number generator for generating random numbers used for cryptographic key generation is elucidated. To initialize the sensor, a source of external entropy, mechanism "electronic roulette" (biological random number) is used. It is important to form a pseudo-random sequence of keys in order to protect them from a brute force attack to a certain extent. In making random checks the quality through statistical criteria. Generating random numbers is suitable for many specific applications, such as cryptographic information protection systems, gambling, lotteries, and simulation. Accordingly, the future work could refer specifically to the application that can be used to develop random number generators in mobile applications and IoT systems.