Communication device for implementing selective encryption in a software defined network
First Claim
1. A communication device configured to selectively encrypt data in a software defined network (SDN), the communication device comprising:
a data bus;
a communication interface in communication with the data bus, the communication interface configured to receive a plurality of unencrypted data packets originating from a data producing device in an electric power system;
an SDN controller communication subsystem in communication with the data bus and configured to:
receive from an SDN controller a first criterion used to identify a subset of the plurality of unencrypted data packets to be encrypted;
an encryption subsystem configured to generate an encrypted data payload from an unencrypted data payload based on an encryption key;
a packet processing subsystem configured to:
identify unencrypted data packets to be encrypted based on the first criterion and comprising unencrypted routing information and an unencrypted payload;
selectively parse each identified data packet to extract the unencrypted routing information and the unencrypted data payload;
pass the unencrypted data payload to the encryption subsystem;
generate an encrypted data payload using the encryption key;
receive the encrypted data payload from the encryption subsystem;
generate a substitute packet comprising the unencrypted routing information and the encrypted data payload; and
transmit the substitute packet to a data consuming device in the electric power system using the unencrypted routing information via the communication interface;
wherein the first criterion comprises a determination that a first physical location at which the data consuming device identified by the routing information is located is separated from a second physical location at which the communication device is located;
wherein the encryption subsystem is further configured to generate a hash message authentication code (HMAC) and to append the HMAC code to the substitute packet; and
wherein the communication device is configured for use in a network that provides end-to-end encryption between the data producing device and the data consuming device that each lack encryption capabilities.
3 Assignments
0 Petitions
Abstract
The present disclosure pertains to systems and methods for selectively encrypting data flows within a software defined network (SDN). In one embodiment, a communication device may be configured to receive a plurality of unencrypted data packets. The communication device may receive from an SDN controller a criterion used to identify at least one of the unencrypted data flows to be encrypted. Based on the criterion, an encryption subsystem may generate an encrypted data flow from the unencrypted data packets based on an encryption key. In some embodiments, the encryption subsystem may parse the packets and encrypt the data payloads without encrypting the routing information associated with the packet. In other embodiments, the encryption subsystem may be configured to encapsulate and encrypt the entire unencrypted data packet. In some embodiments, the encryption subsystem may further be configured to authenticate a sending device and/or to verify the integrity of a message.
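The packet-processing flow of claim 1 and the abstract (controller-supplied criterion, parse routing information from payload, encrypt only the payload, append an HMAC, forward a substitute packet with the original routing information) is shown below as an added worked example. It is illustration written for this page, not code from the patent or its assignee. The patent names neither cipher nor MAC construction beyond "an encryption key" and "an HMAC"; this example assumes AES-CTR for the payload and HMAC-SHA256 in encrypt-then-MAC order, with the MAC also covering the unencrypted routing information so a substitute packet cannot be replayed toward a different destination. The site map (`SiteOf`), device names, keys and payloads are constructed sample data, and the peer device at the consuming site (`Ingress`) is an assumption about how the "end-to-end" path in the last clause of the claim is completed, since the consumer itself lacks encryption capability.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet models the claim's data packet: routing information (never encrypted)
// plus a payload. Encrypted marks a substitute packet whose payload carries
// iv || ciphertext || HMAC tag.
type Packet struct {
	Src, Dst  string
	Payload   []byte
	Encrypted bool
}

// Criterion is the rule pushed by the SDN controller: encrypt when the
// destination sits at a different physical site than this device.
// SiteOf is an assumed topology map, not something taken from the patent.
type Criterion struct {
	LocalSite string
	SiteOf    map[string]string
}

// Matches implements the "first criterion" of claim 1.
func (c Criterion) Matches(p Packet) bool {
	site, known := c.SiteOf[p.Dst]
	return known && site != c.LocalSite
}

// Device is the communication device in front of a producer or consumer that
// has no encryption capability of its own. Encryption and MAC keys are kept
// separate; one key must never serve both purposes.
type Device struct {
	Rule   Criterion
	block  cipher.Block
	macKey []byte
}

func NewDevice(rule Criterion, encKey, macKey []byte) (*Device, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	if len(macKey) < sha256.Size {
		return nil, errors.New("mac key too short")
	}
	return &Device{Rule: rule, block: block, macKey: macKey}, nil
}

// tag binds the ciphertext to the unencrypted routing information, so a
// substitute packet redirected to another destination fails verification.
func (d *Device) tag(p Packet, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, d.macKey)
	m.Write([]byte(p.Src))
	m.Write([]byte{0})
	m.Write([]byte(p.Dst))
	m.Write([]byte{0})
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// Egress is the packet processing subsystem on the producing side: packets
// matching the criterion are parsed, the payload is encrypted with AES-CTR
// under a fresh IV, the HMAC is appended, and a substitute packet carrying the
// original routing information is returned. Everything else passes untouched.
func (d *Device) Egress(p Packet) (Packet, error) {
	if p.Encrypted || !d.Rule.Matches(p) {
		return p, nil
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return Packet{}, err
	}
	ct := make([]byte, len(p.Payload))
	cipher.NewCTR(d.block, iv).XORKeyStream(ct, p.Payload)
	out := Packet{Src: p.Src, Dst: p.Dst, Encrypted: true}
	out.Payload = append(append(append([]byte{}, iv...), ct...), d.tag(out, iv, ct)...)
	return out, nil
}

// Ingress runs on the peer device at the consuming site: verify the HMAC first
// (constant-time compare) and only then decrypt and restore the original packet.
func (d *Device) Ingress(p Packet) (Packet, error) {
	if !p.Encrypted {
		return p, nil
	}
	if len(p.Payload) < aes.BlockSize+sha256.Size {
		return Packet{}, errors.New("substitute packet too short")
	}
	iv := p.Payload[:aes.BlockSize]
	ct := p.Payload[aes.BlockSize : len(p.Payload)-sha256.Size]
	got := p.Payload[len(p.Payload)-sha256.Size:]
	if !hmac.Equal(got, d.tag(p, iv, ct)) {
		return Packet{}, errors.New("HMAC verification failed: packet dropped")
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(d.block, iv).XORKeyStream(pt, ct)
	return Packet{Src: p.Src, Dst: p.Dst, Payload: pt}, nil
}

func main() {
	// Constructed sample: one device in a substation, one in the control center,
	// sharing keys provisioned out of band (key distribution is not shown here).
	sites := map[string]string{"relay-1": "substation", "hmi-1": "substation", "scada-1": "control-center"}
	encKey, macKey := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32)
	sub, _ := NewDevice(Criterion{"substation", sites}, encKey, macKey)
	cc, _ := NewDevice(Criterion{"control-center", sites}, encKey, macKey)
	for _, p := range []Packet{
		{Src: "relay-1", Dst: "hmi-1", Payload: []byte("GOOSE trip=0")},
		{Src: "relay-1", Dst: "scada-1", Payload: []byte("DNP3 voltage=132.4kV")},
	} {
		out, _ := sub.Egress(p)
		back, err := cc.Ingress(out)
		fmt.Printf("%s -> %s encrypted=%v restored=%q err=%v\n", p.Src, p.Dst, out.Encrypted, back.Payload, err)
	}
}
```

Two points the claim leaves implicit are made explicit here: the MAC is checked before any decryption so a forged or truncated substitute packet is dropped without touching the cipher, and the routing fields are part of the authenticated data even though they travel in the clear, which is what keeps the unencrypted header from becoming a redirection oracle.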
101 Citations
11 Claims