Encryption error monitoring system and method for packet transmission

US 20050102525A1
Filed: 10/05/2004
Published: 05/12/2005
Est. Priority Date: 10/06/2003
Status: Active Grant

First Claim

Patent Images

1. An encryption error monitoring system for checking packets transmitted between a private network and an external network, said system comprising:

a detector module (60) configured to be connected to receive said packet for determining whether or not said packet is successfully encrypted in accordance with a specific security protocol, said detector module being configured to read from said packet a sender'"'"'s address and a destination address, and to provide an error signal when said packet is judged not to be successfully encrypted, a manager module (80) which is configured to be connected to said detector module within said private network, and to create, upon receipt of said error signal, a report including said sender'"'"'s address and said destination address with regard to the packet determined not to be successfully encrypted, said detector module including a judge means (66) configured to read a header (31) included in said packet and checks whether or not said header includes a protocol code that matches with a particular code identifying said specific security protocol, said judge means providing said error signal when said header does not include the protocol code that matches with said particular code.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encryption error monitoring system for checking packets transmitted between a private network and an external network. The system includes includes a detector module (60) which is connected to receive the packet for determining whether or not the packet is successfully encrypted in accordance with a specific security protocol such as IPSec (Internet Protocol Security). The detector module reads from the packet a sender'"'"'s address and a destination address, and provides an error signal when the packet is judged not to be successfully encrypted. A manager module (80) is connected to the detector module within the private network to create, upon receipt of the error signal, a report including the sender'"'"'s address and the destination address with regard to the packet judged not to be successfully encrypted. The detector module is configured to have a judge means (66) which reads a header of the packet and checks whether or not the header includes a protocol code that matches with a particular code identifying the specific security protocol. When the header does not include the protocol code in match with the particular code, the judge means provides the error signal to notify the encryption error. Thus, the encryption error can be determined only by referring to the unencrypted header and therefore without necessitating the decryption of the packet.

Citations

11 Claims

1. An encryption error monitoring system for checking packets transmitted between a private network and an external network, said system comprising:
- a detector module (60) configured to be connected to receive said packet for determining whether or not said packet is successfully encrypted in accordance with a specific security protocol, said detector module being configured to read from said packet a sender'"'"'s address and a destination address, and to provide an error signal when said packet is judged not to be successfully encrypted, a manager module (80) which is configured to be connected to said detector module within said private network, and to create, upon receipt of said error signal, a report including said sender'"'"'s address and said destination address with regard to the packet determined not to be successfully encrypted, said detector module including a judge means (66) configured to read a header (31) included in said packet and checks whether or not said header includes a protocol code that matches with a particular code identifying said specific security protocol, said judge means providing said error signal when said header does not include the protocol code that matches with said particular code.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system as set forth in claim 1, wherein said manager (80) module is configured to set a condition for determining whether or not the packet is to be encrypted, and transmits said condition to said detector module;
    - said detector module including a packet filter (64) configured to filter out the packet designated to be encrypted in accordance with said condition, such that said judge means processes said packet designated to be encrypted.
  - 3. The system as set forth in claim 1, wherein said judge means is configured to refer to a security payload (20) which is included in said packet to succeed said header (31) for giving an encrypted data, and to read a payload length of said security payload, said judge means providing said error signal when said payload length (P) is not a multiple of a block length which is prescribed by said specific security protocol to define said payload.
  - 4. The system as set forth in claim 1, wherein said judge means is configured to refer to a security payload (20) which is included in said packet to succeed said header (31) for giving an encrypted data, said security payload including an encrypted trailer having a next header field (23) which specifies an upper layer protocol designated by said specific security protocol to identify the nature of said security payload, said judge means reading a portion of said security payload corresponding to said next header field to take an undecrypted readout (R1) for comparison with one of default protocols already known to said judge means as identifying said upper layer protocol, said judge means incrementing an uncertainty count when the following conditions are met for each of the packets transmitted within a common session:
    - a) said header (31) includes the protocol code that matches with said particular code, b) said undecrypted readout (R1) is in match with one of said default protocols, said judge means providing said error signal when said uncertainty count exceeds a predetermined count (m).
  - 5. The system as set forth in claim 1, wherein said judge means is configured to refer to a security payload (20) which is included in said packet to succeed said header (31) for giving an encrypted data, said security payload including an encrypted trailer composed of a padding field (21) which adjusts a payload length of said security payload for encryption;
    - a padding length field (22) which identifies said payload length adjusted by said padding field, a next header field (23) which stores an upper layer protocol designated by said specific security protocol to identify the nature of said security payload, said judge means reading i) the payload length (P), ii) a portion of said security payload corresponding to said next header field to take a first undecrypted readout (R1) for comparison with one or more of default protocols already known to said judge means as identifying said upper layer protocol, iii) another portion of said security payload corresponding to said padding length field to take a second undecrypted readout (R2) for comparison with a payload length of said security payload, said judge means incrementing an uncertainty count (m) when all of the following conditions are met for each of the packets transmitted within a common session;
      
      a) said header (31) includes the protocol code that matches with said particular code, b) said first undecrypted readout (R1) is in match with one of said default protocols, c) said second undecrypted readout (R2) represents a numerical value which shorter than the payload length minus the length of said encrypted trailer except said padding field, said judge means providing said error signal when said uncertainty count exceeds a predetermined count (m).
  - 6. The system as set forth in claim 1, wherein said judge means is configured to refer to a security payload (20) which is included in said packet to succeed said header (31) for giving an encrypted data, said security payload including an encrypted trailer composed of a padding field (21) which adjusts a payload length (P) of said security payload for encryption;
    - a padding length field (22) which identifies said payload length adjusted by said padding field, a next header field (23) which stores an upper layer protocol designated by said specific security protocol to identify the nature of said security payload, said judge means reading i) the payload length (P), ii) a portion of said security payload corresponding to said next header field to take a first undecrypted readout (R1) for comparison with one or more of default protocols already known to said judge means as identifying said upper layer protocol, iii) another portion of said security payload corresponding to said padding length field to take a second undecrypted readout (R2) for comparison with the payload length, said judge means incrementing an uncertainty count when all of the following conditions are met for each of the packets transmitted within a common session;
      
      a) said header includes the code that matches with said particular code, b) said payload length (P) is a multiple of a block length which is prescribed by said specific security protocol to define said payload, c) said first undecrypted readout (R1) is in match with one of said default protocols, d) said second undecrypted readout (R2) represents a numerical value which shorter than the payload length minus the length of said encrypted trailer except said padding field, said judge means providing said error signal when said uncertainty count exceeds a predetermined count (m).

7. An encryption error monitoring method for checking encrypted packets transmitted between a private network and an external network, said method comprising the steps of:
- acquiring a security protocol code which identifies a specific security protocol relied upon for encrypting an original packet into said encrypted packet, said security protocol code being different from an original protocol code included in said original packet, reading an unencrypted header (31) of said encrypted packet to take therefrom a protocol code in addition to a sender'"'"'s address and a destination address;
  
  comparing said protocol code with said security protocol code to determine an encryption error when both codes are found identical to each other;
  
  creating a report listing said sender'"'"'s address and said destination address in response to said encryption error.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method as set forth in claim 7, wherein said method further includes the steps of:
    - referring to a security payload (20) which is included in said encrypted packet and succeeding said header (31) to give an encrypted datagram;
      
      reading a payload length (P) of the security payload, determining said encryption error when said payload length is not a multiple of a block length which is prescribed by said specific security protocol to define said payload.
  - 9. The method as set forth in claim 7, wherein said method further includes the steps of:
    - referring to a security payload (20) which is included in said encrypted packet and succeeding said header (31) to give an encrypted datagram, said security payload including an encrypted trailer having a next header field (23) which specifies an upper layer protocol designated by said specific security protocol to identify the nature of said security payload, reading a portion of said security payload corresponding to said next header field to take an undecrypted readout (R1) for comparison with one of default protocols predetermined as identifying said upper layer protocol, incrementing an uncertainty count when all of the following conditions are met for each of the encrypted packet transmitted within a common session, a) said header includes the protocol code that matches with said particular code, b) said undecrypted readout (R1) is in match with one of said default protocols, determining the encryption error when said uncertainty count exceeds a predetermined count (m).
  - 10. The method as set forth in claim 7, wherein said method further includes the steps of:
    - referring to a security payload (20) which is included in said encrypted packet and succeeding said header (31) to give an encrypted datagram, said security payload including an encrypted trailer composed of a padding field (21) which adjusts a payload length of said security payload for encryption;
      
      a padding length field (22) which identifies a length to which said security payload is adjusted by said padding field, a next header field (23) which stores an upper layer protocol designated by said specific security protocol to identify the nature of said security payload, reading a portion of said security payload corresponding to said next header field to take a first undecrypted readout (R1) for comparison with one or more of default protocols predetermined as identifying said upper layer protocol, reading another portion of said security payload corresponding to said padding length field to take a second undecrypted readout (R2) for comparison with a payload length of said security payload, incrementing an uncertainty count when all of the following conditions are met for each of the packets transmitted within a common session;
      
      a) said header includes the protocol code in match with said particular code, b) said first undecrypted readout (R1) is in match with one of said default protocols, c) said second undecrypted readout (R2) represents a numerical value which shorter than the payload length minus the length of said encryption trailer except said padding field, determining the encryption error when said uncertainty count exceeds a predetermined count (m).
  - 11. The method as set forth in claim 7, wherein said method further includes the steps of:
    - referring to a security payload which is included in said encrypted packet and succeeding said header to give an encrypted datagram, said security payload including an encrypted trailer composed of a padding field (21) which adjusts a payload length of said security payload for encryption;
      
      a padding length field (22) which identifies a length to which said security payload is adjusted by said padding field, a next header field (23) which stores an upper layer protocol designated by said specific security protocol to identify the nature of said security payload, reading a portion of said security payload corresponding to said next header field to take a first undecrypted readout (R1) for comparison with one or more of default protocols predetermined as identifying said upper layer protocol, reading another portion of said security payload corresponding to said padding length field to take a second undecrypted readout (R2) for comparison with a payload length of said security payload, incrementing an uncertainty count when all of the following conditions are met for each of the packets transmitted within a common session;
      
      a) said header include the protocol code in match with said particular code, b) said payload length (P) is a multiple of a block length which is prescribed by said specific security protocol to define said payload, c) said first undecrypted readout (R1) is in match with one of said default protocols, d) said second undecrypted readout (R2) represents a numerical value which shorter than the payload length (P) minus the length of said encryption trailer except said padding field, determining the encryption error when said uncertainty count exceeds a predetermined count (m).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Panasonic Electric Works Company Limited (Panasonic Holdings Corporation)
Original Assignee
Panasonic Electric Works Company Limited (Panasonic Holdings Corporation)
Inventors
Akimoto, Masao

Granted Patent

US 7,434,255 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/187
CPC Class Codes

G06F 2221/2107   File encryption

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

Encryption error monitoring system and method for packet transmission

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption error monitoring system and method for packet transmission

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links