Key management for encrypted packet based networks
Abstract
In a packet based communication network 10, a key management center 20 is used to distribute cryptographic keys for either a switched virtual circuit or a permanent virtual circuit. The disclosed methods allow the key management center 20 to communicate directly with the data encryption/decryption devices (DEs) 14 even though they operate in a transparent mode (rather than a store and forward mode). This is accomplished by balancing link counters with calls to fictitious addresses and/or use of interrupt packets transferred between the DTE 12 and the DE 14. In permanent virtual circuits, the MAC of the last packet transmitted under the old cryptographic key is exchanged to synchronize the key change.
Claims

1. In a packet switched network, a method for changing keys used for encrypted switched virtual circuit communication between a first Data Terminal Equipment (DTE) and a second DTE, said first and second DTE having an associated first and second encryption device, comprising the steps of:
- issuing a call request packet from said first DTE to said second DTE;
- intercepting said call request packet at said first encryption device and substituting a call request for a key management center;
- transferring a key from said key management center to said first DTE;
- balancing counters at a link associated with said first DTE and first encryption device using a dummy packet in order to make frame send and receive sequence numbers equal and packet send and receive sequence numbers equal;
- establishing a channel between said first and second data encrypters; and
- transferring a key from said first data encrypter to said second encrypter.

2. In a packet switched network, a method for changing keys used for encrypted permanent virtual circuit communication between a first Data Terminal Equipment (DTE) and a second DTE, said first and second DTE having an associated first and second encryption device, comprising the steps of:
- issuing a call request packet from a key management center to said first encryption device;
- issuing a call request packet from said key management center to said second encryption device;
- from said key management center, sending a stop packet flow message from said first DTE to said second DTE and obtaining a last MAC from said first data encryption device and transferring a new key to said first data encryption device;
- from said key management center, sending a stop packet flow message from said second DTE to said first DTE and obtaining a last MAC from said second data encryption device and transferring a new key to said first data encryption device;
- from said key management center, sending a restart packet flow message to restart packet flow between said first and second DTE; and
- balancing link counters at said first and second links by transmission of dummy packets in order to make frame send and receive sequence numbers equal and packet send and receive sequence numbers equal.
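The permanent virtual circuit key change of claim 2 and the abstract, as an added Python simulation that is not part of the patent: the key management center stops the flow, obtains the MAC of the last packet sent under the old key, hands the sending DE the new key, and the receiving DE keeps verifying under the old key until the packet carrying that MAC arrives, so packets already in flight are not rejected. The HMAC construction, modelling only one direction of flow, and the receiving DE learning the marker MAC from the center are assumptions; link counter balancing is not modelled.

```python
import hmac, hashlib
def mac(key, seq, payload):
    # Truncated HMAC-SHA256 stands in for the patent's unspecified MAC (assumption).
    return hmac.new(key, seq.to_bytes(2, "big") + payload, hashlib.sha256).digest()[:8]

class DataEncrypter:   # one DE on a PVC, modelled for a single direction of flow
    def __init__(self, key):
        self.tx_key = self.rx_key = key
        self.seq, self.flow_stopped = 0, False
        self.last_tx_mac = None          # MAC of the last packet sent under tx_key
        self.pending_rx_key = self.switch_after_mac = None   # armed by the KMC

    def send(self, payload):
        if self.flow_stopped:
            raise RuntimeError("packet flow stopped by key management center")
        tag = mac(self.tx_key, self.seq, payload)
        self.last_tx_mac, self.seq = tag, self.seq + 1
        return (self.seq - 1, payload, tag)

    def receive(self, pkt):
        seq, payload, tag = pkt
        # Packets still in flight were protected under the old key, so verify with rx_key.
        if not hmac.compare_digest(tag, mac(self.rx_key, seq, payload)):
            raise ValueError("MAC mismatch on seq %d" % seq)
        if tag == self.switch_after_mac:     # marker packet seen: switch to the new key
            self.rx_key, self.pending_rx_key, self.switch_after_mac = self.pending_rx_key, None, None
        return payload

def kmc_rekey(sender, receiver, new_key):
    """Key management center steps of claim 2 for the sender -> receiver direction."""
    sender.flow_stopped = True               # "stop packet flow" message
    last_mac = sender.last_tx_mac            # obtain the last MAC under the old key
    sender.tx_key = new_key                  # transfer the new key to the sending DE
    if last_mac is None:                     # nothing sent yet: receiver switches at once
        receiver.rx_key = new_key
    else:                                    # receiver switches after the marker (assumption)
        receiver.pending_rx_key, receiver.switch_after_mac = new_key, last_mac
    sender.flow_stopped = False              # "restart packet flow" message

def simulate():   # rekey with two old-key packets in flight; return key used per packet
    old, new = b"old-key", b"new-key"
    a, b = DataEncrypter(old), DataEncrypter(old)
    link = [a.send(b"p1"), a.send(b"p2")]     # constructed traffic, in flight at rekey
    kmc_rekey(a, b, new)
    link.append(a.send(b"p3"))                # first packet under the new key
    used = []
    for pkt in link:
        used.append(b.rx_key)
        b.receive(pkt)
    return used
```

Running simulate() shows the receiver verifying the two in-flight packets under the old key and only the third under the new one.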