Apparatus and method for secure transmission of data over an unsecure transmission channel
First Claim
1. A method for transmitting data packets in a secure manner on an unsecured data transmission channel having a plurality of nodes coupled thereto, each of said nodes including a memory for storing encryption key words for use in encrypting said data packets, said method comprising the steps of:
generating at one of said nodes a data packet for transmission to a target one of said nodes;
searching the memory at said host node to locate an encryption key word designated for use with data packets to be processed by said target node;
assembling, upon determining that no said encryption key word is stored, a key request (AR) data packet; and
transmitting said AR data packet to a key distribution (KDC) one of said nodes to request assignment of an encryption key word for use in encrypting data packets to be processed by said host and target nodes.
Abstract
Apparatus and methods, readily adapted to interface with a standard data transmission network having an unsecure transmission channel, e.g., "Ethernet," for the provision of secure transmission of data over the network channel in a manner which is essentially transparent to the standard network devices and users thereof, are provided. Various encryption keys are generated and utilized within the system to disguise or encrypt information transferred between network nodes. The encryption keys are made known only to those network devices which are permitted to handle information encrypted with the encryption keys.
27 Claims
7. A method for transmitting data packets in a secure manner on an unsecured data transmission channel having a plurality of nodes coupled thereto, each of said nodes including memory for storing encryption key words for use in encrypting said data packets, said method comprising the steps of:
periodically generating at a key distribution (KDC) one of said nodes new encryption key words;
assembling at said KDC node a key transfer (AO) data packet for transmission to a host one of said nodes;
encrypting a new encryption key word generated at said KDC node with a first master encryption key word usable for decryption only at a target one of said nodes;
including said encrypted new encryption key word in said AO data packet;
including the unencrypted new encryption key word in said AO data packet;
encrypting said AO data packet with a second master encryption key word usable for decryption only at said host node; and
transmitting said encrypted AO data packet to said host node thereby transferring said new encryption key word to said host node.

14. A secure data transmission system for transmitting data packets having a destination address and a message field, the system comprising:
unsecured channel means for transferring said data packets;
a plurality of node means coupled to said unsecured channel means for generating said data packets and for transmitting said data packets onto said channel means;
first encryption means included at a first one of said node means for encrypting the message field of a first data packet according to a first encryption key word;
key control means for automatically invalidating said first encryption key word upon detection of a predetermined condition;
key generation means included at a second one of said node means for generating a second encryption key word and for including said second encryption key word in the message field of a second data packet having a destination address identifying said first node means;
second encryption means included at said second node means for encrypting the message field of said second data packet with a first master encryption key word unique to said first node means, said second encryption means including means for generating an intermediate key word, means for encrypting said intermediate key word according to said first master encryption key word and for including said encrypted intermediate key word in the message field of said second data packet, and means for encrypting a portion of said message field following said encrypted intermediate key word according to said intermediate key word; and
first decryption means included at said first node means for decrypting said second data packet and for substituting said second encryption key word obtained therefrom for said first encryption key word used by said first encryption means.

15. A secure data transmission system for transmitting data packets having a destination address and a message field, the system comprising:
unsecured channel means for transferring said data packets;
a plurality of node means coupled to said unsecured channel means for generating said data packets and for transmitting said data packets onto said channel means;
first encryption means included at a first one of said node means for encrypting the message field of a first data packet according to a first encryption key word;
key control means for automatically invalidating said first encryption key word upon detection of a predetermined condition;
key generation means included at a second one of said node means for generating a second encryption key word and for including said second encryption key word in the message field of a second data packet having a destination address identifying said first node means;
second encryption means included at said second node means for encrypting the message field of said second data packet with a first master encryption key word unique to said first node means;
first decryption means included at said first node means for decrypting said second data packet and for substituting said second encryption key word obtained therefrom for said first encryption key word used by said first encryption means;
means included in said second node means for generating an association setup message including a target address identifying a third one of said node means, said setup message further including said second encryption key word;
means for controlling said second encryption means to encrypt said second encryption key word within said association setup message with a second master encryption key word unique to said third node means; and
means for including said association setup message within the message field of said second data packet.

21. A method for transmitting data packets in a secure manner on an unsecured data transmission channel having a plurality of nodes coupled thereto, each of said nodes including a memory for storing encryption key words for use in encrypting said data packets, said method comprising the steps of:
periodically rendering said encryption key words stored at a host one of said nodes unusable for encryption;
generating at a key distribution (KDC) one of said nodes a new encryption key word;
assembling said new encryption key word into a key transfer (AO) data packet which is encrypted through use of a first master encryption key word unique to said host node;
transmitting said AO data packet from said KDC node to said host node; and
accessing the memory for storing the encryption key words at each of said nodes using procedures which preclude the transmission of a master encryption key word stored in said memory over said unsecured data transmission channel.

22. A method for transmitting data packets in a secure manner on an unsecured data transmission channel having a plurality of nodes coupled thereto, each of said nodes including a memory for storing encryption key words for use in encrypting said data packets, said method comprising the steps of:
periodically rendering said encryption key words stored at a host one of said nodes unusable for encryption;
generating at a key distribution (KDC) one of said nodes a new encryption key word;
assembling said new encryption key word into a key transfer (AO) data packet;
encrypting said AO data packet by encrypting said new encryption key word with an intermediate encryption key word included in said AO data packet after being encrypted with a first master encryption key word unique to said host node; and
transmitting said encrypted AO data packet from said KDC node to said host node.

23. A method for transmitting data packets in a secure manner on an unsecured data transmission channel having a plurality of nodes coupled thereto, each of said nodes including a memory for storing encryption key words for use in encrypting said data packets, said method comprising the steps of:
periodically rendering said encryption key words stored at a host one of said nodes unusable for encryption;
generating at a key distribution (KDC) one of said nodes a new encryption key word;
assembling said new encryption key word into a key transfer (AO) data packet which is encrypted through use of a first master key word unique to said host node;
assembling into said AO data packet at said KDC node a message field including said new encryption key word encrypted through use of a second master encryption key word unique to a target one of said nodes;
transmitting said AO data packet from said KDC node to said host node;
decrypting said AO data packet at said host node;
storing the decrypted new encryption key word in the memory of said host node in place of said unusable encryption key word;
assembling at said host node an association setup (AF) data packet including said encrypted message field taken from said AO data packet;
transmitting said AF data packet from said host node to said target node;
decrypting said AF data packet at said target node through use of said second master encryption key word; and
storing in the memory at said target node the new encryption key word obtained from said decrypted AF data packet.

25. A method for transmitting data packets in a secure manner on an unsecured data transmission channel having a plurality of nodes coupled thereto, said method comprising the steps of:
initializing a source one of said nodes, a destination one of said nodes, and a key distribution control one of said nodes;
placing the source and destination nodes in an operational state upon completion of the initialization step;
storing at the source node a transmission message data packet to be transmitted over the unsecured data transmission channel to a destination node;
determining at the source node existence of a valid association of the source and destination nodes;
determining at the key distribution control node the existence of a permitted association between the initialized source and destination nodes;
formulating at the key distribution control node an association open message including an association key for encrypting the transmission message data packet stored at the source node;
encrypting an association forward data packet field portion of the association open message with a first master key corresponding to the destination node;
encrypting the association open message with a second master key corresponding to the source node;
transmitting the encrypted association open message from the key distribution control node to the source node;
determining at the source node the message type and the encryption keys of the association open message;
decrypting the association open message at the source node with the second master key;
transmitting the association forward data packet field portion of the association open message including the first master key from the source node to the destination node;
decrypting the association forward message at the destination node with the first master key;
creating an association record for the source and destination nodes;
determining that the association key used by the source node and the destination node is identical for subsequent encryption and decryption of the transmission message data packets to be transferred between the source node and the destination node;
encrypting the transmission message data packet at the source node with the association key upon determining that the association key is the same for the source and destination node;
transmitting the encrypted transmission message data packet from the source node to the destination node;
decrypting the transmission message data packet at the destination node with the association key upon determining that the association key is the same as the association key at the source node; and
preparing and receiving a receive message at the destination node identical to the decrypted transmission message data packet.

27. A method for transmitting data packets in a secure manner on an unsecured data transmission channel having a plurality of nodes coupled thereto, said method comprising the steps of:
formulating an initialization request message at a source one of said nodes;
transmitting the formulated initialization request message to a key distribution control one of said nodes;
formulating an initialization message and a general information message at the key distribution control node;
transmitting the formulated initialization and general information messages to the source node and a destination one of said nodes;
transmitting a message acknowledging receipt of the initialization and general information messages by the source and destination nodes to the key distribution control node;
placing the source and destination nodes in an operational state subsequent to transmission of the message acknowledging receipt by the source and destination nodes;
storing at the source node a transmission message data packet to be transmitted over the unsecured data transmission channel to the destination node;
determining at the source node existence of a valid association of the source and destination nodes;
determining at the key distribution control node existence of a permitted association between the initialized source and destination nodes;
formulating at the key distribution control node an association open message including an association key for encrypting the transmission message data packet stored at the source node;
storing the association open message at the key distribution control node;
encrypting an association forward data packet field portion of the association open message with a first master key corresponding to the destination node;
encrypting the association open message with a second master key corresponding to the source node;
transmitting the encrypted association open message from the key distribution control node to the source node;
storing the association open message at the source node;
determining at the source node the message type and the encryption keys of the association open message;
decrypting the association open message at the source node with the second master key;
transmitting the association forward data packet field portion of the association open message including the first master key from the source node to the destination node;
storing the association forward message at the destination node;
decrypting the association forward message at the destination node with the first master key;
creating an association record for the source and destination nodes;
determining that the association key used by the source node and the destination node is identical for subsequent encryption and decryption of the transmission message data packets to be transferred between the source node and the destination node;
encrypting the transmission message data packet at the source node with the association key upon determining that the association key is the same for the source and destination nodes;
transmitting the encrypted transmission message data packet from the source node to the destination node;
storing the encrypted transmission message data packet at the destination node;
decrypting the stored transmission message data packet at the destination node with the association key upon determining that the key is the same as the association key at the source node; and
preparing and receiving a receive message at the destination node identical to the decrypted transmission message data packet.
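The AR/AO/AF key distribution cycle that claims 1, 23 and 25 describe, as an added Python example that is not code from the patent: the KDC holds every node's master key, answers a host's key request (AR) with an association-open (AO) packet that only the host's master key opens, and the association-forward (AF) field inside it, which only the target's master key opens, is forwarded by the host unchanged. The toy HMAC-based authenticated cipher, the 16-byte address field, the node names and the `send`/`demo` helpers are assumptions of this example, not part of the claims.

```python
import hashlib, hmac, secrets

# Toy authenticated stream cipher (HMAC-SHA256 keystream plus tag), constructed for this
# example only; it stands in for the cipher the claims leave unspecified.
def _xor(key, nonce, data):
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, pt):
    nonce = secrets.token_bytes(16); ct = _xor(key, nonce, pt)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("authentication failed")
    return _xor(key, nonce, ct)

def _name(s): return s.encode().ljust(16, b"\0")      # fixed-width node address field
class Node:                                           # assoc = the node's key memory
    def __init__(self, name, master): self.name, self.master, self.assoc = name, master, {}
class KDC:                                            # master keys never leave the KDC
    def __init__(self, masters): self.masters = masters
    def handle_ar(self, host, target):                # AR in, AO out (claims 1, 23, 25)
        k = secrets.token_bytes(32)                   # the new association key
        af = encrypt(self.masters[target], _name(host) + k)         # AF: only target opens it
        return encrypt(self.masters[host], _name(target) + k + af)  # AO: only host opens it

def host_open(host, ao):
    pt = decrypt(host.master, ao)
    target = pt[:16].rstrip(b"\0").decode(); host.assoc[target] = pt[16:48]  # K replaces old key
    return target, pt[48:]                            # AF field is forwarded unchanged
def target_accept(target, af):
    pt = decrypt(target.master, af)
    target.assoc[pt[:16].rstrip(b"\0").decode()] = pt[16:48]

def send(host, target, kdc, msg):
    if target.name not in host.assoc:                 # claim 1: no key stored -> send AR
        _, af = host_open(host, kdc.handle_ar(host.name, target.name))
        target_accept(target, af)                     # host forwards AF to the target
    return encrypt(host.assoc[target.name], msg)      # data packet under the association key

def demo():
    masters = {n: secrets.token_bytes(32) for n in "AB"}
    kdc, a, b = KDC(masters), Node("A", masters["A"]), Node("B", masters["B"])
    pkt = send(a, b, kdc, b"hello")                   # first call runs the AR/AO/AF cycle
    first = decrypt(b.assoc["A"], pkt)
    a.assoc.clear()                                   # key control: invalidate stored keys
    pkt = send(a, b, kdc, b"again")                   # forces a fresh AR/AO/AF round
    return first, decrypt(b.assoc["A"], pkt), a.assoc["B"] == b.assoc["A"]
```

Only the master key of the addressed node can open the AO packet or the AF field, so the AF field crosses the host without the host ever holding the target's master key, and clearing the host's key memory forces a fresh cycle rather than reuse of the old association key.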