Computer network with modified host-to-host encryption keys

US 5,268,962 A
Filed: 07/21/1992
Issued: 12/07/1993
Est. Priority Date: 07/21/1992
Status: Expired due to Term

First Claim

Patent Images

1. A computer network packet receiver, coupled to a first host computer and to a computer network from which data packets originated by other host computers are received, said computer network packet receiver comprising:

key storage means for storing a master key;

receiver means coupled to said computer network for receiving data packets, wherein each received data packet includes (A) a first, unencrypted portion in which is stored a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, (B) an encrypted host-to-host key, and (C) a second portion that is encrypted;

logic means, coupled to said receiver means and said key storage means, for (A) extracting from each received data packet said buffer queue value, (B) decrypting with said master key said encrypted host-to-host key in said each received data packet, and (C) generating a corresponding decryption key by computing a predefined combination of (1) said extracted buffer queue value and (2) said decrypted host-to-host key for said each received data packet;

packet processing means, coupled to said logic means, for decrypting said second portion of said each received data packet using said corresponding decryption key generated by said logic means, and for delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet'"'"'s buffer queue value.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a computer network, each pair of host computers that need to exchange data packets establish a single host-to-host encryption/decryption key. Then, whenever one host computer sends a data packet to the other host computer, it first forms a predefined logical combination of the established host-to-host key and the destination buffer index to which the data packet is being sent, and then uses the resulting value to encrypt the secure portions of the data packet. The destination buffer index is included in the data packet'"'"'s header, which is not encrypted. When the receiving host computer receives the encrypted data packet, it reads the destination buffer index from the packet header, forms the same predefined logical combination of the established host-to-host key and the destination buffer index to generate a decryption key, and uses the computed decryption key to decrypt the secure portions of the received data packet. If the destination buffer index in the received data packet has been modified either by noise or by an interloper, the decryption key computed by the receiving host computer will be different from the encryption key used by the sending host computer, and therefore the portions of the received data packet decrypted using the computed decryption key will be unintelligible. Thus, interlopers are prevented from breaching the confidentiality of encrypted data.

81 Citations

View as Search Results

26 Claims

1. A computer network packet receiver, coupled to a first host computer and to a computer network from which data packets originated by other host computers are received, said computer network packet receiver comprising:
- key storage means for storing a master key;
  
  receiver means coupled to said computer network for receiving data packets, wherein each received data packet includes (A) a first, unencrypted portion in which is stored a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, (B) an encrypted host-to-host key, and (C) a second portion that is encrypted;
  
  logic means, coupled to said receiver means and said key storage means, for (A) extracting from each received data packet said buffer queue value, (B) decrypting with said master key said encrypted host-to-host key in said each received data packet, and (C) generating a corresponding decryption key by computing a predefined combination of (1) said extracted buffer queue value and (2) said decrypted host-to-host key for said each received data packet;
  
  packet processing means, coupled to said logic means, for decrypting said second portion of said each received data packet using said corresponding decryption key generated by said logic means, and for delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet'"'"'s buffer queue value.
- View Dependent Claims (2, 3, 4)
- - 2. The network packet receiver of claim 1,each received data packet incorporating an embedded error checking value to enable error checking thereof;
    - said packet processing means including means for error checking said each received data packet as it is delivered to said first host computer.
  - 3. The network packet receiver of claim 1,each received data packet incorporating an embedded error checking value to enable error checking thereof;
    - said packet processing means including pipelined decryption means and error checking means that, respectively, decrypt the encrypted portion of said each received data packet and error check said each received data packet as said each received data packet is delivered to said first host computer;
      
      wherein said packet processing means includes means for delivering portions of said each received data packet to said first host computer before said error checking means error checks other portions of said each received packet.
  - 4. The network packet receiver of claim 1, wherein said logic means generates said corresponding decryption key by exclusive ORing said extracted buffer queue value with said decrypted host-to-host key for said each received data packet.

5. A computer network packet receiver, coupled to a first host computer and to a computer network from which data packets originated by other host computers are received, said computer network packet receiver comprising:
- key storage means for storing a distinct host-to-host key for each host computer from which said computer network packet receiver may receive data packets;
  
  receiver means coupled to said computer network for receiving data packets, wherein each received data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating which other host computer originated said data packet and a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, and (B) a second portion that is encrypted;
  
  logic means, coupled to said receiver means and said key storage means, for (A) extracting from each received data packet said buffer queue value, (B) retrieving from said key storage means the host-to-host key corresponding to the host computer that originated said each received data packet, and (C) generating a corresponding decryption key by computing a predefined combination of (1) said extracted buffer queue value and (2) said retrieved host-to-host key for said each received data packet;
  
  packet processing means, coupled to said logic means, for decrypting said second portion of said each received data packet using said corresponding decryption key generated by said logic means, and for delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet'"'"'s buffer queue value.
- View Dependent Claims (6, 7, 8)
- - 6. The network packet receiver of claim 5,each received data packet incorporating an embedded error checking value to enable error checking thereof;
    - said packet processing means including means for error checking said each received data packet as it is delivered to said first host computer.
  - 7. The network packet receiver of claim 5,each received data packet incorporating an embedded error checking value to enable error checking thereof;
    - said packet processing means including pipelined decryption means and error checking means that, respectively, decrypt the encrypted portion of said each received data packet and error check said each received data packet as said each received data packet is delivered to said first host computer;
      
      wherein said packet processing means includes means for delivering portions of said each received data packet to said first host computer before said error checking means error checks other portions of said each received packet.
  - 8. The network packet receiver of claim 5, wherein said logic means generates said corresponding decryption key by exclusive ORing said extracted buffer queue value with said retrieved host-to-host key for said each received data packet.

9. A computer network packet receiver, coupled to a first host computer and to a computer network from which data packets originated by other host computers are received, said computer network packet receiver comprising:
- means for establishing a host-to-host key for each host computer from which said computer network packet receiver may receive data packets;
  
  receiver means coupled to said computer network for receiving data packets, wherein each received data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating which other host computer originated said data packet and a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, and (B) a second portion that is encrypted;
  
  logic means, coupled to said receiver means and said key storage means, including means for extracting from each received data packet said buffer queue value, means for determining said established host-to-host key corresponding to the host computer that originated said each received data packet, and decryption key generating means for generating a corresponding decryption key by computing a predefined combination of (1) said extracted buffer queue value and (2) said determined host-to-host key for said each received data packet;
  
  packet processing means, coupled to said logic means, for decrypting said second portion of said each received data packet using said corresponding decryption key generated by said logic means, and for delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet'"'"'s buffer queue value.
- View Dependent Claims (10)
- - 10. The network packet receiver of claim 9, wherein said logic means generates said corresponding decryption key by exclusive ORing said extracted buffer queue value with said determined host-to-host key for said each received data packet.

11. A computer system, comprising:
- a multiplicity of host computers, each host computer having a corresponding network controller that couples said host computer to a common computer network;
  
  means for establishing, for each pair of host computers of said multiplicity of host computers that will transmit data packets therebetween, a host-to-host encryption key;
  
  each network controller including packet transmitting means for transmitting data packets, originated by its corresponding host computer, to other ones of said multiplicity of host computers via said computer network, and packet receiving means coupled to said computer network for receiving data packets;
  
  wherein each transmitted data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating that said corresponding host computer originated said data packet and a buffer queue value corresponding to a memory address in a specified one of said multiplicity of host computers to which said data packet is to be delivered, and (B) a second portion that is encrypted;
  
  said packet transmitting means of said each network controller including means for encrypting said second portion of each data packet transmitted thereby using an encryption key comprising a predefined combination of (1) said transmitted data packet'"'"'s buffer queue value and (2) said established host-to-host encryption key corresponding to the pair of host computers comprising said originating host computer and said specified one of said multiplicity of host computers to which said data packet is being transmitted;
  
  said packet receiving means of said each network controller including first logic means for extracting from each received data packet said buffer queue value, second logic means for determining said established host-to-host encryption key corresponding to the one of said multiplicity of host computers that originated said each received data packet, and decryption key generating means for generating a corresponding decryption key by computing said predefined combination of (1) said extracted buffer queue value and (2) said determined host-to-host encryption key for said each received data packet;
  
  said packet receiving means of said each network controller further including packet processing means, for decrypting said second portion of said each received data packet using said corresponding decryption key generated by said decryption key generating means, and for delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said network controller'"'"'s host computer corresponding to said each received data packet'"'"'s buffer queue value.
- View Dependent Claims (12, 13, 14)
- - 12. The computer system of claim 11,each said transmitted data packet incorporating an embedded error checking value to enable error checking thereof;
    - each said packet receiving means including means for error checking said each received data packet as it is delivered to said network controller'"'"'s host computer.
  - 13. The computer system of claim 11,each said transmitted data packet incorporating an embedded error checking value to enable error checking thereof;
    - said packet receiving means including pipelined decryption means and error checking means that, respectively, decrypt the encrypted portion of said each received data packet and error check said each received data packet as said each received data packet is delivered to said network controller'"'"'s host computer;
      
      wherein said packet processing means includes means for delivering portions of said each received data packet to said first host computer before said error checking means error checks other portions of said each received packet.
  - 14. The network packet receiver of claim 11, wherein said predefined combination of said extracted buffer queue value and said determined host-to-host encryption key for said each received data packet comprises said extracted buffer queue value exclusive ORed with said determined host-to-host key for said each received data packet.

15. A method of receiving at a first host computer data packets originated by other host computers and transmitted therebetween via a communications network, the steps of the method comprising:
- receiving at said first host computer data packets from said communications network, wherein each received data packet includes (A) a first, unencrypted portion in which is stored a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, (B) an encrypted host-to-host key, and (C) a second portion that is encrypted;
  
  extracting from each received data packet said buffer queue value;
  
  decrypting, using a predefined master key, said encrypted host-to-host key in said each received data packet;
  
  generating a decryption key corresponding to said each received data packet by computing a predefined combination of (1) said extracted buffer queue value and (2) said decrypted host-to-host key for said each received data packet;
  
  decrypting said second portion of said each received data packet using said corresponding decryption key computed by said generating step, and delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet'"'"'s buffer queue value.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, said each received data packet incorporating an embedded error checking value to enable error checking thereof;
    - said method further including;
      
      error checking said each received data packet as it is delivered to said first host computer; and
      
      delivering portions of said each received data packet to said first host computer before said error checking step error checks other portions of said each received packet.
  - 17. The method of claim 15,said generating step including exclusive ORing said extracted buffer queue value with said decrypted host-to-host key for said each received data packet.

18. A method of receiving at a first host computer data packets originated by other host computers and transmitted therebetween via a communications network, the steps of the method comprising:
- storing, in a memory device associated with said first host computer, a distinct host-to-host key for each other host computer from which said first host computer may receive data packets;
  
  receiving at said first host computer data packets from said communications network, wherein each received data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating which other host computer originated said data packet and a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, and (B) a second portion that is encrypted;
  
  extracting from each received data packet said buffer queue value;
  
  retrieving from said memory device the host-to-host key corresponding to the other host computer that originated said each received data packet;
  
  generating a decryption key corresponding to said each received data packet by computing a predefined combination of (1) said extracted buffer queue value and (2) said retrieved host-to-host key for said each received data packet;
  
  decrypting said second portion of said each received data packet using said corresponding decryption key computed by said generating step, and delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet'"'"'s buffer queue value.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, said each received data packet incorporating an embedded error checking value to enable error checking thereof;
    - said method further including;
      
      error checking said each received data packet as it is delivered to said first host computer; and
      
      delivering portions of said each received data packet to said first host computer before said error checking step error checks other portions of said each received packet.
  - 20. The method of claim 18,said generating step including exclusive ORing said extracted buffer queue value with said retrieved host-to-host key for said each received data packet.

21. A method of receiving at a first host computer data packets originated by other host computers and transmitted therebetween via a communications network, the steps of the method comprising:
- establishing a single host-to-host key for each host computer from which said first host computer may receive data packets;
  
  receiving at said first host computer data packets from said communications network, wherein each received data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating which other host computer originated said data packet and a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, and (B) a second portion that is encrypted;
  
  extracting from each received data packet said buffer queue value;
  
  determining said established host-to-host key corresponding to the host computer that originated said each received data packet;
  
  generating a decryption key corresponding to said each received data packet by computing a predefined combination of (1) said extracted buffer queue value and (2) said determined host-to-host key for said each received data packet;
  
  decrypting said second portion of said each received data packet using said corresponding decryption key computed by said generating step, and delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet'"'"'s buffer queue value.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, said each received data packet incorporating an embedded error checking value to enable error checking thereof;
    - said method further including;
      
      error checking said each received data packet as it is delivered to said first host computer; and
      
      delivering portions of said each received data packet to said first host computer before said error checking step error checks other portions of said each received packet.
  - 23. The method of claim 21,said generating step including exclusive ORing said extracted buffer queue value with said determined host-to-host key for said each received data packet.

24. A method of transmitting data packets between a multiplicity of host computers via a communications network, the steps of the method comprising:
- establishing, for each pair of host computers of said multiplicity of host computers that will transmit data packets therebetween, a host-to-host encryption key;
  
  each host computer transmitting data packets to other ones of said multiplicity of host computers via said communications network;
  
  each transmitted data packet including (A) a first, unencrypted portion in which is stored source identifying data including an originating host computer, comprising a first one of said multiplicity of host computers that originated said data packet, and a buffer queue value corresponding to a memory address in a destination host computer, comprising a second one of said multiplicity of host computers to which said data packet is to be delivered, and (B) a second portion;
  
  before transmitting each said data packet, encrypting said second portion of said each data packet using an encryption key comprising a predefined combination of (1) said each data packet'"'"'s buffer queue value and (2) said established host-to-host encryption key corresponding to the pair of host computers comprising said originating host computer and said destination host computer associated with said each data packet;
  
  upon receiving a data packet at any one of said multiplicity of host computers;
  
  extracting from each received data packet said buffer queue value;
  
  determining said established host-to-host encryption key corresponding to the one of said multiplicity of host computers that originated said each received data packet;
  
  generating a decryption key by computing a predefined combination of (1) said extracted buffer queue value and (2) said determined host-to-host encryption key for said received data packet;
  
  decrypting said second portion of said each received data packet using said generated decryption key; and
  
  delivering said received data packet, with said second portion decrypted, to said memory address in said network controller'"'"'s host computer corresponding to said received data packet'"'"'s buffer queue value.
- View Dependent Claims (25, 26)
- - 25. The method of claim 24, each said data packet incorporating an embedded error checking value to enable error checking thereof;
    - said method further including;
      
      error checking each said received data packet as it is delivered; and
      
      delivering portions of each said received data packet to said first host computer before said error checking step error checks other portions of each said received packet.
  - 26. The method of claim 24,said generating step including exclusive ORing said extracted buffer queue value with said determined host-to-host key for said each received data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Digital Equipment Corporation (HP Inc.)
Inventors
Burrows, Michael, Abadi, Martin, Lampson, Butler
Primary Examiner(s)
Hellner, Mark

Application Number

US07/917,870
Time in Patent Office

504 Days
Field of Search

380/21, 380/25, 380/29, 380/49
US Class Current

713/161
CPC Class Codes

H04L 2209/125   Parallelization or pipelini...

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 9/0838   Key agreement, i.e. key est...

Computer network with modified host-to-host encryption keys

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

Computer network with modified host-to-host encryption keys

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others