Computer network with modified host-to-host encryption keys
Abstract
In a computer network, each pair of host computers that need to exchange data packets establish a single host-to-host encryption/decryption key. Then, whenever one host computer sends a data packet to the other host computer, it first forms a predefined logical combination of the established host-to-host key and the destination buffer index to which the data packet is being sent, and then uses the resulting value to encrypt the secure portions of the data packet. The destination buffer index is included in the data packet's header, which is not encrypted. When the receiving host computer receives the encrypted data packet, it reads the destination buffer index from the packet header, forms the same predefined logical combination of the established host-to-host key and the destination buffer index to generate a decryption key, and uses the computed decryption key to decrypt the secure portions of the received data packet. If the destination buffer index in the received data packet has been modified either by noise or by an interloper, the decryption key computed by the receiving host computer will be different from the encryption key used by the sending host computer, and therefore the portions of the received data packet decrypted using the computed decryption key will be unintelligible. Thus, interlopers are prevented from breaching the confidentiality of encrypted data.
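The exchange described in the abstract, as an added example that is not code from the patent: the sender and receiver each derive the packet key from the host-to-host key and the clear-text buffer index, and a packet whose index was changed in transit decrypts to different bytes. Assumptions: the header layout, the use of HMAC-SHA256 as the "predefined combination", the SHA-256 counter keystream standing in for the cipher, and all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed header layout (assumption): 2-byte source host id, 4-byte buffer queue index.
HEADER = struct.Struct(">HI")

def derive_packet_key(host_key: bytes, buffer_index: int) -> bytes:
    """Assumed 'predefined combination': HMAC-SHA256 of the index under the host key."""
    return hmac.new(host_key, struct.pack(">I", buffer_index), hashlib.sha256).digest()

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the demo only (no per-packet nonce): XOR with a
    SHA-256 counter keystream. Encryption and decryption are the same call."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def send(host_key: bytes, src: int, buffer_index: int, payload: bytes) -> bytes:
    """Sender: clear header, payload encrypted under the index-bound key."""
    key = derive_packet_key(host_key, buffer_index)
    return HEADER.pack(src, buffer_index) + _keystream_xor(key, payload)

def receive(host_keys: dict, packet: bytes):
    """Receiver: look up the sender's key, rebuild the packet key from the header index."""
    src, buffer_index = HEADER.unpack_from(packet)
    key = derive_packet_key(host_keys[src], buffer_index)
    return buffer_index, _keystream_xor(key, packet[HEADER.size:])

def rewrite_index(packet: bytes, new_index: int) -> bytes:
    """Model noise or an interloper changing only the clear-text buffer index."""
    src, _ = HEADER.unpack_from(packet)
    return HEADER.pack(src, new_index) + packet[HEADER.size:]

if __name__ == "__main__":
    keys = {7: b"constructed-host-to-host-key"}  # receiver's table, keyed by source host
    pkt = send(keys[7], src=7, buffer_index=3, payload=b"constructed payload")
    print(receive(keys, pkt))                    # index 3 and the original payload
    print(receive(keys, rewrite_index(pkt, 9)))  # index 9 and unintelligible bytes
```

`receive` returns bytes in both cases: in the scheme as the abstract describes it, a modified index shows up only as unintelligible plaintext, so a caller that needs an explicit rejection has to add its own integrity check.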
26 Claims
1. A computer network packet receiver, coupled to a first host computer and to a computer network from which data packets originated by other host computers are received, said computer network packet receiver comprising:
key storage means for storing a master key;
receiver means coupled to said computer network for receiving data packets, wherein each received data packet includes (A) a first, unencrypted portion in which is stored a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, (B) an encrypted host-to-host key, and (C) a second portion that is encrypted;
logic means, coupled to said receiver means and said key storage means, for (A) extracting from each received data packet said buffer queue value, (B) decrypting with said master key said encrypted host-to-host key in said each received data packet, and (C) generating a corresponding decryption key by computing a predefined combination of (1) said extracted buffer queue value and (2) said decrypted host-to-host key for said each received data packet;
packet processing means, coupled to said logic means, for decrypting said second portion of said each received data packet using said corresponding decryption key generated by said logic means, and for delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet's buffer queue value.
(Dependent claims: 2, 3, 4)

5. A computer network packet receiver, coupled to a first host computer and to a computer network from which data packets originated by other host computers are received, said computer network packet receiver comprising:
key storage means for storing a distinct host-to-host key for each host computer from which said computer network packet receiver may receive data packets;
receiver means coupled to said computer network for receiving data packets, wherein each received data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating which other host computer originated said data packet and a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, and (B) a second portion that is encrypted;
logic means, coupled to said receiver means and said key storage means, for (A) extracting from each received data packet said buffer queue value, (B) retrieving from said key storage means the host-to-host key corresponding to the host computer that originated said each received data packet, and (C) generating a corresponding decryption key by computing a predefined combination of (1) said extracted buffer queue value and (2) said retrieved host-to-host key for said each received data packet;
packet processing means, coupled to said logic means, for decrypting said second portion of said each received data packet using said corresponding decryption key generated by said logic means, and for delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet's buffer queue value.
(Dependent claims: 6, 7, 8)

9. A computer network packet receiver, coupled to a first host computer and to a computer network from which data packets originated by other host computers are received, said computer network packet receiver comprising:
means for establishing a host-to-host key for each host computer from which said computer network packet receiver may receive data packets;
receiver means coupled to said computer network for receiving data packets, wherein each received data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating which other host computer originated said data packet and a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, and (B) a second portion that is encrypted;
logic means, coupled to said receiver means and said key storage means, including means for extracting from each received data packet said buffer queue value, means for determining said established host-to-host key corresponding to the host computer that originated said each received data packet, and decryption key generating means for generating a corresponding decryption key by computing a predefined combination of (1) said extracted buffer queue value and (2) said determined host-to-host key for said each received data packet;
packet processing means, coupled to said logic means, for decrypting said second portion of said each received data packet using said corresponding decryption key generated by said logic means, and for delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet's buffer queue value.
(Dependent claims: 10)

11. A computer system, comprising:
a multiplicity of host computers, each host computer having a corresponding network controller that couples said host computer to a common computer network;
means for establishing, for each pair of host computers of said multiplicity of host computers that will transmit data packets therebetween, a host-to-host encryption key;
each network controller including packet transmitting means for transmitting data packets, originated by its corresponding host computer, to other ones of said multiplicity of host computers via said computer network, and packet receiving means coupled to said computer network for receiving data packets;
wherein each transmitted data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating that said corresponding host computer originated said data packet and a buffer queue value corresponding to a memory address in a specified one of said multiplicity of host computers to which said data packet is to be delivered, and (B) a second portion that is encrypted;
said packet transmitting means of said each network controller including means for encrypting said second portion of each data packet transmitted thereby using an encryption key comprising a predefined combination of (1) said transmitted data packet's buffer queue value and (2) said established host-to-host encryption key corresponding to the pair of host computers comprising said originating host computer and said specified one of said multiplicity of host computers to which said data packet is being transmitted;
said packet receiving means of said each network controller including first logic means for extracting from each received data packet said buffer queue value, second logic means for determining said established host-to-host encryption key corresponding to the one of said multiplicity of host computers that originated said each received data packet, and decryption key generating means for generating a corresponding decryption key by computing said predefined combination of (1) said extracted buffer queue value and (2) said determined host-to-host encryption key for said each received data packet;
said packet receiving means of said each network controller further including packet processing means, for decrypting said second portion of said each received data packet using said corresponding decryption key generated by said decryption key generating means, and for delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said network controller's host computer corresponding to said each received data packet's buffer queue value.
(Dependent claims: 12, 13, 14)

15. A method of receiving at a first host computer data packets originated by other host computers and transmitted therebetween via a communications network, the steps of the method comprising:
receiving at said first host computer data packets from said communications network, wherein each received data packet includes (A) a first, unencrypted portion in which is stored a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, (B) an encrypted host-to-host key, and (C) a second portion that is encrypted;
extracting from each received data packet said buffer queue value;
decrypting, using a predefined master key, said encrypted host-to-host key in said each received data packet;
generating a decryption key corresponding to said each received data packet by computing a predefined combination of (1) said extracted buffer queue value and (2) said decrypted host-to-host key for said each received data packet;
decrypting said second portion of said each received data packet using said corresponding decryption key computed by said generating step, and delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet's buffer queue value.
(Dependent claims: 16, 17)

18. A method of receiving at a first host computer data packets originated by other host computers and transmitted therebetween via a communications network, the steps of the method comprising:
storing, in a memory device associated with said first host computer, a distinct host-to-host key for each other host computer from which said first host computer may receive data packets;
receiving at said first host computer data packets from said communications network, wherein each received data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating which other host computer originated said data packet and a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, and (B) a second portion that is encrypted;
extracting from each received data packet said buffer queue value;
retrieving from said memory device the host-to-host key corresponding to the other host computer that originated said each received data packet;
generating a decryption key corresponding to said each received data packet by computing a predefined combination of (1) said extracted buffer queue value and (2) said retrieved host-to-host key for said each received data packet;
decrypting said second portion of said each received data packet using said corresponding decryption key computed by said generating step, and delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet's buffer queue value.
(Dependent claims: 19, 20)

21. A method of receiving at a first host computer data packets originated by other host computers and transmitted therebetween via a communications network, the steps of the method comprising:
establishing a single host-to-host key for each host computer from which said first host computer may receive data packets;
receiving at said first host computer data packets from said communications network, wherein each received data packet includes (A) a first, unencrypted portion in which is stored source identifying data indicating which other host computer originated said data packet and a buffer queue value corresponding to a memory address in said first host computer to which said data packet is to be delivered, and (B) a second portion that is encrypted;
extracting from each received data packet said buffer queue value;
determining said established host-to-host key corresponding to the host computer that originated said each received data packet;
generating a decryption key corresponding to said each received data packet by computing a predefined combination of (1) said extracted buffer queue value and (2) said determined host-to-host key for said each received data packet;
decrypting said second portion of said each received data packet using said corresponding decryption key computed by said generating step, and delivering said first portion and second decrypted second portion of said each received data packet to said memory address in said first host computer corresponding to said each received data packet's buffer queue value.
(Dependent claims: 22, 23)

24. A method of transmitting data packets between a multiplicity of host computers via a communications network, the steps of the method comprising:
establishing, for each pair of host computers of said multiplicity of host computers that will transmit data packets therebetween, a host-to-host encryption key;
each host computer transmitting data packets to other ones of said multiplicity of host computers via said communications network;
each transmitted data packet including (A) a first, unencrypted portion in which is stored source identifying data including an originating host computer, comprising a first one of said multiplicity of host computers that originated said data packet, and a buffer queue value corresponding to a memory address in a destination host computer, comprising a second one of said multiplicity of host computers to which said data packet is to be delivered, and (B) a second portion;
before transmitting each said data packet, encrypting said second portion of said each data packet using an encryption key comprising a predefined combination of (1) said each data packet's buffer queue value and (2) said established host-to-host encryption key corresponding to the pair of host computers comprising said originating host computer and said destination host computer associated with said each data packet;
upon receiving a data packet at any one of said multiplicity of host computers;
extracting from each received data packet said buffer queue value;
determining said established host-to-host encryption key corresponding to the one of said multiplicity of host computers that originated said each received data packet;
generating a decryption key by computing a predefined combination of (1) said extracted buffer queue value and (2) said determined host-to-host encryption key for said received data packet;
decrypting said second portion of said each received data packet using said generated decryption key; and
delivering said received data packet, with said second portion decrypted, to said memory address in said network controller's host computer corresponding to said received data packet's buffer queue value.
(Dependent claims: 25, 26)