Communication device for implementing selective encryption in a software defined network

US 10,341,311 B2
Filed: 07/20/2015
Issued: 07/02/2019
Est. Priority Date: 07/20/2015
Status: Active Grant

First Claim

Patent Images

1. A communication device configured to selectively encrypt data in a software defined network (SDN), the communication device comprising:

a data bus;

a communication interface in communication with the data bus, the communication interface configured to receive a plurality of unencrypted data packets originating from a data producing device in an electric power system;

an SDN controller communication subsystem in communication with the data bus and configured to;

receive from an SDN controller a first criterion used to identify a subset of the plurality of unencrypted data packets to be encrypted;

an encryption subsystem configured to generate an encrypted data payload from an unencrypted data payload based on an encryption key;

a packet processing subsystem configured to;

identify unencrypted data packets to be encrypted based on the first criterion and comprising unencrypted routing information and an unencrypted payload;

selectively parse each identified data packet to extract the unencrypted routing information and the unencrypted data payload;

pass the unencrypted data payload to the encryption subsystem;

generate an encrypted data payload using the encryption key;

receive the encrypted data payload from the encryption subsystem;

generate a substitute packet comprising the unencrypted routing information and the encrypted data payload; and

transmit the substitute packet to a data consuming device in the electric power system using the unencrypted routing information via the communication interface;

wherein the first criterion comprises a determination that a first physical location at which the data consuming device identified by the routing information is separated from a second physical location at which the communication device is located;

wherein the encryption subsystem is further configured to generate a hash message authentication code (HMAC) and to append the HMAC code to the substitute packet; and

wherein the communication device is configured for use in a network that provides end-to-end encryption between the data producing device and the data consuming device that each lack encryption capabilities.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure pertains to systems and methods for selectively encrypting data flows within a software defined network (SDN). In one embodiment, a communication device may be configured to receive a plurality of unencrypted data packets. The communication device may receive from an SDN controller a criterion used to identify at least one of the unencrypted data flows to be encrypted. Based on the criterion, an encryption subsystem may generate an encrypted data flow the unencrypted data packets based on an encryption key. In some embodiments, the encryption system may parse the packets and encrypt the data payloads without encrypting the routing information associated with the packet. In other embodiments, the encryption subsystem may be configured to encapsulate and encrypt the entire unencrypted data packet. In some embodiments, the encryption subsystem may further be configured to authenticate a sending device and/or to verify the integrity of a message.

101 Citations

View as Search Results

11 Claims

1. A communication device configured to selectively encrypt data in a software defined network (SDN), the communication device comprising:
- a data bus;
  
  a communication interface in communication with the data bus, the communication interface configured to receive a plurality of unencrypted data packets originating from a data producing device in an electric power system;
  
  an SDN controller communication subsystem in communication with the data bus and configured to;
  
  receive from an SDN controller a first criterion used to identify a subset of the plurality of unencrypted data packets to be encrypted;
  
  an encryption subsystem configured to generate an encrypted data payload from an unencrypted data payload based on an encryption key;
  
  a packet processing subsystem configured to;
  
  identify unencrypted data packets to be encrypted based on the first criterion and comprising unencrypted routing information and an unencrypted payload;
  
  selectively parse each identified data packet to extract the unencrypted routing information and the unencrypted data payload;
  
  pass the unencrypted data payload to the encryption subsystem;
  
  generate an encrypted data payload using the encryption key;
  
  receive the encrypted data payload from the encryption subsystem;
  
  generate a substitute packet comprising the unencrypted routing information and the encrypted data payload; and
  
  transmit the substitute packet to a data consuming device in the electric power system using the unencrypted routing information via the communication interface;
  
  wherein the first criterion comprises a determination that a first physical location at which the data consuming device identified by the routing information is separated from a second physical location at which the communication device is located;
  
  wherein the encryption subsystem is further configured to generate a hash message authentication code (HMAC) and to append the HMAC code to the substitute packet; and
  
  wherein the communication device is configured for use in a network that provides end-to-end encryption between the data producing device and the data consuming device that each lack encryption capabilities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The communication device of claim 1, further comprising:
    - a decryption subsystem configured to generate an unencrypted data payload from an encrypted data payload based on the encryption key;
      
      wherein the communication interface is further configured to receive a plurality of encrypted data packets;
      
      wherein the SDN controller communication subsystem is further configured to receive from the SDN controller a second criterion used to identify a subset of the plurality of encrypted data packets to be decrypted; and
      
      wherein the packet processing subsystem is further configured to;
      
      identify encrypted data packets to be decrypted based on the second criterion and comprising unencrypted routing information and an encrypted payload;
      
      selectively parse each identified data packet to extract the unencrypted routing information and the encrypted data payload;
      
      pass the encrypted data payload to the decryption subsystem;
      
      generate an unencrypted data payload using the encryption key;
      
      receive the unencrypted data payload from the decryption subsystem;
      
      generate a second substitute packet comprising the unencrypted routing information and the unencrypted data payload; and
      
      transmit the second substitute packet using the unencrypted routing information via the communication interface.
  - 3. The communication device of claim 2, wherein the second criterion comprises a determination that the data consuming device identified by the routing information and the communication device are both located at a common physical location.
  - 4. The communication device of claim 2, wherein the decryption subsystem is further configured to receive a hash message authentication code (HMAC) the HMAC appended to at least one of the encrypted data packets and to verify at least one of a source of the at least one of the encrypted data packets and a message integrity based on the HMAC.
  - 5. The communication device of claim 1, wherein the packet processing subsystem is further configured to generate an error detection code based on the encrypted data payload and the packet processing subsystem is further configured to include the error detection code in the substitute packet.
  - 6. The communication device of claim 5, wherein the packet processing subsystem is further configured to generate a trailer for the substitute packet and the trailer comprises the error detection code.
  - 7. The communication device of claim 1, wherein the SDN controller communication subsystem is further configured to receive the encryption key from the SDN controller.
  - 8. The communication device of claim 7, wherein the encryption key persists through multiple sessions with the SDN controller.
  - 9. The communication device of claim 1, wherein the encryption subsystem is implemented in one of a field-programmable gate array and an application-specific integrated circuit.
  - 10. The communication device of claim 1, wherein the HMAC code is at least partially determined based on an identifier of a source of at least one of the plurality of unencrypted data packets, such that a receiving device may identify the source based at least in part on the HMAC code.
  - 11. The communication device of claim 1, wherein the HMAC code is at least partially determined based on the encrypted data payload, such that a receiving device may verify the integrity of the substitute data packet based at least in part on the HMAC code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Schweitzer Engineering Laboratories, Incorporated
Original Assignee
Schweitzer Engineering Laboratories, Incorporated
Inventors
Smith, Rhett, Grussling, Barry Jakob
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Wilcox, James J

Application Number

US14/803,755
Publication Number

US 20170026349A1
Time in Patent Office

1,443 Days
Field of Search
US Class Current
CPC Class Codes

H04L 45/38   Flow based routing

H04L 45/42   Centralised routing

H04L 45/64   using an overlay routing layer

H04L 63/0428   wherein the data content is...

H04L 63/0471   applying encryption by an i...

H04L 63/06   for supporting key manageme...

H04L 63/162   at the data link layer

Communication device for implementing selective encryption in a software defined network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Communication device for implementing selective encryption in a software defined network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links