Cryptographic processing in a communication network, using a single cryptographic engine

US 5,228,083 A
Filed: 10/13/1992
Issued: 07/13/1993
Est. Priority Date: 06/28/1991
Status: Expired due to Term

First Claim

Patent Images

1. A method for cryptographic processing of data outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the method comprising the steps of:

parsing to determine whether each outbound data packet received from the client interface must be cryptographically processed;

cryptographically processing, if necessary as determined in the preceding step, outbound data packets as they are received from the client interface;

parsing to determine whether each inbound data packet to be transmitted onto the client interface must be cryptographically processed;

cryptographically processing, if necessary as determined in the preceding step, inbound data packets as they are transmitted onto the client interface; and

storing inbound and outbound data packets in temporary buffer storage, as needed, before forwarding;

whereby only a single cryptographic engine is needed because the client interface cannot handle an outbound packet and an inbound packet at the same time.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device and related method for cryptographically processing data packets being forwarded in both directions between a communication network and a client interface, using only a single cryptographic engine, but without any degradation in latency or throughput performance, as compared with a device using two cryptographic engines Outbound data packets received from the client interface are immediately parsed to determine if cryptographic processing is required, and an appropriate portion of each packet may be cryptographically processed as the packet is received and stored in an outbound buffer memory, until forwarded onto the communication network. Inbound data packets received from the communication network are not immediately parsed but are stored in an inbound buffer memory until the client interface is available. Parsing and any needed cryptographic processing of an inbound packet is not performed until the client interface becomes available and the packet is retrieved from the inbound buffer memory for forwarding. Since the client buffer cannot receive an inbound packet at the same time that it is sending an outbound packet, the single cryptographic engine serves to process traffic in both directions.

115 Citations

13 Claims

1. A method for cryptographic processing of data outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the method comprising the steps of:
- parsing to determine whether each outbound data packet received from the client interface must be cryptographically processed;
  
  cryptographically processing, if necessary as determined in the preceding step, outbound data packets as they are received from the client interface;
  
  parsing to determine whether each inbound data packet to be transmitted onto the client interface must be cryptographically processed;
  
  cryptographically processing, if necessary as determined in the preceding step, inbound data packets as they are transmitted onto the client interface; and
  
  storing inbound and outbound data packets in temporary buffer storage, as needed, before forwarding;
  
  whereby only a single cryptographic engine is needed because the client interface cannot handle an outbound packet and an inbound packet at the same time.
- View Dependent Claims (2, 3)
- - 2. A method as defined in claim 1, wherein the step of storing inbound and outbound packets in temporary buffer storage includes:
    - storing inbound packets if the client interface is unavailable; and
      
      storing outbound packets if the communication network is unavailable.
  - 3. A method as defined in claim 2, and further comprising the steps of:
    - receiving a loopback packet from the client interface;
      
      immediately parsing and cryptographically processing the loopback packet, if necessary; and
      
      storing the loopback packet if the client interface is unavailable.

4. A method for cryptographic processing of data outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the method comprising the steps of:
- receiving inbound data packets from a communication network;
  
  determining for each received packet whether a client interface is available;
  
  if the client interface is unavailable, storing the inbound data packet until the client interface becomes available, then retrieving the packet;
  
  parsing the packet to determine whether it should be cryptographically processed, cryptographically processing the data packet if necessary, and transmitting the packet onto the client interface;
  
  receiving outbound data packets from the client interface;
  
  parsing each packet as it is received from the client interface;
  
  cryptographically processing each packet received from the client interface if processing is determined to be necessary by the preceding parsing step;
  
  determining whether the communication network is available;
  
  if the communication network is unavailable, storing the each outbound data packet until the communication network becomes available, then retrieving the outbound data packet; and
  
  transmitting the outbound data packet onto the communication network;
  
  whereby a single cryptographic engine is sufficient to perform the steps of cryptographically processing the data, because cryptographic processing of outbound packets is performed as the packets are received from the client interface, and processing of inbound packets is performed as the packets are transmitted to the client interface, but half-duplex operation of the client interface precludes the possibility of both these functions occurring at the same time.
- View Dependent Claims (5, 6)
- - 5. A method as defined in claim 4, and further comprising the steps of:
    - receiving a loopback packet from the client interface;
      
      immediately parsing and cryptographically processing the loopback packet, if parsing determines that such processing is necessary; and
      
      storing the loopback packet if the client interface in unavailable.
  - 6. A method as defined in claim 4, and further comprising, prior to transmitting a packet onto the client interface, the steps of:
    - parsing a portion of the packet before the client interface becomes available;
      
      storing the parsed portion of the packet in a first-in-first-out buffer, to be ready to transmit;
      
      retrieving data from the first-in-first-out buffer when the client interface becomes available; and
      
      beginning transmission of the retrieved data onto the client interface while additional data of the same packet is stored and retrieved in the first-in-first-out buffer.

7. Apparatus for cryptographic processing of data packets outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the apparatus comprising:
- means for parsing each outbound data packet to determine whether cryptographic processing is necessary and the type of processing to be performed;
  
  means for parsing each inbound data packet to determined whether processing is necessary and the type of processing to be performed;
  
  a single cryptographic engine, for cryptographically processing, if necessary, outbound data packets as they are received from the client interface and, if necessary, inbound data packets as they are transmitted onto the client interface; and
  
  buffer storage means for storing, as needed, inbound and outbound data packets before forwarding;
  
  whereby only a single cryptographic engine is needed because the client interface cannot handle an outbound packet and an inbound packet at the same time.
- View Dependent Claims (8, 9)
- - 8. Apparatus as defined in claim 7, wherein the buffer storage means includes:
    - means for storing inbound packets if the client interface is unavailable; and
      
      means for storing outbound packets if the communication network is unavailable.
  - 9. Apparatus as defined in claim 8, and further comprising;
    - means for storing a loopback data packet received from the client interface and cryptographically processed as needed in the cryptographic engine, until the client interface is available.

10. Apparatus for cryptographic processing of data packets outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the apparatus comprising:
- means for receiving inbound data packets from a communication network;
  
  means for determining whether the client interface is available;
  
  means for storing each inbound data packet if the client interface is unavailable;
  
  means operable when the client interface becomes available, for retrieving a stored data packet;
  
  means for parsing each inbound packet to determine whether it should be cryptographically processed;
  
  a cryptographic engine, operable to cryptographically process the inbound data packet if necessary as determined by the means for parsing each inbound packet;
  
  means for transmitting the inbound data packet onto the client interface;
  
  means for receiving outbound data packets from the client interface;
  
  means for parsing each outbound data packet as it is received from the client interface, and for forwarding each packet for processing in the cryptographic engine, if necessary;
  
  means for determining whether the communication network is available;
  
  means for storing each outbound data packet if the communicating network is unavailable;
  
  means operable when the communication network becomes available, for retrieving a stored data packet and transmitting it onto the communication network;
  
  whereby a single cryptographic engine is sufficient to perform cryptographic processing of the data, because cryptographic processing of outbound packets is performed as the packets are received from the client interface, and processing of inbound packets is performed as the packets are transmitted to the client interface, but half-duplex operation of the client interface precludes the possibility of both these functions occurring at the same time.
- View Dependent Claims (11, 12, 13)
- - 11. Apparatus as defined in claim 10, and further comprising:
    - means for storing a loopback data packet;
      
      and wherein the means for receiving and parsing outbound packets also serve to receive and parse loopback packets as received from the client interface, and the cryptographic engine also serves to cryptographically process loopback packets, as necessary.
  - 12. Apparatus as defined in claim 11, and further comprising:
    - a high-speed data bus providing bidirectional access to the means for storing data packets.
  - 13. Apparatus as defined in claim 10, and further comprising:
    - a first-in-first-out buffer, for storing a portion of an inbound data packet prior to its transmission onto the client interface;
      
      means for initiating parsing of a portion of the packet before the client interface becomes available, wherein the parsed portion of the packet is stored in the first-in-first-out buffer, to be ready to transmit; and
      
      means for retrieving data from the first-in-first-out buffer when the client interface becomes available, and beginning transmission of the retrieved data onto the client interface while additional data of the same packet is stored and retrieved in the first-in-first-out buffer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Digital Equipment Corporation (HP Inc.)
Inventors
Ben-Michael, Siman-Tov, Lozowick, Philip P.
Primary Examiner(s)
CANGIALOSI, SALVATORE A

Application Number

US07/960,308
Time in Patent Office

273 Days
Field of Search

380/9, 380/21, 380/50
US Class Current

713/160
CPC Class Codes

G06F 21/00   Security arrangements for p...

G09C 1/00   Apparatus or methods whereb...

H04L 12/40143   involving priority mechanis...

H04L 63/0428   wherein the data content is...

H04L 63/20   for managing network securi...

H04L 9/40   Network security protocols

Cryptographic processing in a communication network, using a single cryptographic engine

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic processing in a communication network, using a single cryptographic engine

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links