Multi-independent level secure (MILS) storage encryption

US 10,708,236 B2
Filed: 10/24/2016
Issued: 07/07/2020
Est. Priority Date: 10/26/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a first computing device on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes including a first security class that corresponds to the first port, and the first computing device comprises a plurality of cryptographic modules, each module configured to encrypt data for a respective one of the security classes, each module comprising a cryptographic engine configured as a systolic-matrix array, and each module further comprising at least one field-programmable gate array (FPGA) programmable to support at least one security protocol;

tagging the data packet using tagging data that identifies the first security class and the first port, wherein tagging the data packet comprises replacing an external tag of the received data packet with an internal tag, wherein a first value in a field of the external tag indicates a protocol associated with the data packet, and wherein the internal tag is obtained by encoding the first value to a second value, the second value having a reduced number of bits as compared to the first value, and the second value replacing the first value in the field;

routing, based on at least one header, the data packet to a first cryptographic module of the plurality of cryptographic modules;

encrypting the data packet using the first cryptographic module; and

storing the encrypted data packet in a first data storage device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method includes: receiving, by a first computing device on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes, and the first computing device comprises a plurality of cryptographic modules, each module configured to encrypt data for a respective one of the security classes; tagging the data packet, wherein tagging data identifies one of the security classes and the first port; routing, based on at least one header, the data packet to a first cryptographic module of the plurality of cryptographic modules; encrypting the data packet using the first cryptographic module; and storing the encrypted data packet in a first data storage device.

281 Citations

20 Claims

1. A method, comprising:
- receiving, by a first computing device on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes including a first security class that corresponds to the first port, and the first computing device comprises a plurality of cryptographic modules, each module configured to encrypt data for a respective one of the security classes, each module comprising a cryptographic engine configured as a systolic-matrix array, and each module further comprising at least one field-programmable gate array (FPGA) programmable to support at least one security protocol;
  
  tagging the data packet using tagging data that identifies the first security class and the first port, wherein tagging the data packet comprises replacing an external tag of the received data packet with an internal tag, wherein a first value in a field of the external tag indicates a protocol associated with the data packet, and wherein the internal tag is obtained by encoding the first value to a second value, the second value having a reduced number of bits as compared to the first value, and the second value replacing the first value in the field;
  
  routing, based on at least one header, the data packet to a first cryptographic module of the plurality of cryptographic modules;
  
  encrypting the data packet using the first cryptographic module; and
  
  storing the encrypted data packet in a first data storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising:
    - sending the encrypted data packet over a network to a second data storage device;
      
      receiving, from the second data storage device by a second computing device, the encrypted data packet, wherein the second computing device comprises a plurality of cryptographic modules, each module configured to decrypt data for a respective one of the security classes;
      
      selecting, based on the tagging data, one of the cryptographic modules of the second computing device; and
      
      decrypting, using the selected cryptographic module, the data packet.
  - 3. The method of claim 2, further comprising:
    - selecting, based on the tagging data, one of a plurality of ports of the second computing device; and
      
      providing the decrypted packet as output on the selected port of the second computing device.
  - 4. The method of claim 1, further comprising loading at least one key for the encrypting by the first computing device of the received data packet, wherein the at least one key is selected based on a security class of the received data packet.
  - 5. The method of claim 4, wherein the security class of the received data packet is determined by at least one header comprising security information.
  - 6. The method of claim 1, wherein the internal tag includes at least one header comprising security information.
  - 7. The method of claim 1, wherein the first port is a virtual port.
  - 8. The method of claim 1, wherein the at least one header is an embedded data header or a meta-data header.
  - 15. The method of claim 1, further comprising, prior to storing the encrypted data packet in the first data storage device, restoring the field to replace the second value with the first value.
  - 16. The method of claim 15, wherein the field is an EtherType field.
  - 17. The method of claim 1, further comprising verifying, based on the internal tag, that a security class of a key does not exceed the first security class.
  - 18. The method of claim 17, further comprising, in response to verifying that the security class of the key does not exceed the first security class, restoring the field to replace the second value with the first value.

9. A system, comprising:
- at least one processor; and
  
  memory storing instructions configured to instruct the at least one processor to;
  
  receive, on a first port of a plurality of ports, a data packet, wherein each of the ports corresponds to one of a plurality of security classes;
  
  tag the data packet using tagging data that identifies a first security class of the security classes, wherein tagging the data packet comprises replacing an external tag of the received data packet with an internal tag, wherein a first value of the external tag indicates a protocol associated with the data packet, and wherein the internal tag is obtained by replacing the first value with a second value obtained by encoding the first value;
  
  route the data packet to a first cryptographic module of a plurality of cryptographic modules, wherein each cryptographic module is configured to encrypt data for a respective one of the security classes, each module comprises a cryptographic engine configured as a systolic-matrix array, and each module further comprises at least one field-programmable gate array (FPGA) programmable to support at least one security protocol; and
  
  encrypt the data packet using the first cryptographic module.
- View Dependent Claims (10, 11, 12, 13, 14, 19, 20)
- - 10. The system of claim 9, further comprising a data storage device coupled to receive the encrypted data packet for storage.
  - 11. The system of claim 9, wherein the first port is a physical port.
  - 12. The system of claim 9, wherein the data packet is routed to the first cryptographic module based on the tagging data.
  - 13. The system of claim 12, wherein at least one header of the data packet comprises the tagging data.
  - 14. The system of claim 9, wherein the tagging data further identifies the first port as an entry port.
  - 19. The system of claim 9, wherein the instructions are further configured to instruct the at least one processor to, after encrypting the data packet using the first cryptographic module, restore the first value by replacing the second value with the first value.
  - 20. The system of claim 9, wherein the first value is a value in an EtherType field associated with the data packet, and the second value replaces the first value in the EtherType field, and wherein the instructions are further configured to instruct the at least one processor to, in response to verifying that a security class of a key does not exceed the first security class, restore the EtherType field by replacing the second value in the EtherType field with the first value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secturion Systems, Inc.
Original Assignee
Secturion Systems, Inc.
Inventors
Takahashi, Richard
Primary Examiner(s)
Rashid, Harunur

Application Number

US15/332,059
Publication Number

US 20170118180A1
Time in Patent Office

1,352 Days
Field of Search
US Class Current
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 45/74   Address processing for routing

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 69/22   Parsing or analysis of headers

H04L 9/0819   Key transport or distributi...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

Multi-independent level secure (MILS) storage encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

281 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-independent level secure (MILS) storage encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

281 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links