A system for automatically encrypting and decrypting data packet sent from a source host to a destination host across a public internetwork. A tunnelling bridge is positioned at each network, and intercepts all packets transmitted to or from its associated network. The tunnelling bridge includes tables indicated pairs of hosts or pairs of networks between which packets should be encrypted. When a packet is transmitted from a first host, the tunnelling bridge of that host's network intercepts the packet, and determines from its header information whether packets from that host that are directed to the specified destination host should be encrypted; or, alternatively, whether packets from the source host's network that are directed to the destination host's network should be encrypted. If so, the packet is encrypted, and transmitted to the destination network along with an encapsulation header indicating source and destination information: either source and destination host addresses, or the broadcast addresses of the source and destination networks (in the latter case, concealing by encryption the hosts' respective addresses). An identifier of the source network's tunnelling bridge may also be included in the encapsulation header. At the destination network, the associated tunnelling bridge intercepts the packet, inspects the encapsulation header, from an internal table determines whether the packet was encrypted, and from either the source (host or network) address or the tunnelling bridge identifier determines whether and how the packet was encrypted. If the packet was encrypted, it is now decrypted using a key stored in the destination tunnelling bridge's memory, and is sent on to the destination host. The tunnelling bridge identifier is used particularly in an embodiment where a given network has more than one tunnelling bridge, and hence multiple possible encryption/decryption schemes and keys. In an alternative embodiment, the automatic encryption and decryption may be carried out by the source and destination hosts themselves, without the use of additional tunnelling bridges, in which case the encapsulation header includes the source and destination host addresses.

PTO Wrapper PDF
Dossier Espace Google
Patent
   RE39360
Priority
Sep 15 1994
Filed
Aug 19 1998
Issued
Oct 17 2006
Expiry
Sep 15 2014
Inventors
Patterson,…
Assg.orig
Sun Micros…
Assg.curr
Sun Micros…
Entity
Large
Referenced by
142
References
8
Maint.:
all paid
5.2 Encoding of the …
5.3 Encoding of an A…
6.0 Conclusions
References
0. 26. A method of encrypting data packets, comprising:
receiving a data packet from a source for a destination, the data packet including a header section and a data section, the header section storing a source identifier and a destination identifier;
determining whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
if the data packet should be encrypted, encrypting the data packet to produce an encrypted data packet; and
generating a new address header and appending the new address header to the encrypted data packet, thereby generating a modified data packet;
wherein the new address header includes a mechanism for identifying an encryption method used to generate the encrypted data packet.
0. 18. A system for automatically decrypting data packets transmitted from a first computer to a second computer, the system comprising:
a bridge coupled to the second computer for intercepting a data packet from the first computer, the data packet having an address header and a body, the address header including broadcast addresses of the first and second computers, the bridge including a processor and a memory that stores instructions for decrypting data packets;
information stored in the memory of the bridge correlating the first and second computers; and
instructions stored in the memory for intercepting the data packet, determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting at least a portion of the data packet to generate a new data packet including a new address header, and transmitting the new data packet onto the second computer.
0. 21. A system for automatically decrypting data packets transmitted from a first computer to a second computer, the system comprising:
a bridge coupled to the second computer for intercepting a data packet from the first computer, the data packet including a header storing key management information providing a mechanism for identifying an encryption method used to encrypt the data packet, the bridge including a processor and a memory that stores instructions for decrypting data packets;
information stored in the memory of the bridge correlating the first and second computers; and
instructions stored in the memory for intercepting the data packet, determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header, and transmitting the new data packet onto the second computer.
0. 25. A method for receiving data packets from a first computer to a second computer through a bridge including a processor and a memory that stores instructions for decrypting data packets and information correlating the first and second computers, the method being carried out according to instructions in the memory of the bridge and comprising:
intercepting a data packet from the first computer to the second computer, the data packet including information representing an internetwork address of the first computer and an internetwork address of the second computer;
determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header; and
transmitting the new data packet on to the second computer;
wherein the data packet includes a header storing key management information providing a mechanism for identifying an encryption method used to encrypt the new data packet.
0. 22. A method for receiving data packets from a first computer to a second computer through a bridge including a processor and a memory that stores instructions for decrypting data packets and information correlating the first and second computers, the method being carried out according to instructions in the memory of the bridge and comprising:
intercepting a data packet from the first computer to the second computer, the data packet including an address header and a body, the address header including broadcast addresses of the first and second computers and the body including address information representing an internetwork address of the first computer and an internetwork address of the second computer, wherein the address information is encrypted;
determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header; and
transmitting the new data packet on to the second computer.
0. 34. A computer program product adapted for encrypting data packets, comprising:
computer code that when executed causes the reception of a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that when executed causes the determination of whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
computer code that when executed, if the data packet should be encrypted, causes the encryption of the data packet to produce an encrypted data packet;
computer code that when executed causes the generation of a new address header and appends the new address header to the encrypted data packet, the new address header including a mechanism for identifying an encryption method used to generate the encrypted data packet, thereby generating a modified data packet; and
a computer readable medium that stores the computer codes.
0. 42. A computer program product adapted for encrypting data packets, comprising:
computer code that when executed on a computer causes the computer to receive a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that when executed on a computer causes the computer to determine whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
computer code that when executed on a computer causes the computer to, if the data packet should be encrypted, encrypt the data packet to produce an encrypted data packet;
computer code that when executed on a computer causes the computer to generate a new address header storing at least one of a broadcast address associated with the source and a broadcast address associated with the destination, and append the new address header to the encrypted data packet, thereby generating a modified data packet; and
a computer readable medium that stores the computer codes.
0. 43. A computer system for encrypting data packets, comprising:
a processor;
a computer readable medium coupled to the processor storing a computer program comprising:
computer code that when executed by the processor causes the processor to receive a data packet from a source for a destination, the data packet including a header section and a data section, the header section storing a source identifier and a destination identifier;
computer code that when executed by the processor causes the processor to determine whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
computer code that when executed by the processor causes the processor to if the data packet should be encrypted, encrypt the data packet to produce an encrypted data packet; and
computer code that when executed by the processor causes the processor to generate a new address header storing at least one of a broadcast address associated the source and a broadcast address associated with the destination, and append the new address header to the encrypted data packet, thereby generating a modified data packet.
0. 36. A computer system for encrypting data packets, comprising:
a processor;
a computer readable medium coupled to the processor and storing a computer program comprising:
computer code that when executed by the processor causes the processor to receive a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that when executed by the processor causes the processor to determine whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
computer code that when executed by the processor causes the processor to encrypt the data packet to produce an encrypted data packet when it is determined that the data packet should be encrypted; and
computer code that when executed by the processor causes the processor to generate a new address header and append the new address header to the encrypted data packet, thereby generating a modified data packet;
wherein the new address header includes a mechanism for identifying an encryption method used to generate the encrypted data packet.
0. 41. A system for automatically encrypting data packets for transmission from a first host computer on a first computer network to a second host computer on a second computer network, said first host computer including a first processor and a first memory including instructions for transmitting said data packets from said first host to said second host, the system including:
a bridge computer coupled to the first computer network for intercepting at least a first data packet transmitted from said first computer network, said bridge computer including a second processor and a second memory storing instructions for executing encryption of said first data packet according to a predetermined encryption/decryption mechanism;
information stored in said second memory correlating at least one of the first host computer and the first network with one of the second host computer and the second network, respectively; and
instructions stored in said second memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header including the internetwork broadcast addresses of the first and second computer networks and appending said new address header to said first data packet, thereby generating a modified first data packet on to the second host computer.
16. A system for automatically encrypting data packets for transmission from a first host computer on a first computer network to a second host computer on a second computer network, said first host computer including a first processor and a first memory including instructions for transmitting said data packets from said first host to said second host, the system including:
a bridge computer coupled to the first computer network for intercepting at least a first said data packet transmitted from said first computer network, said bridge computer including a second processor and a second memory storing instructions for executing encryption of said first data packet according to a predetermined encryption/decryption mechanism;
information stored in said second memory correlating at least one of the first host computer and the first network with one of the second host computer and the second network, respectively; and
instructions stored in said second memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header including a mechanism for identifying said predetermined encryption/decryption mechanism and appending said new address header to said first data packet, thereby generating a modified first data packet on to the second host computer.
0. 38. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network, the first host computer having a first processor and a first memory, via an internetwork to a second host computer on a second computer network, the second host computer having a second processor and a second memory, the system including:
security data stored in said first and second memories indicating that data packets meeting at least one predetermined criterion are to be encrypted;
instructions stored in said first memory for determining whether to encrypt one or more data packets, by determining whether said at least one predetermined criterion is met by said one or more data packets;
instructions stored in said first memory for executing encryption of at least a first one of said one or more data packets according to a predetermined encryption/decryption mechanism, when said at least one predetermined criterion is met, for generating a new address header for said first data packet and for appending an encapsulation header to said first data packet and transmitting said first data packet to said second host, said encapsulation header including said new address header and a mechanism for identifying said predetermined encryption/decryption mechanism;
instructions stored in said second memory for receiving said first data packet, determining whether it has been encrypted by reference to said security data in said second memory, and if so then determining which encryption/decryption mechanism was used for encryption, and decrypting said first data packet by use of said encryption/decryption mechanism.
17. A method for transmitting packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first computer networks including a first bridge computer, each of said first and second host computers and said bridge computer further including memory storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carried out according to the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the first data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;
(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first bridge computer;
(4) in the first bridge computer, generating and appending to the first data packet an encapsulation header, including:
(a) key management information providing a mechanism for identifying the predetermined encryption method, and
(b) a new address header representing the source and destination for the data packet, thereby generating a modified first data packet; and
(5) transmitting the first data packet or the modified first data packet from the first bridge computer via the internetwork to the second computer network.
14. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network and having a first host computer on a first computer network and , the first host computer having a first processor and a first memory, via an internetwork to a second host computer on a second computer network and having a second host computer on a second computer network and , the second host computer having a second processor and a second memory, the system including:
security data stored in said first and second memories indicating that data packets meeting at least one predetermined criterion are to be encrypted;
a predetermined encryption/decryption mechanism stored in said first and second memories;
a decryption key stored in said second memory;
instructions stored in said first memory for determining whether to encrypt one or more data packets, by determining whether said at least one predetermined criterion is met by said data packet one or more data packets;
instructions stored in said first memory for executing encryption according to said predetermined encryption/decryption mechanism of at least a first said data packet one of said one or more data packets,when said at least one predetermined criterion is met, for generating a new address header for said first data packet and for appending an encapsulation header to said first data packet and transmitting said first data packet to said second host, said new address header identifying broadcast addresses of the first and second computer networks, said encapsulation header including at least said new address header; and
instructions stored in said second memory for receiving said first data packet, determining whether it has been encrypted by reference to said security data in said second memory, and if so then determining which encryption/decryption mechanism was used for encryption, and decrypting said first data packet by use of said decryption key.
6. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network, including:
a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network, the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network, the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets;
said first host computer including a third processor and a third memory including instructions for transmitting a first said data packet from said first to said second host;
a first table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;
instructions stored in said first memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present in said first table, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header including a mechanism for identifying said predetermined encryption/decryption mechanism and appending said new address header to said encrypted first data packet, thereby generating a modified first data packet, and transmitting said modified data packet on to the second host computer;
a second table stored in said second memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively; and
instruction stored in said second memory for intercepting said modified first data packet upon arrival at said second network, determining whether said correlation is present in said second table, and if so, then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism, and transmitting the first data packet to the second host computer.
11. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first and second computer networks, each of said first and second host computer networks, each of said first and second host computers including a processor and a memory for storing instructions for execution by the processor, each said memory storing at least on a predetermined encryption/decryption mechanism and a source/destination table identifying a predetermined plurality of sources and destinations requiring security for packets transmitted between them, the method being carded carried out by means of the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the first data packet including information representing an internetwork address of a source of the first data packet and an internetwork address of a destination of the first data packet;
(2) in the first host computer, determining whether the source and destination of the first data packet are among the predetermined plurality of sources and destinations identified in said source/destination table for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first host computer;
(4) in the first host computer, generating and appending to the encrypted first data packet an encapsulation header, including:
(a) key management information providing a mechanism for identifying the predetermined encryption method, and
(b) a new address header identifying the source and destination for the first data packet, hereby generating a modified first data packet;
(5) transmitting the first data packet or the modified first data packet from the first host computer via the internetwork to the second computer network;
(6) in the second host computer, if the encapsulation header has been appended to the first data packet, reading the encapsulation header, and determining therefrom whether the first data packet was encrypted, and if not the first data packet was not encrypted, ending the method, and if so the first data packet was encrypted, proceeding to step 7;
(7) in the second host computer, determining which encryption mechanism was used to encrypt the first data packet; and
(8) decrypting the first data packet by the second host computer.
1. A method for transmitting and receiving packets of data via a an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first and second computer networks including, respectively, first and second bridge computers, each of said first and second host computers and first and second bridge computers including a processor and a memory for storing instructions for execution by the processor, each of said first and second bridge computers further including memory for storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carded carried out be by means of the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the first data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;
(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first bridge computer;
(4) in the first bridge computer, generating and appending to the encrypted first data packet an encapsulation header, including:
(a) key management information identifying providing a mechanism for identifying the predetermined encryption method, and
(b) a new address header representing the source and destination for the first data packet, hereby generating a modified first data packet;
(5) transmitting the first data packet or the modified first data packet from the first bridge computer via the internetwork to the second computer network;
(6) intercepting the first data packet or the modified first data packet at the second bridge computer;
(7) in the second bridge computer, if the encapsulation header has been appended to the first data packet, reading the encapsulation header, and determining therefrom whether the first data packet was encrypted, and if not, proceeding to step 10, and if so, proceeding to step 8 and if it is determined that the first data packet has been encrypted, proceeding to step 8 and otherwise proceeding to step 10;
(8) in the second bridge computer, determining which encryption mechanism was used to encrypt the first data packet;
(9) decrypting the first data packet by the second bridge computer;
(10) transmitting the first data packet from the second bridge computer to the second host computer, ; and
(11) receiving the unencrypted first data packet at the second host computer.
2. The method of claim 1, wherein the new address header for the modified first data packet includes the internetwork broadcast addresses of the first and second computer networks.
3. The method of claim 2, wherein the new address header for the modified first data packet includes an identifier of the second bridge computer.
4. The method of claim 1, wherein the new address header of the modified first data packet includes the address of the second host computer.
5. The method of claim 4, wherein the new address header for the modified first data packet includes an identifier of the second bridge computer.
7. The method of claim 6, A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network, including:
a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network, the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network, the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets;
said first host computer including a third processor and a third memory including instructions for transmitting a first data packet from said first host to said second host;
a first table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;
instructions stored in said first memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present in said first table, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header and appending said new address header to said encrypted first data packet, thereby generating a modified first data packet, and transmitting said modified first data packet on to the second host computer, wherein said new address header includes the internetwork broadcast addresses of the first and second computer networks. ;
a second table stored in said second memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively; and
instructions stored in said second memory for intercepting said modified first data packet upon arrival at said second network, determining whether said correlation is present in said second table, and if so, then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism, and transmitting the first data packet to the second host computer.
8. The method of claim 7, wherein said new address header includes an identifier of the second bridge computer.
9. The method of claim 6, wherein said new address header includes the address of the second host computer.
10. The method of claim 9, wherein said new address header includes an identifier of the second bridge computer.
12. The method of claim 11, wherein the new address header for the modified first data packet includes internetwork broadcast addresses of the first and second computer networks.
13. The method of claim 11, wherein the source/destination table includes data identifying internetwork addresses of the first and second host computers.
15. The system of claim 14, wherein:
said security data comprises correlation data stored in each of said first and second memories identifying at least one of said first and second memories identifying at least one of said first host computer and said first network correlated with at least one of said second host computer and said second network;
the system further including instructions stored in said first memory for determining whether to encrypt data packets by inspecting for a match between source and destination addresses of said data packets with said correlation data.
0. 19. The system of claim 18, wherein the data packet includes the new data packet in encrypted form.
0. 20. The method of claim 18, wherein the new address header includes information indicating the first computer is a source of the new data packet and the second computer is a destination of the new data packet.
0. 23. The method of claim 22, wherein the body includes the new data packet in encrypted form.
0. 24. The method of claim 22, wherein the new address header includes information indicating the first computer is a source of the new data packet and the second computer is a destination of the new data packet.
0. 27. The method of claim 26, further comprising transmitting the modified data packet to the destination.
0. 28. The method of claim 26, wherein the determining whether the data packet should be encrypted comprises accessing stored information that indicates by presence or absence of the source identifier that data packets from the source should be encrypted.
0. 29. The method of claim 26, wherein the determining whether the data packet should be encrypted comprises accessing stored information that indicates by presence or absence of a correlation between the source and destination identifiers that data packets from the source for the destination should be encrypted.
0. 30. The method of claim 26, wherein the encrypted data packet includes an encrypted data packet header section and an encrypted data packet data section, the encrypted data packet header section including the header section of the data packet after encryption and the encrypted data packet data section including the data section of the data packet after encryption, the modified data packet including a header portion storing the new address header and a data portion storing the encrypted data packet.
0. 31. The method of claim 30, wherein the encrypted data packet header section stores the source and destination identifiers.
0. 32. The method of claim 26, wherein the source is a host computer or a network.
0. 33. The method of claim 26, wherein the destination is a host computer or a network.
0. 35. The computer program product of claim 34, wherein the computer readable medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.
0. 37. The computer program product of claim 36, wherein the computer readable medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.
0. 39. The system as recited in claim 38, wherein said predetermined encryption/decryption mechanism is provided in encrypted form within said encapsulation header.
0. 40. The system of claim 15, wherein said correlation data includes:
encryption rules identifying source and destination networks to and from which packets are to be encrypted; and
host information indicating exceptions to the encryption rules.
0. 44. The system as recited in claim 16, wherein the mechanism indirectly references said predetermined encryption/decryption mechanism.
0. 45. The system as recited in claim 20, wherein the mechanism indirectly identifies the encryption method.
0. 46. The method as recited in claim 26, wherein the mechanism indirectly identifies the encryption method.
0. 47. The computer program product as recited in claim 34, wherein the mechanism indirectly identifies the encryption method.
0. 48. The computer system as recited in claim 36, wherein the mechanism indirectly identifies the encryption method.


and from PKCS #3,

AlgorithmIdentifier ::=
SEQUENCE {
algorithm  OBJECT IDENTIFIER
SEQUENCE {
prime INTEGER, — p
base INTEGER, — g
privateValueLength INTEGER OPTIONAL
}
}

with the OBJECT IDENTIFIER value being

dhKeyAgreement OBJECT IDENTIFIER ::=
{iso(1) member-body(2) US(840)
rsadsi(113549) pkcs(1) 3 1}

which is also taken from PKCS #3.

DHPublicKey is what gets encapsulated as the BIT STRING in SubjectPublicKeyInfo of an X.509 certificate in the obvious manner.

5.2 Encoding of the Distinguished Name (DN)

The certificate is allowed to bind multiple IP addresses to a single public value to accommodate cases where a single IP node has multiple IP addresses. The SEQUENCE OF construct in a DN readily allows for this. What is needed is an OBJECT IDENTIFIER for an AttributeType specifying an IP address. This is defined here as,
ipAddress ATTRIBUTE   WITH ATTRIBUTE-SYNTAX
PrintableString (SIZE(1..nh-ipAddress))
::= {ipsec-odd 1}    — Need to register this XXX
The DN in the certificate can contain multiple

of these by iterating on the SEQUENCE OF construct of the Relative Distinguished Name Sequence.

The Printable string contains either the hexadecimal representation or standard dot notation representation of an IP address.

5.3 Encoding of an Authorization Certificate

An authorization certificate is associated with each CA below the PCA level. The authorization certificate in effect entitles a CA to bind IP addresses to DH public keys.

6.0 Conclusions

We have described a scheme, Simple Key-Management for Internet Protocols (SKIP) that is particularly well suited to connectionless datagram protocols like IP and its replacement candidate SIPP. Both the protocol and computational overheads of this scheme are relatively low. In-band signalled keys incur the length overhead of the block size of a shared-key cipher. Also, setting and changing packet encrypting keys involves only a shared-key cipher operation. Yet the scheme has the scalability and robustness of a public-key certificate based infrastructure.

A major advantage of this scheme is that establishing and changing packet encrypting keys requires no communication between sending and receiving nodes and no establishment of a pseudo-session state between the two sides is required.

In many ways the key-management scheme here has structural similarities with the scheme used by PEM [1]. Both use the concept of an inter-change key (in our case that is the pair keys Kij) and data encrypting keys (the packet encryption keys Kp). By using the Implicit shared secret property of long-term DH public values, and treating the resulting keys as keys for a SKCS, we have reduced the protocol overhead substantially as compared to the overhead of PEM when used in conjunction with an asymmetric key-management system.

We have also described how this scheme may be used in conjunction with datagram multicast protocols, allowing a single encrypted datagram to be multicast to all the receiving nodes.

References

Each of the above references is incorporated into this Appendix A by reference.

INVENTORS:

Patterson, Martin, Aziz, Ashar, Mulligan, Geoffrey, Scott, Glenn

THIS PATENT IS REFERENCED BY THESE PATENTS:
Patent Priority Assignee Title
10003507, Mar 04 2016 Cisco Technology, Inc Transport session state protocol
10003520, Dec 22 2014 Cisco Technology, Inc System and method for efficient name-based content routing using link-state information in information-centric networks
10009266, Jul 05 2016 Cisco Technology, Inc Method and system for reference counted pending interest tables in a content centric network
10033642, Sep 19 2016 Cisco Technology, Inc System and method for making optimal routing decisions based on device-specific parameters in a content centric network
10043016, Feb 29 2016 Cisco Technology, Inc Method and system for name encryption agreement in a content centric network
10051071, Mar 04 2016 Cisco Technology, Inc Method and system for collecting historical network information in a content centric network
10063414, May 13 2016 Cisco Technology, Inc Updating a transport stack in a content centric network
10067948, Mar 18 2016 Cisco Technology, Inc Data deduping in content centric networking manifests
10069729, Aug 08 2016 Cisco Technology, Inc System and method for throttling traffic based on a forwarding information base in a content centric network
10069933, Oct 23 2014 Cisco Technology, Inc System and method for creating virtual interfaces based on network characteristics
10075401, Mar 18 2015 Cisco Technology, Inc Pending interest table behavior
10075402, Jun 24 2015 Cisco Technology, Inc Flexible command and control in content centric networks
10084764, May 13 2016 Cisco Technology, Inc System for a secure encryption proxy in a content centric network
10091012, Dec 24 2014 Cisco Technology, Inc. System and method for multi-source multicasting in content-centric networks
10091330, Mar 23 2016 Cisco Technology, Inc Interest scheduling by an information and data framework in a content centric network
10097346, Dec 09 2015 Cisco Technology, Inc Key catalogs in a content centric network
10098051, Jan 22 2014 Cisco Technology, Inc Gateways and routing in software-defined manets
10103989, Jun 13 2016 Cisco Technology, Inc Content object return messages in a content centric network
10104041, May 16 2008 Cisco Technology, Inc Controlling the spread of interests and content in a content centric network
10122624, Jul 25 2016 Cisco Technology, Inc System and method for ephemeral entries in a forwarding information base in a content centric network
10135948, Oct 31 2016 Cisco Technology, Inc System and method for process migration in a content centric network
10148572, Jun 27 2016 Cisco Technology, Inc Method and system for interest groups in a content centric network
10158656, May 22 2014 Cisco Technology, Inc. Method and apparatus for preventing insertion of malicious content at a named data network router
10187387, Oct 30 1998 VirnetX, Inc. Method for establishing connection between devices
10212248, Oct 03 2016 Cisco Technology, Inc Cache management on high availability routers in a content centric network
10237075, Jul 17 2014 Cisco Technology, Inc. Reconstructable content objects
10237189, Dec 16 2014 Cisco Technology, Inc System and method for distance-based interest forwarding
10243851, Nov 21 2016 Cisco Technology, Inc System and method for forwarder connection information in a content centric network
10257271, Jan 11 2016 Cisco Technology, Inc Chandra-Toueg consensus in a content centric network
10263965, Oct 16 2015 Cisco Technology, Inc Encrypted CCNx
10264099, Mar 07 2016 Cisco Technology, Inc Method and system for content closures in a content centric network
10284511, Apr 26 2002 Malikie Innovations Limited System and method for selection of messaging settings on a messaging client
10305864, Jan 25 2016 Cisco Technology, Inc Method and system for interest encryption in a content centric network
10305865, Jun 21 2016 Cisco Technology, Inc Permutation-based content encryption with manifests in a content centric network
10305968, Jul 18 2014 Cisco Technology, Inc. Reputation-based strategy for forwarding and responding to interests over a content centric network
10313227, Sep 24 2015 Cisco Technology, Inc System and method for eliminating undetected interest looping in information-centric networks
10320760, Apr 01 2016 Cisco Technology, Inc Method and system for mutating and caching content in a content centric network
10333840, Feb 06 2015 Cisco Technology, Inc System and method for on-demand content exchange with adaptive naming in information-centric networks
10348865, Apr 04 2016 Cisco Technology, Inc. System and method for compressing content centric networking messages
10355999, Sep 23 2015 Cisco Technology, Inc Flow control with network named fragments
10367871, Aug 19 2014 Cisco Technology, Inc. System and method for all-in-one content stream in content-centric networks
10404537, May 13 2016 Cisco Technology, Inc. Updating a transport stack in a content centric network
10419345, Sep 11 2015 Cisco Technology, Inc. Network named fragments in a content centric network
10425503, Apr 07 2016 Cisco Technology, Inc Shared pending interest table in a content centric network
10440161, Jan 12 2015 Cisco Technology, Inc. Auto-configurable transport stack
10445380, Mar 04 2014 Cisco Technology, Inc. System and method for direct storage access in a content-centric network
10447805, Oct 10 2016 Cisco Technology, Inc Distributed consensus in a content centric network
10454820, Sep 29 2015 Cisco Technology, Inc System and method for stateless information-centric networking
10511573, Oct 30 1998 VirnetX, Inc. Agile network protocol for secure communications using secure domain names
10581741, Jun 27 2016 Cisco Technology, Inc. Method and system for interest groups in a content centric network
10581967, Jan 11 2016 Cisco Technology, Inc. Chandra-Toueg consensus in a content centric network
10693852, May 13 2016 Cisco Technology, Inc. System for a secure encryption proxy in a content centric network
10701038, Jul 27 2015 Cisco Technology, Inc Content negotiation in a content centric network
10715634, Oct 23 2014 Cisco Technology, Inc. System and method for creating virtual interfaces based on network characteristics
10721332, Oct 31 2016 Cisco Technology, Inc. System and method for process migration in a content centric network
10742596, Mar 04 2016 Cisco Technology, Inc Method and system for reducing a collision probability of hash-based names using a publisher identifier
10897518, Oct 03 2016 Cisco Technology, Inc. Cache management on high availability routers in a content centric network
10956412, Aug 09 2016 Cisco Technology, Inc Method and system for conjunctive normal form attribute matching in a content centric network
11310256, Sep 23 2020 ExtraHop Networks, Inc. Monitoring encrypted network traffic
11349861, Jun 18 2021 ExtraHop Networks, Inc. Identifying network entities based on beaconing activity
11388072, Aug 05 2019 ExtraHop Networks, Inc. Correlating network traffic that crosses opaque endpoints
11431744, Feb 09 2018 ExtraHop Networks, Inc. Detection of denial of service attacks
11438247, Aug 05 2019 ExtraHop Networks, Inc. Correlating network traffic that crosses opaque endpoints
11463299, Feb 07 2018 ExtraHop Networks, Inc. Ranking alerts based on network monitoring
11463465, Sep 04 2019 ExtraHop Networks, Inc. Automatic determination of user roles and asset types based on network monitoring
11463466, Sep 23 2020 EXTRAHOP NETWORKS, INC Monitoring encrypted network traffic
11496378, Aug 09 2018 ExtraHop Networks, Inc. Correlating causes and effects associated with network activity
11546153, Mar 22 2017 ExtraHop Networks, Inc. Managing session secrets for continuous packet capture systems
11558413, Sep 23 2020 ExtraHop Networks, Inc. Monitoring encrypted network traffic
11652714, Aug 05 2019 ExtraHop Networks, Inc. Correlating network traffic that crosses opaque endpoints
11665207, Oct 25 2017 ExtraHop Networks, Inc. Inline secret sharing
11706233, May 28 2019 ExtraHop Networks, Inc. Detecting injection attacks using passive network monitoring
11843606, Mar 30 2022 ExtraHop Networks, Inc. Detecting abnormal data access based on data similarity
11916771, Sep 23 2021 ExtraHop Networks, Inc. Combining passive network analysis and active probing
7502926, Nov 26 2002 HUAWEI TECHNOLOGIES CO , LTD 802.1X protocol-based multicasting control method
7543140, Feb 26 2003 Microsoft Technology Licensing, LLC Revocation of a certificate and exclusion of other principals in a digital rights management (DRM) system based on a revocation list from a delegated revocation authority
7739497, Mar 21 2001 FORCEPOINT FEDERAL HOLDINGS LLC F K A FORCEPOINT LLC Method and apparatus for anonymous IP datagram exchange using dynamic network address translation
8112811, Apr 04 2000 Sony Corporation Information playing/reproducing apparatus and method
8365273, Jun 15 1999 SSH Communications Security OYJ Method and arrangement for providing security through network address translations using tunneling and compensations
8429411, Jun 21 2005 Malikie Innovations Limited Automated selection and inclusion of a message signature
8539111, Dec 30 1999 AVAYA Inc Port switch
8544079, Jun 15 1999 SSH Communications Security OYJ Method and arrangement for providing security through network address translations using tunneling and compensations
8549285, Mar 21 2001 FORCEPOINT FEDERAL HOLDINGS LLC Method and apparatus for anonymous IP datagram exchange using dynamic network address translation
8578171, Jun 21 2005 Malikie Innovations Limited Automated selection and inclusion of a message signature
8843643, Oct 30 1998 VirnetX, Inc. System and method employing an agile network protocol for secure communications using secure domain names
8850009, Oct 30 1998 VirnetX, Inc. System and method employing an agile network protocol for secure communications using secure domain names
8868705, Oct 30 1998 VirnetX, Inc. Agile network protocol for secure communications using secure domain names
8874771, Oct 30 1998 VirnetX, Inc. Agile network protocol for secure communications with assured system availability
8904516, Oct 30 1998 VirnetX, Inc. System and method employing an agile network protocol for secure communications using secure domain names
8914872, Jun 15 1999 SSH Communications Security OYJ Revealing occurrence of network address translations
8914873, Jun 15 1999 SSH Communications Security OYJ Revealing address information in systems where network address translations occur
8918858, Jun 15 1999 SSH Communications Security OYJ Communications across a network address translator
8943201, Oct 30 1998 VirnetX, Inc. Method for establishing encrypted channel
8973126, Jun 15 1999 SSH Communications Security OYJ Determining occurrence of a network address translation
8973127, Jun 15 1999 SSH Communications Security OYJ Communications across a network address translator
9027115, Oct 30 1998 VirnetX, Inc. System and method for using a registered name to connect network devices with a link that uses encryption
9037713, Oct 30 1998 VirnetX, Inc. Agile network protocol for secure communications using secure domain names
9038163, Oct 30 1998 VirnetX, Inc. Systems and methods for connecting network devices over communication network
9071578, Jun 15 1999 SSH Communications Security OYJ Maintaining network address translations
9077694, Oct 30 1998 VirnetX, Inc. Agile network protocol for secure communications using secure domain names
9077695, Oct 30 1998 VirnetX, Inc.; VIRNETX, INC System and method for establishing an encrypted communication link based on IP address lookup requests
9094399, Oct 30 1998 VirnetX, Inc. Method for establishing secure communication link between computers of virtual private network
9100375, Oct 30 1998 VirnetX, Inc. System and method employing an agile network protocol for secure communications using secure domain names
9374346, Oct 30 1998 VirnetX, Inc. Agile network protocol for secure communications using secure domain names
9386000, Oct 30 1998 VirnetX, Inc. System and method for establishing a communication link
9413766, Oct 30 1998 VIRNETX, INC Method for establishing connection between devices
9473576, Apr 07 2014 Cisco Technology, Inc Service discovery using collection synchronization with exact names
9479426, Oct 30 1998 VIRNETZ, INC. Agile network protocol for secure communications with assured system availability
9503365, Aug 11 2014 Cisco Technology, Inc Reputation-based instruction processing over an information centric network
9590887, Jul 18 2014 Cisco Technology, Inc Method and system for keeping interest alive in a content centric network
9590948, Dec 15 2014 Cisco Technology, Inc CCN routing using hardware-assisted hash tables
9609014, May 22 2014 Cisco Technology, Inc Method and apparatus for preventing insertion of malicious content at a named data network router
9621354, Jul 17 2014 Cisco Technology, Inc Reconstructable content objects
9626413, Mar 10 2014 Cisco Technology, Inc System and method for ranking content popularity in a content-centric network
9660825, Dec 24 2014 Cisco Technology, Inc System and method for multi-source multicasting in content-centric networks
9667594, Jun 15 1999 SSH Communications Security OYJ Maintaining network address translations
9686194, Oct 21 2009 Cisco Technology, Inc Adaptive multi-interface use for content networking
9699198, Jul 07 2014 Cisco Technology, Inc System and method for parallel secure content bootstrapping in content-centric networks
9716622, Apr 01 2014 Cisco Technology, Inc System and method for dynamic name configuration in content-centric networks
9729616, Jul 18 2014 Cisco Technology, Inc Reputation-based strategy for forwarding and responding to interests over a content centric network
9729662, Aug 11 2014 Cisco Technology, Inc Probabilistic lazy-forwarding technique without validation in a content centric network
9781076, Jan 17 2008 AIRBUS DEFENCE AND SPACE LIMITED Secure communication system
9800637, Aug 19 2014 Cisco Technology, Inc System and method for all-in-one content stream in content-centric networks
9819649, Oct 30 1998 VirnetX, Inc. System and method employing an agile network protocol for secure communications using secure domain names
9832123, Sep 11 2015 Cisco Technology, Inc Network named fragments in a content centric network
9832291, Jan 12 2015 Cisco Technology, Inc Auto-configurable transport stack
9836540, Mar 04 2014 Cisco Technology, Inc System and method for direct storage access in a content-centric network
9860283, Oct 30 1998 VIRNETX, INC Agile network protocol for secure video communications with assured system availability
9882964, Aug 08 2014 Cisco Technology, Inc Explicit strategy feedback in name-based forwarding
9912776, Dec 02 2015 Cisco Technology, Inc Explicit content deletion commands in a content centric network
9916457, Jan 12 2015 Cisco Technology, Inc Decoupled name security binding for CCN objects
9929935, Jul 18 2014 Cisco Technology, Inc. Method and system for keeping interest alive in a content centric network
9930146, Apr 04 2016 Cisco Technology, Inc System and method for compressing content centric networking messages
9946743, Jan 12 2015 Cisco Technology, Inc Order encoded manifests in a content centric network
9954678, Feb 06 2014 Cisco Technology, Inc Content-based transport security
9954795, Jan 12 2015 Cisco Technology, Inc Resource allocation using CCN manifests
9967240, Oct 30 1998 VIRNETX, INC Agile network protocol for secure communications using secure domain names
9977809, Sep 24 2015 Cisco Technology, Inc Information and data framework in a content centric network
9986034, Aug 03 2015 Cisco Technology, Inc Transferring state in content centric network stacks
9992097, Jul 11 2016 Cisco Technology, Inc System and method for piggybacking routing information in interests in a content centric network
9992281, May 01 2014 Cisco Technology, Inc Accountable content stores for information centric networks
9998412, Jun 21 2005 Malikie Innovations Limited Automated selection and inclusion of a message signature
THIS PATENT REFERENCES THESE PATENTS:
Patent Priority Assignee Title
5161192, Dec 06 1989 3Com Ireland Repeaters for secure local area networks
5204961, Jun 25 1990 HEWLETT-PACKARD DEVELOPMENT COMPANY, L P Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols
5303303, Jul 18 1990 GPT Limited Data communication system using encrypted data packets
5416842, Jun 10 1994 Sun Microsystems, Inc. Method and apparatus for key-management scheme for use with internet protocols at site firewalls
5442708, Mar 09 1993 Verizon Patent and Licensing Inc Computer network encryption/decryption device
5444782, Mar 03 1993 Verizon Patent and Licensing Inc Computer network encryption/decryption device
JP4154233,
WO9202095,
ASSIGNMENT RECORDS    Assignment records on the USPTO
/
Executed onAssignorAssigneeConveyanceFrameReelDoc
Aug 19 1998Sun Microsystems, Inc.(assignment on the face of the patent)
MAINTENANCE FEES AND DATES:    Maintenance records on the USPTO
Date Maintenance Fee Events
Jan 25 2008M1553: Payment of Maintenance Fee, 12th Year, Large Entity.


Date Maintenance Schedule
Oct 17 20094 years fee payment window open
Apr 17 20106 months grace period start (w surcharge)
Oct 17 2010patent expiry (for year 4)
Oct 17 20122 years to revive unintentionally abandoned end. (for year 4)
Oct 17 20138 years fee payment window open
Apr 17 20146 months grace period start (w surcharge)
Oct 17 2014patent expiry (for year 8)
Oct 17 20162 years to revive unintentionally abandoned end. (for year 8)
Oct 17 201712 years fee payment window open
Apr 17 20186 months grace period start (w surcharge)
Oct 17 2018patent expiry (for year 12)
Oct 17 20202 years to revive unintentionally abandoned end. (for year 12)