System for signatureless transmission and reception of data packets between computer networks
Abstract
A system for automatically encrypting and decrypting data packets sent from a source host to a destination host across a public internetwork. A tunnelling bridge is positioned at each network, and intercepts all packets transmitted to or from its associated network. The tunnelling bridge includes tables indicating pairs of hosts or pairs of networks between which packets should be encrypted. When a packet is transmitted from a first host, the tunnelling bridge of that host's network intercepts the packet, and determines from its header information whether packets from that host that are directed to the specified destination host should be encrypted; or, alternatively, whether packets from the source host's network that are directed to the destination host's network should be encrypted. If so, the packet is encrypted, and transmitted to the destination network along with an encapsulation header indicating source and destination information: either source and destination host addresses, or the broadcast addresses of the source and destination networks (in the latter case, concealing by encryption the hosts' respective addresses). An identifier of the source network's tunnelling bridge may also be included in the encapsulation header. At the destination network, the associated tunnelling bridge intercepts the packet, inspects the encapsulation header, determines from an internal table whether the packet was encrypted, and from either the source (host or network) address or the tunnelling bridge identifier determines whether and how the packet was encrypted. If the packet was encrypted, it is now decrypted using a key stored in the destination tunnelling bridge's memory, and is sent on to the destination host. The tunnelling bridge identifier is used particularly in an embodiment where a given network has more than one tunnelling bridge, and hence multiple possible encryption/decryption schemes and keys.
In an alternative embodiment, the automatic encryption and decryption may be carried out by the source and destination hosts themselves, without the use of additional tunnelling bridges, in which case the encapsulation header includes the source and destination host addresses.
17 Claims
1. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first and second computer networks including, respectively, first and second bridge computers, each of said first and second host computers and first and second bridge computers including a processor and a memory for storing instructions for execution by the processor, each of said first and second bridge computers further including memory storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carried out by means of the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;
(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first bridge computer;
(4) in the first bridge computer, generating and appending to the first data packet an encapsulation header, including:
(a) key management information identifying the predetermined encryption method, and
(b) a new address header representing the source and destination for the data packet,
thereby generating a modified data packet;
(5) transmitting the data packet from the first bridge computer via the internetwork to the second computer network;
(6) intercepting the data packet at the second bridge computer;
(7) in the second bridge computer, reading the encapsulation header, and determining therefrom whether the data packet was encrypted, and if not, proceeding to step 10, and if so, proceeding to step 8;
(8) in the second bridge computer, determining which encryption mechanism was used to encrypt the first data packet;
(9) decrypting the first data packet by the second bridge computer;
(10) transmitting the first data packet from the second bridge computer to the second host computer; and
(11) receiving the unencrypted data packet at the second host computer.
6. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network, including:
a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network, the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network, the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets;
said first host computer including a third processor and a third memory including instructions for transmitting a first said data packet from said first host to said second host;
a table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;
instructions stored in said first memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present in said table, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header and appending said new address header to said first data packet, thereby generating a modified first data packet, and transmitting said modified data packet on to the second host computer;
instructions stored in said second memory for intercepting said first data packet upon arrival at said second network, determining whether said correlation is present in said table, and if so, then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism, and transmitting the first data packet to the second host computer.
11. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first and second computer networks, each of said first and second host computers including a processor and a memory for storing instructions for execution by the processor, each said memory storing at least one predetermined encryption/decryption mechanism and a source/destination table identifying a predetermined plurality of sources and destinations requiring security for packets transmitted between them, the method being carried out by means of the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the data packet including information representing an internetwork address of a source of the packet and an internetwork address of a destination of the packet;
(2) in the first host computer, determining whether the source and destination of the first data packet are among the predetermined plurality of sources and destinations identified in said source/destination table for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first host computer;
(4) in the first host computer, generating and appending to the first data packet an encapsulation header, including:
(a) key management information identifying the predetermined encryption method, and
(b) a new address header identifying the source and destination for the data packet,
thereby generating a modified data packet;
(5) transmitting the data packet from the first host computer via the internetwork to the second computer network;
(6) in the second host computer, reading the encapsulation header, and determining therefrom whether the data packet was encrypted, and if not, ending the method, and if so, proceeding to step 7;
(7) in the second host computer, determining which encryption mechanism was used to encrypt the first data packet; and
(8) decrypting the first data packet by the second host computer.
14. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network and having a first processor and a first memory, via an internetwork to a second host computer on a second computer network and having a second processor and a second memory, the system including:
security data stored in said first and second memories indicating that data packets meeting at least one predetermined criterion are to be encrypted;
a predetermined encryption/decryption mechanism stored in said first and second memories;
a decryption key stored in said second memory;
instructions stored in said first memory for determining whether to encrypt data packets, by determining whether said predetermined criterion is met by said data packet;
instructions stored in said first memory for executing encryption according to said predetermined encryption/decryption mechanism of at least a first said data packet, when said criterion is met, for generating a new address header for said first data packet and for appending an encapsulation header to said first data packet and transmitting said first data packet to said second host, said encapsulation header including at least said new address header;
instructions stored in said second memory for receiving said first data packet, determining whether it has been encrypted by reference to said security data, and if so then determining which encryption/decryption mechanism was used for encryption, and decrypting said data packet by use of said decryption key.
16. A system for automatically encrypting data packets for transmission from a first host computer on a first computer network to a second host computer on a second computer network, said first host computer including a first processor and a first memory including instructions for transmitting said data packets from said first host to said second host, the system including:
a bridge computer coupled to the first computer network for intercepting at least a first said data packet transmitted from said first computer network, said bridge computer including a second processor and a second memory storing instructions for executing encryption of said first data packet according to a predetermined encryption/decryption mechanism;
information stored in said second memory correlating at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;
instructions stored in said second memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header and appending said new address header to said first data packet, thereby generating a modified first data packet, and transmitting said modified first data packet on to the second host computer.
17. A method for transmitting packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first computer network including a first bridge computer, each of said first and second host computers and said bridge computer including a processor and a memory for storing instructions for execution by the processor, said bridge computer further including memory storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carried out according to the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;
(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first bridge computer;
(4) in the first bridge computer, generating and appending to the first data packet an encapsulation header, including:
(a) key management information identifying the predetermined encryption method, and
(b) a new address header representing the source and destination for the data packet,
thereby generating a modified data packet; and
(5) transmitting the data packet from the first bridge computer via the internetwork to the second computer network.
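The following Python simulation is an added example, not code from the patent or from any product implementing it. It models the scheme of the abstract and of the bridge-based method claims (1 and 17) end to end: a security table keyed by host pairs or network pairs, an encapsulation header carrying key-management information (here a key identifier plus a bridge identifier) and a new outer address header, a sending bridge that encrypts on departure, and a receiving bridge that reads the header, selects the mechanism, authenticates and decrypts. The patent names no cipher, so the encrypt-then-MAC construction (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag over header and ciphertext), the 13-byte header layout, the /24 network assumption, and every address, key and payload are assumptions made here. The receiving bridge also rejects a plaintext packet for a pair its own table says must be encrypted, which is the check the abstract's "determines from an internal table whether the packet was encrypted" step implies.

```python
# Added example: simulation of the tunnelling-bridge scheme (not the patent's own code).
# Standard library only; cipher, header layout, addresses and keys are assumptions.
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Encapsulation header: mode, key id (key-management info), bridge id, outer src, outer dst.
HDR = struct.Struct("!BHH4s4s")
MODE_PLAIN, MODE_ENC = 0, 1
NONCE_LEN, TAG_LEN = 16, 32

def ip(dotted):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(octet) for octet in dotted.split("."))

def network_of(addr):
    """Assumed /24 networks: the broadcast address stands in for a concealed host address."""
    return addr[:3] + b"\xff"

@dataclass
class Packet:
    src: bytes
    dst: bytes
    payload: bytes
    def encode(self):
        return self.src + self.dst + self.payload
    @classmethod
    def decode(cls, raw):
        return cls(raw[:4], raw[4:8], raw[8:])

def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256; stands in for the unspecified cipher."""
    blocks = (hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Bridge:
    def __init__(self, bridge_id, keys, table):
        self.bridge_id = bridge_id
        self.keys = keys    # key id -> 32-byte key shared by the two bridges
        self.table = table  # (src, dst) host pair or network pair -> key id

    def lookup(self, src, dst):
        """Host pair takes precedence over network pair; returns (outer addresses, key id)."""
        for pair in ((src, dst), (network_of(src), network_of(dst))):
            if pair in self.table:
                return pair, self.table[pair]
        return None, None

    def outbound(self, pkt):
        """Claim steps 2-5: decide, encrypt, append the encapsulation header, transmit."""
        pair, key_id = self.lookup(pkt.src, pkt.dst)
        if key_id is None:
            return HDR.pack(MODE_PLAIN, 0, self.bridge_id, pkt.src, pkt.dst) + pkt.encode()
        hdr = HDR.pack(MODE_ENC, key_id, self.bridge_id, *pair)  # a network pair hides the hosts
        key, nonce, body = self.keys[key_id], os.urandom(NONCE_LEN), pkt.encode()
        ct = xor(body, keystream(key, nonce, len(body)))
        tag = hmac.new(key, hdr + nonce + ct, hashlib.sha256).digest()  # header is authenticated too
        return hdr + nonce + ct + tag

    def inbound(self, wire):
        """Claim steps 6-10: read header, select mechanism, verify, decrypt, forward."""
        mode, key_id, _sender_bridge, _outer_src, _outer_dst = HDR.unpack_from(wire)
        hdr, body = wire[:HDR.size], wire[HDR.size:]
        if mode == MODE_PLAIN:
            pkt = Packet.decode(body)
            if self.lookup(pkt.src, pkt.dst)[1] is not None:
                raise ValueError("plaintext packet for a pair the table says must be encrypted")
            return pkt
        key = self.keys.get(key_id)
        if key is None:
            raise ValueError("unknown key id %d" % key_id)
        nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(key, hdr + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return Packet.decode(xor(ct, keystream(key, nonce, len(ct))))

# Constructed configuration shared by both bridges (key distribution is out of scope here).
KEYS = {7: bytes(range(32))}
TABLE = {(ip("10.1.0.255"), ip("10.2.0.255")): 7}  # network pair 10.1.0.0/24 <-> 10.2.0.0/24

def rejects(bridge, wire):
    """True if the receiving bridge refuses the packet."""
    try:
        bridge.inbound(wire)
        return False
    except ValueError:
        return True

def run_demo():
    a, b = Bridge(1, KEYS, TABLE), Bridge(2, KEYS, TABLE)
    secured = a.outbound(Packet(ip("10.1.0.5"), ip("10.2.0.9"), b"payroll export"))
    plain = a.outbound(Packet(ip("10.3.0.1"), ip("10.2.0.9"), b"public notice"))
    tampered = secured[:-1] + bytes([secured[-1] ^ 1])          # flip one tag bit
    downgrade = Bridge(3, KEYS, {}).outbound(Packet(ip("10.1.0.5"), ip("10.2.0.9"), b"x"))
    return {
        "outer_src": HDR.unpack_from(secured)[3],   # broadcast address, host concealed
        "secured": b.inbound(secured),
        "plain": b.inbound(plain),
        "tamper_rejected": rejects(b, tampered),
        "downgrade_rejected": rejects(b, downgrade),
    }
```

Running `run_demo()` shows the three behaviours the claims separate: a packet between the configured networks leaves with the networks' broadcast addresses in the outer header and is restored intact by the far bridge; a packet between hosts not in the table passes through in the clear; and a packet whose tag fails, or that arrives unencrypted on a pair the table protects, is dropped rather than forwarded to the destination host.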
Specification