Secure network access devices with data encryption

US 20050114663A1
Filed: 10/28/2004
Published: 05/26/2005
Est. Priority Date: 11/21/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of establishing a secure point to point link comprising:

initiating a trusted link by authenticating a trusted partner;

encrypting data to be sent on the trusted link;

sending the encrypted data on the trusted link;

policing the trusted link by verifying that the trusted partner remains connected to the trusted link and that other un-trusted clients are not connected to the trusted link; and

if the trusted partner becomes disconnected from the trusted link or if an un-trusted client is connected to the trusted link, ceasing to send the encrypted data on the trusted link.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure point to point network communications. Secure point to point network communications are accomplished by sending data across a secure link. Trusted partners at the link are matched to each other. To ensure that no un-trusted partners are on the link, authentication is performed. One of the points may be a secure tap. The secure tap authenticates a trusted partner by receiving a hardware embedded encryption key or value derived from the hardware embedded encryption key from the trusted partner. Data sent on the trusted link is encrypted to prevent interception of the data. The secure tap polices the link to ensure that no un-trusted partners are attached to the link and that the trusted partner is not removed from the link. If un-trusted partners are added to the link or trusted partners removed from the link, the secure tap ceases sending data.

Citations

25 Claims

1. A method of establishing a secure point to point link comprising:
- initiating a trusted link by authenticating a trusted partner;
  
  encrypting data to be sent on the trusted link;
  
  sending the encrypted data on the trusted link;
  
  policing the trusted link by verifying that the trusted partner remains connected to the trusted link and that other un-trusted clients are not connected to the trusted link; and
  
  if the trusted partner becomes disconnected from the trusted link or if an un-trusted client is connected to the trusted link, ceasing to send the encrypted data on the trusted link.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the data is packetized data including a header and a payload, wherein encrypting comprises encrypting both the header and the payload.
  - 3. The method of claim 1, wherein policing comprises monitoring a signal power on the trusted link.
  - 4. The method of claim 1, wherein policing comprises periodically authenticating the trusted partner.
  - 5. The method of claim 1, wherein authenticating is performed when a trusted partner is first attached.
  - 6. The method of claim 1, wherein authenticating comprises sending and receiving authentication information on an out of band data link.
  - 7. The method of claim 1, wherein encrypting comprises scrambling the network traffic using a hardware embedded encryption key.
  - 8. The method of claim 1, wherein encrypting comprises:
    - generating a random or pseudorandom encryption key a hardware embedded encryption key; and
      
      scrambling the network traffic using the random or pseudorandom encryption key.

9. A secure network interface device for use in a secure point to point link, the network interface device comprising:
- a first interface for receiving encrypted network traffic;
  
  logic for decrypting the encrypted network traffic coupled to the first interface, wherein the logic comprises a hardware embedded encryption key matched to a network device that sends the encrypted network traffic; and
  
  a second interface coupled to the logic and a host for delivering the decrypted network traffic to the host device.
- View Dependent Claims (10, 11)
- - 10. The secure network interface device of claim 9, wherein the second interface is at least one of a USB connector and IEEE 1394 connector.
  - 11. The secure network interface device of claim 9, embodied as a host bus adapter wherein the second interface is a PCI bus connection.

12. A secure network traffic distribution device for use in a secure point to point link, the secure network traffic distribution device comprising:
- an input configured to receive network traffic;
  
  an encryption module coupled to the input, the encryption module comprising a first hardware embedded encryption key used to encrypt network traffic, the first hardware embedded encryption key matched to a device that is configured to receive encrypted network traffic from the secure network traffic distribution device; and
  
  an output port coupled to the encryption module, the output port configured to transmit encrypted network traffic.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 13. The secure network traffic distribution device of claim 12, embodied as a secure tap wherein the input comprises first and second network ports wherein the first and second network ports are configured to pass through network traffic from each other.
  - 14. The secure network traffic distribution device of claim 12, embodied as at least one of a secure switch, router and hub, further comprising a decryption module coupled to the input port configured to decrypt encrypted network traffic, the decryption module comprising a second hardware embedded encryption key used to decrypt encrypted network traffic, the second hardware embedded encryption key matched to a device that is configured to send encrypted network traffic to the secure network traffic distribution device
  - 15. The secure network traffic distribution device of claim 14, the first and second hardware embedded encryption keys having the same value.
  - 16. The secure network traffic distribution device of claim 12, comprising:
    - a plurality of input ports configured to receive network traffic;
      
      a plurality of output ports coupled to the encryption module and configured to transmit encrypted network traffic, each output port of the plurality of output ports corresponding to an input port of the plurality of input ports.
  - 17. The secure network traffic distribution device of claim 12, comprising:
    - a plurality of input ports configured to receive network traffic;
      
      logic to combine network traffic from each of the plurality of input ports; and
      
      wherein the output port is configured to output encrypted network traffic comprising network traffic combined by the logic.
  - 18. The secure network traffic distribution device of claim 12, comprising:
    - a fanout buffer coupled to the encryption module;
      
      a plurality of output ports coupled to the fanout buffer for providing multiple copies of encrypted network traffic.
  - 19. The secure network traffic distribution device of claim 12 further comprising a management port, the management port coupled to the encryption module and adapted to couple to a management computer, wherein the hardware embedded encryption key is updateable by a management computer coupled to the management port.
  - 20. The secure network traffic distribution device of claim 12 further comprising:
    - a packet distribution machine coupled to the input port to receive network traffic;
      
      a plurality of queues coupled to the packet distribution machine, the packet distribution machine, in response to a type of network traffic packet, configured to select a corresponding queue from among the plurality of queues; and
      
      a plurality of output ports, each output port coupled to at least one of a queue from among the plurality of queues.
  - 21. The secure network traffic distribution device of claim 20, the packet distribution machine configured to route packets according to at least one of protocol, packet size, and error packets.
  - 22. The secure network traffic distribution device of claim 12, comprising authentication logic configured to authenticate a trusted partner by using out of band data.
  - 23. The secure network traffic distribution device of claim 22, further comprising an authentication connection coupled to the authentication logic and configured to transmit out of band data to the trusted partner.
  - 24. The secure network traffic distribution device of claim:
    - 22, the authentication logic configured to transmit out of band data by modulating a physical layer that transmits network traffic.

25. A secure tap comprising:
- an input configured to receive network traffic;
  
  an encryption module coupled to the input, the encryption module comprising a first hardware embedded encryption key used to encrypt network traffic, the first hardware embedded encryption key matched to a device that is configured to receive encrypted network traffic from the secure tap; and
  
  an output port coupled to the encryption module, the output port configured to transmit encrypted network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finisar Corporation (II-VI Incorporated)
Original Assignee
Finisar Corporation (II-VI Incorporated)
Inventors
Gentieu, Paul, Lawson, Arthur M., Hosking, Lucy, Gordy, Stephen C., Cornell, Kevin S.

Application Number

US10/975,309
Publication Number

US 20050114663A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/72   in cryptographic circuits

G06F 21/85   interconnection devices, e....

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 9/0877   using additional device, e....

H04L 9/3234   involving additional secure...

Secure network access devices with data encryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Secure network access devices with data encryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links