System for signatureless transmission and reception of data packets between computer networks
Abstract
A system for automatically encrypting and decrypting data packets sent from a source host to a destination host across a public internetwork. A tunnelling bridge is positioned at each network, and intercepts all packets transmitted to or from its associated network. The tunnelling bridge includes tables indicating pairs of hosts or pairs of networks between which packets should be encrypted. When a packet is transmitted from a first host, the tunnelling bridge of that host's network intercepts the packet, and determines from its header information whether packets from that host that are directed to the specified destination host should be encrypted; or, alternatively, whether packets from the source host's network that are directed to the destination host's network should be encrypted. If so, the packet is encrypted, and transmitted to the destination network along with an encapsulation header indicating source and destination information: either source and destination host addresses, or the broadcast addresses of the source and destination networks (in the latter case, concealing by encryption the hosts' respective addresses). An identifier of the source network's tunnelling bridge may also be included in the encapsulation header. At the destination network, the associated tunnelling bridge intercepts the packet, inspects the encapsulation header, determines from an internal table whether the packet was encrypted, and from either the source (host or network) address or the tunnelling bridge identifier determines whether and how the packet was encrypted. If the packet was encrypted, it is now decrypted using a key stored in the destination tunnelling bridge's memory, and is sent on to the destination host. The tunnelling bridge identifier is used particularly in an embodiment where a given network has more than one tunnelling bridge, and hence multiple possible encryption/decryption schemes and keys.
In an alternative embodiment, the automatic encryption and decryption may be carried out by the source and destination hosts themselves, without the use of additional tunnelling bridges, in which case the encapsulation header includes the source and destination host addresses.
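The tunnelling-bridge scheme of the abstract, as an added example that is not part of the patent: a small Python simulation (class and field names, the header layout and the shape of the policy table are assumptions) in which the sending bridge consults a host-pair/network-pair table, encrypts the whole inner packet, prepends an encapsulation header carrying the mechanism id, the bridge identifier and either the host addresses or the networks' broadcast addresses, and the receiving bridge uses that header to select the key and decrypt. The stand-in cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only to keep the example stdlib-only.

```python
import hashlib
import hmac
import json
import struct

MECH_HMAC_CTR = 1  # key-management id carried in the encapsulation header
# Constructed host -> network map and network broadcast addresses (assumptions).
NET_OF = {"10.1.0.5": "10.1.0.0/16", "10.1.0.9": "10.1.0.0/16",
          "10.2.0.7": "10.2.0.0/16"}
BCAST = {"10.1.0.0/16": "10.1.255.255", "10.2.0.0/16": "10.2.255.255"}


def _ctr_xor(key, nonce, data):
    """Stand-in cipher: HMAC-SHA256 keystream in counter mode (demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class TunnellingBridge:
    def __init__(self, bridge_id, policy, peer_keys):
        self.bridge_id = bridge_id
        self.policy = policy        # entries: ("host", src, dst) or ("net", srcnet, dstnet)
        self.peer_keys = peer_keys  # peer bridge id -> shared key
        self.counter = 0            # nonce source; never reused under one key

    def _match(self, src, dst):
        if ("host", src, dst) in self.policy:
            return "host"
        if ("net", NET_OF.get(src), NET_OF.get(dst)) in self.policy:
            return "net"
        return None

    def outbound(self, packet, peer_bridge):
        mode = self._match(packet["src"], packet["dst"])
        if mode is None:
            return packet                       # not in the table: forwarded in the clear
        key = self.peer_keys[peer_bridge]
        self.counter += 1
        nonce = struct.pack(">Q", self.counter)
        body = _ctr_xor(key, nonce, json.dumps(packet).encode())  # whole inner packet
        tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
        if mode == "host":
            new_src, new_dst = packet["src"], packet["dst"]
        else:  # network mode: broadcast addresses conceal which hosts are talking
            new_src, new_dst = BCAST[NET_OF[packet["src"]]], BCAST[NET_OF[packet["dst"]]]
        return {"src": new_src, "dst": new_dst, "bridge": self.bridge_id,
                "mech": MECH_HMAC_CTR, "nonce": nonce.hex(), "tag": tag.hex(),
                "body": body.hex()}             # encapsulation header + ciphertext

    def inbound(self, packet):
        if "mech" not in packet:                # no encapsulation header: pass through
            return packet
        if packet["mech"] != MECH_HMAC_CTR:     # unknown mechanism: refuse, do not guess
            raise ValueError("unsupported encryption mechanism")
        key = self.peer_keys[packet["bridge"]]  # bridge identifier selects the key
        nonce, body = bytes.fromhex(packet["nonce"]), bytes.fromhex(packet["body"])
        expect = hmac.new(key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(packet["tag"])):
            raise ValueError("integrity check failed")
        return json.loads(_ctr_xor(key, nonce, body))  # original host-to-host packet


def demo():
    key = b"constructed-shared-key-for-demo"
    a = TunnellingBridge("A", {("net", "10.1.0.0/16", "10.2.0.0/16")}, {"B": key})
    b = TunnellingBridge("B", set(), {"A": key})
    wire = a.outbound({"src": "10.1.0.5", "dst": "10.2.0.7", "data": "hello"}, "B")
    return wire, b.inbound(wire)
```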
53 Claims
1. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first and second computer networks including, respectively, first and second bridge computers, each of said first and second host computers and first and second bridge computers including a processor and a memory for storing instructions for execution by the processor, each of said first and second bridge computers further including memory storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carried out by means of the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;
(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first bridge computer;
(4) in the first bridge computer, generating and appending to the first data packet an encapsulation header, including:
(a) key management information identifying the predetermined encryption method, and (b) a new address header representing the source and destination for the data packet, thereby generating a modified data packet;
(5) transmitting the data packet from the first bridge computer via the internetwork to the second computer network;
(6) intercepting the data packet at the second bridge computer;
(7) in the second bridge computer, reading the encapsulation header, and determining therefrom whether the data packet was encrypted, and if not, proceeding to step 10, and if so, proceeding to step 8;
(8) in the second bridge computer, determining which encryption mechanism was used to encrypt the first data packet;
(9) decrypting the first data packet by the second bridge computer;
(10) transmitting the first data packet from the second bridge computer to the second host computer; and
(11) receiving the unencrypted data packet at the second host computer.
6. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network, including:
a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network, the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network, the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets;
said first host computer including a third processor and a third memory including instructions for transmitting a first said data packet from said first host to said second host;
a first table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;
instructions stored in said first memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present in said first table, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header and appending said new address header to said first data packet, thereby generating a modified first data packet, and transmitting said modified first data packet on to the second host computer;
a second table stored in said second memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;
instructions stored in said second memory for intercepting said first data packet upon arrival at said second network, determining whether said correlation is present in said second table, and if so, then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism, and transmitting the first data packet to the second host computer.
11. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, [the first and second computer networks,] each of said first and second host computers including a processor and a memory for storing instructions for execution by the processor, each said memory storing at least one predetermined encryption/decryption mechanism and a source/destination table identifying a predetermined plurality of sources and destinations requiring security for packets transmitted between them, the method being carried out by means of the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the data packet including information representing an internetwork address of a source of the packet and an internetwork address of a destination of the packet;
(2) in the first host computer, determining whether the source and destination of the first data packet are among the predetermined plurality of sources and destinations identified in said source/destination table for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first host computer;
(4) in the first host computer, generating and appending to the first data packet an encapsulation header, including:
(a) key management information identifying the predetermined encryption method, and (b) a new address header identifying the source and destination for the first data packet;
(5) transmitting the first data packet from the first host computer via the internetwork to the second computer network;
(6) in the second host computer, reading the encapsulation header, and determining therefrom whether the first data packet was encrypted, and if not, ending the method, and if so, proceeding to step 7;
(7) in the second host computer, determining which encryption mechanism was used to encrypt the first data packet; and
(8) decrypting the first data packet by the second host computer.
14. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network and having a first processor and a first memory, via an internetwork to a second host computer on a second computer network and having a second processor and a second memory, the system including:
security data stored in said first and second memories indicating that data packets meeting at least one predetermined criterion are to be encrypted;
a predetermined encryption/decryption mechanism stored in said first and second memories;
a decryption key stored in said second memory;
instructions stored in said first memory for determining whether to encrypt data packets, by determining whether said at least one predetermined criterion is met by said data packet;
instructions stored in said first memory for executing encryption according to said predetermined encryption/decryption mechanism of at least a first said data packet, when said at least one predetermined criterion is met, for generating a new address header for said first data packet and for appending an encapsulation header to said first data packet and transmitting said first data packet to said second host, said encapsulation header including at least said new address header;
instructions stored in said second memory for receiving said first data packet, determining whether it has been encrypted by reference to said security data, and if so then determining which encryption/decryption mechanism was used for encryption, and decrypting said data packet by use of said decryption key.
16. A system for automatically encrypting data packets for transmission from a first host computer on a first computer network to a second host computer on a second computer network, said first host computer including a first processor and a first memory including instructions for transmitting said data packets from said first host to said second host, the system including:
a bridge computer coupled to the first computer network for intercepting at least a first said data packet transmitted from said first computer network, said bridge computer including a second processor and a second memory storing instructions for executing encryption of said first data packet according to a predetermined encryption/decryption mechanism;
information stored in said second memory correlating at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;
instructions stored in said second memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header and appending said new address header to said first data packet, thereby generating a modified first data packet on to the second host computer.
17. A method for transmitting packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first computer network including a first bridge computer, each of said first and second host computers and said bridge computer further including memory storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carried out according to the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;
(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first bridge computer;
(4) in the first bridge computer, generating and appending to the first data packet an encapsulation header, including:
(a) key management information identifying the predetermined encryption method, and (b) a new address header representing the source and destination for the data packet, thereby generating a modified data packet; and
(5) transmitting the data packet from the first bridge computer via the internetwork to the second computer network.
18. A system for automatically decrypting data packets transmitted from a first computer to a second computer, the system comprising:
a bridge coupled to the second computer for intercepting a data packet from the first computer, the bridge including a processor and a memory that stores instructions for decrypting data packets;
information stored in the memory of the bridge correlating the first and second computers; and
instructions stored in the memory of the bridge for intercepting the data packet, determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header, and transmitting the new data packet onto the second computer.
22. A method for receiving data packets transmitted from a first computer to a second computer through a bridge, the bridge including a processor and a memory, the memory storing instructions for decrypting data packets and information correlating the first and second computers, the method being carried out according to instructions in the memory of the bridge and comprising:
intercepting a data packet from the first computer to the second computer, a portion of the data packet including information representing an internetwork address of the first computer and an internetwork address of the second computer;
determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header, and transmitting the new data packet on to the second computer.
26. A method of encrypting data packets comprising:
receiving a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
determining whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers; and
if the data packet should be encrypted, encrypting the data packet to produce an encrypted data packet.
36. A computer program product for encrypting data packets, comprising:
computer code that receives a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that determines whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
computer code that encrypts the data packet to produce an encrypted data packet if the data packet should be encrypted; and
a computer readable medium that stores the computer codes.
38. A computer system for encrypting data packets, comprising:
a processor;
a computer readable medium coupled to the processor storing a computer program comprising:
computer code that receives a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that determines whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers; and
computer code that encrypts the data packet to produce an encrypted data packet if the data packet should be encrypted.
40. A method of decrypting data packets, comprising:
receiving a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
determining whether the data packet is encrypted upon reference to at least one of the source and destination identifiers; and
if the data packet is encrypted, decrypting the data packet to produce a decrypted data packet.
50. A computer program product for decrypting data packets, comprising:
computer code that receives a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that determines whether the data packet is encrypted upon reference to at least one of the source and destination identifiers;
computer code that decrypts the data packet to produce a decrypted data packet if the data packet is encrypted; and
a computer readable medium that stores the computer codes.
52. A computer system for decrypting data packets, comprising:
a processor;
a computer readable medium coupled to the processor storing a computer program comprising:
computer code that receives a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that determines whether the data packet is encrypted upon reference to at least one of the source and destination identifiers; and
computer code that decrypts the data packet to produce a decrypted data packet if the data packet is encrypted.