Security system for a network concentrator

US 5,311,593 A
Filed: 05/13/1992
Issued: 05/10/1994
Est. Priority Date: 05/13/1992
Status: Expired due to Term

First Claim

Patent Images

1. A secure communication network comprising:

a plurality of end stations;

a plurality of end station link means for providing a communication path to and from each of said plurality of said end stations;

concentrator means for connecting said plurality of end station link means and for transferring data packets between said plurality of end stations, said concentrator means having a plurality of ports, each of said plurality of ports having a unique affiliated port address, each of said plurality of ports being affiliated with a specific one of said plurality of end stations and end station link means said concentrator means receiving a data packet from one end station of said plurality of end stations through an affiliated port of said one end station, and then transmitting the data packet through affiliated ports of other end stations to said other end stations, the data packet having a destination address, a source address and a data portion; and

a plurality of security means for cyphering and decyphering said data packet passing into and out of each of said ports based on a comparison of said destination address and said source address with said affiliated port address of said each port, each of said plurality of said security means being affiliated with a port of said concentrator.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing secure communication on open networks. Each port of the network is provided with a security entity which monitors the communication between one port to the other. End stations connected to the ports communicate with other end stations by transmitting data to the port and receiving data from the port. The data is sent out in data packets with a destination address and a source address. Each port has its own unique address. The security entity checks data packets coming into the port for a destination address. The destination address of incoming data packets is compared with the port address of the affiliated port. Also, outgoing data packets from an end station to a port are also monitored by the security entity. The security entity compares the destination and source address of the data packet with the affiliated port address. The security entity cyphers and decyphers a data portion of the data packet depending on whether or not the source address, destination address and port address match. In this way, end stations not destined to read the data portions are thus prevented from doing so. Also end stations which are not authorized to transmit onto the network are prevented from having any users on the network understand their data.

274 Citations

15 Claims

1. A secure communication network comprising:
- a plurality of end stations;
  
  a plurality of end station link means for providing a communication path to and from each of said plurality of said end stations;
  
  concentrator means for connecting said plurality of end station link means and for transferring data packets between said plurality of end stations, said concentrator means having a plurality of ports, each of said plurality of ports having a unique affiliated port address, each of said plurality of ports being affiliated with a specific one of said plurality of end stations and end station link means said concentrator means receiving a data packet from one end station of said plurality of end stations through an affiliated port of said one end station, and then transmitting the data packet through affiliated ports of other end stations to said other end stations, the data packet having a destination address, a source address and a data portion; and
  
  a plurality of security means for cyphering and decyphering said data packet passing into and out of each of said ports based on a comparison of said destination address and said source address with said affiliated port address of said each port, each of said plurality of said security means being affiliated with a port of said concentrator.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A network in accordance with claim 1, wherein:
    - each of said plurality of security means compares said affiliated port address with said destination address of an incoming data packet of an affiliated port, said each security means cyphering a data portion of said incoming data packet if said destination address does not match said affiliated port address, said each security means also comparing said affiliated port address with a source address of an outgoing data packet received from said affiliated end station, said each security means decyphering a data portion of said outgoing data packet if said source address of said outgoing data packet does not match said port address of said affiliated port.
  - 3. A network in accordance with claim 1, wherein:
    - each of said security means compares said affiliated port address with a source address of an outgoing data packet from said affiliated end station, said each security means cyphering a data portion of said outgoing data packet if said source address matches said affiliated port address, said each security means comparing said affiliated port address with a destination address of an incoming data packet for said affiliated port, said security means decyphering a data portion of said incoming data packet if said destination address of said incoming data packet matches said affiliated port address.
  - 4. A network in accordance with claim 3, wherein:
    - said security means delivers said outgoing data packet unmodified to another port if said source address does not match said affiliated port address; and
      
      said security means transmits said incoming data packet unmodified to said affiliated end station if said destination address of said incoming data packet does not match said affiliated port address.
  - 5. A network in accordance with claim 1, wherein:
    - each of said plurality of security means compares said affiliated port address with a destination address of an incoming data packet of an affiliated port, said each security means cyphering a data portion of said incoming data packet if said destination address does not match said affiliated port address, and said security means decyphering a data portion of said incoming data packet if said destination address of said incoming data packet matches said affiliated port address, said each security means also comparing said affiliated port address with a source address of an outgoing data packet received from said affiliated end station, said each security means decyphering a data portion of said outgoing data packet if said source address of said outgoing data packet does not match said port address of said affiliated port, and said each security means cyphering a data portion of said outgoing data packet if said source address matches said affiliated port address.
  - 6. A network in accordance with claim 1, wherein:
    - said concentrator means deliberately transmits the data packet to a port of an end station not authorized to receive the data packet.

7. A secured network communication method comprising the steps of:
- providing a plurality of end stations;
  
  connecting each of said end stations to an affiliated port of a plurality of ports of a concentrator, assigning each of said plurality of ports a unique affiliated port address;
  
  communicating between said plurality of end stations by passing data packets from one of said plurality of end stations through an affiliated port of said one end station, and then transmitted a data packet through affiliated ports of other end stations to said other end stations;
  
  assigning each of said data packets a destination address and a source address; and
  
  cyphering and decyphering said data packets passing into and out of each of said ports based on a comparison of said destination address and said source address with said affiliated port address of said each port.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. A method in accordance with claim 7, further comprising:
    - comparing a destination address of an incoming data packet for each port of said plurality of ports with said affiliated port address;
      
      cyphering a data portion of said incoming data packet if said destination address of said incoming data packet does not match said affiliated port address;
      
      comparing a source address of an outgoing data packet from each of said plurality of end stations with said affiliated port address; and
      
      decyphering a data portion of said outgoing data packet if said source address of said outgoing data packet does not match said affiliated port address.
  - 9. A method in accordance with claim 8, further comprising:
    - transferring said incoming data packet unmodified to said each port if said data address of said incoming data packet matches said affiliated port address; and
      
      transferring said outgoing data packet unmodified to another port if said source address of said outgoing data packet matches said affiliated port address.
  - 10. A method in accordance with claim 7, further comprising:
    - comparing a source address of an outgoing data packet from each of said plurality of end station with said affiliated port address;
      
      cyphering a data portion of said outgoing data packet if said source address of said outgoing data packet matches said affiliated port address;
      
      comparing a destination address of an incoming data packet for each of said plurality of ports with said affiliated port address; and
      
      decyphering a data portion of said incoming data packet if said destination address of said incoming data packet matches said affiliated port address.
  - 11. A method in accordance with claim 7, further comprising:
    - comparing a destination address of an incoming data packet for each port of said plurality of ports with an affiliated port address;
      
      decyphering a data portion of said incoming data packet if said destination address of said incoming data packet matches said affiliated port address;
      
      cyphering a data portion of said incoming data packet if said destination address of said incoming data packet does not match said affiliated port address;
      
      comparing a source address of an outgoing data packet from each of said plurality of end stations with an affiliated port address;
      
      decyphering a data portion of said outgoing data packet if said source address of said outgoing data packet does not match said affiliated port address; and
      
      cyphering a data portion of said outgoing data packet if said source address of said outgoing data packet matches said affiliated port address.
  - 12. A method in accordance with claim 7, wherein:
    - the data packet is deliberately past through a port of an end station not authorized to receive the data packet.
  - 13. A method in accordance with claim 7, wherein:
    - the data packet is past into and out of successive ports of said plurality of end stations until reaching a destination end station.
  - 14. A method in accordance with claim 7, wherein:
    - the data packet is past in a token ring topology.
  - 15. A method in accordance with claim 7, wherein:
    - the data packet is past substantially simultaneously to said affiliated ports of said other end stations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Chipcom Corp. (HP Inc.)
Inventors
Carmi, Ilan
Primary Examiner(s)
Buczinski, Stephen C.

Application Number

US07/882,517
Time in Patent Office

727 Days
Field of Search

380/23, 380/48, 370/60, 370/85.15
US Class Current

713/162
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/105   Multiple levels of security

H04L 63/1408   by monitoring network traff...

Security system for a network concentrator

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

274 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Security system for a network concentrator

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

274 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links