Cryptographic processing in a communication network, using a single cryptographic engine
Abstract
A device and related method for cryptographically processing data packets being forwarded in both directions between a communication network and a client interface, using only a single cryptographic engine, but without any degradation in latency or throughput performance as compared with a device using two cryptographic engines. Outbound data packets received from the client interface are immediately parsed to determine if cryptographic processing is required, and an appropriate portion of each packet may be cryptographically processed as the packet is received and stored in an outbound buffer memory, until forwarded onto the communication network. Inbound data packets received from the communication network are not immediately parsed but are stored in an inbound buffer memory until the client interface is available. Parsing and any needed cryptographic processing of an inbound packet is not performed until the client interface becomes available and the packet is retrieved from the inbound buffer memory for forwarding. Since the client interface cannot receive an inbound packet at the same time that it is sending an outbound packet, the single cryptographic engine serves to process traffic in both directions.
13 Claims
1. A method for cryptographic processing of data outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the method comprising the steps of:
parsing to determine whether each outbound data packet received from the client interface must be cryptographically processed;
cryptographically processing, if necessary as determined in the preceding step, outbound data packets as they are received from the client interface;
parsing to determine whether each inbound data packet to be transmitted onto the client interface must be cryptographically processed;
cryptographically processing, if necessary as determined in the preceding step, inbound data packets as they are transmitted onto the client interface; and
storing inbound and outbound data packets in temporary buffer storage, as needed, before forwarding;
whereby only a single cryptographic engine is needed because the client interface cannot handle an outbound packet and an inbound packet at the same time.
Dependent claims: 2, 3

4. A method for cryptographic processing of data outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the method comprising the steps of:
receiving inbound data packets from a communication network;
determining for each received packet whether a client interface is available;
if the client interface is unavailable, storing the inbound data packet until the client interface becomes available, then retrieving the packet;
parsing the packet to determine whether it should be cryptographically processed, cryptographically processing the data packet if necessary, and transmitting the packet onto the client interface;
receiving outbound data packets from the client interface;
parsing each packet as it is received from the client interface;
cryptographically processing each packet received from the client interface if processing is determined to be necessary by the preceding parsing step;
determining whether the communication network is available;
if the communication network is unavailable, storing each outbound data packet until the communication network becomes available, then retrieving the outbound data packet; and
transmitting the outbound data packet onto the communication network;
whereby a single cryptographic engine is sufficient to perform the steps of cryptographically processing the data, because cryptographic processing of outbound packets is performed as the packets are received from the client interface, and processing of inbound packets is performed as the packets are transmitted to the client interface, but half-duplex operation of the client interface precludes the possibility of both these functions occurring at the same time.
Dependent claims: 5, 6

7. Apparatus for cryptographic processing of data packets outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the apparatus comprising:
means for parsing each outbound data packet to determine whether cryptographic processing is necessary and the type of processing to be performed;
means for parsing each inbound data packet to determine whether processing is necessary and the type of processing to be performed;
a single cryptographic engine, for cryptographically processing, if necessary, outbound data packets as they are received from the client interface and, if necessary, inbound data packets as they are transmitted onto the client interface; and
buffer storage means for storing, as needed, inbound and outbound data packets before forwarding;
whereby only a single cryptographic engine is needed because the client interface cannot handle an outbound packet and an inbound packet at the same time.
Dependent claims: 8, 9

10. Apparatus for cryptographic processing of data packets outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the apparatus comprising:
means for receiving inbound data packets from a communication network;
means for determining whether the client interface is available;
means for storing each inbound data packet if the client interface is unavailable;
means operable when the client interface becomes available, for retrieving a stored data packet;
means for parsing each inbound packet to determine whether it should be cryptographically processed;
a cryptographic engine, operable to cryptographically process the inbound data packet if necessary as determined by the means for parsing each inbound packet;
means for transmitting the inbound data packet onto the client interface;
means for receiving outbound data packets from the client interface;
means for parsing each outbound data packet as it is received from the client interface, and for forwarding each packet for processing in the cryptographic engine, if necessary;
means for determining whether the communication network is available;
means for storing each outbound data packet if the communication network is unavailable;
means operable when the communication network becomes available, for retrieving a stored data packet and transmitting it onto the communication network;
whereby a single cryptographic engine is sufficient to perform cryptographic processing of the data, because cryptographic processing of outbound packets is performed as the packets are received from the client interface, and processing of inbound packets is performed as the packets are transmitted to the client interface, but half-duplex operation of the client interface precludes the possibility of both these functions occurring at the same time.
Dependent claims: 11, 12, 13
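The scheduling argument made in the abstract and in claims 1 and 4 (outbound packets are processed as they arrive from the client interface, inbound packets are buffered unparsed and processed only when the half-duplex interface is free to carry them to the client, so one engine can never be asked to serve both directions at once) can be checked with a small time-stepped model. The following Python is an added illustration written for this page; it is not code from the patent or its assignee, and every class, function and traffic schedule in it is an assumption constructed for the demonstration. The engine logs the tick and direction of every packet it handles, and each packet records when it was parsed, so the deferred inbound parsing is visible in the result.

```python
from collections import Counter, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    seq: int
    direction: str            # "outbound" (client -> network) or "inbound" (network -> client)
    needs_crypto: bool        # what the parsing step will discover; constructed demo input
    parsed_at: Optional[int] = None
    processed: bool = False


class SingleCryptoEngine:
    """The one engine. Records (tick, direction) for every packet it processes."""

    def __init__(self):
        self.usage = []

    def process(self, tick, pkt):
        self.usage.append((tick, pkt.direction))
        pkt.processed = True

    def max_packets_per_tick(self):
        """1 means the engine never had to serve two packets in the same tick."""
        return max(Counter(t for t, _ in self.usage).values(), default=0)


def parse(tick, pkt):
    """Parsing step. A real device inspects headers; this model reads the constructed
    flag and records when parsing happened, to show that inbound parsing is deferred."""
    pkt.parsed_at = tick
    return pkt.needs_crypto


class Device:
    def __init__(self):
        self.engine = SingleCryptoEngine()
        self.outbound_buffer = deque()   # already-processed outbound packets awaiting the network
        self.inbound_buffer = deque()    # unparsed inbound packets awaiting the client interface
        self.to_network = []
        self.to_client = []

    def network_receive(self, pkt):
        # Inbound packets are buffered immediately, without parsing (abstract, sentence 3).
        self.inbound_buffer.append(pkt)

    def tick(self, t, client_sending, network_available):
        """One time step. `client_sending` is the outbound Packet the client puts on the
        half-duplex interface this tick, or None when the client is quiet. The if/elif is
        the half-duplex constraint: the interface carries traffic in one direction per tick."""
        if client_sending is not None:
            # Outbound: parse and process as the packet is received, then buffer it.
            if parse(t, client_sending):
                self.engine.process(t, client_sending)
            self.outbound_buffer.append(client_sending)
        elif self.inbound_buffer:
            # Inbound: the interface is free, so dequeue, parse, process and transmit now.
            pkt = self.inbound_buffer.popleft()
            if parse(t, pkt):
                self.engine.process(t, pkt)
            self.to_client.append(pkt)
        if network_available and self.outbound_buffer:
            self.to_network.append(self.outbound_buffer.popleft())


def run_simulation():
    """Constructed traffic: inbound packets arrive while the client is still sending,
    so the inbound side has to wait in its buffer until the interface is free."""
    dev = Device()
    inbound_arrivals = {0: [Packet(100, "inbound", True), Packet(101, "inbound", False)],
                        1: [Packet(102, "inbound", True)]}
    outbound_sends = {0: Packet(1, "outbound", True),
                      1: Packet(2, "outbound", True),
                      2: Packet(3, "outbound", False)}
    network_busy_ticks = {0, 1}          # network link unavailable on these ticks
    for t in range(8):
        for pkt in inbound_arrivals.get(t, []):
            dev.network_receive(pkt)
        dev.tick(t, outbound_sends.get(t), t not in network_busy_ticks)
    return dev


if __name__ == "__main__":
    dev = run_simulation()
    print("engine usage (tick, direction):", dev.engine.usage)
    print("peak packets per tick on the single engine:", dev.engine.max_packets_per_tick())
    print("inbound packet 100 arrived at tick 0, parsed at tick", dev.to_client[0].parsed_at)
```

With this schedule the engine works on ticks 0 and 1 for outbound packets and on ticks 3 and 5 for inbound packets, never twice in one tick, and inbound packet 100, which arrived at tick 0, is not parsed until tick 3 when the client interface is free. The model charges one tick per packet on the engine; the abstract's claim of no latency or throughput penalty relative to a two-engine design rests on the engine keeping up with the interface's line rate, which is the parameter a practitioner would want to measure on real hardware.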
Specification