Method and apparatus for a key-management scheme for internet protocols
First Claim
1. An improved method for a first data processing device (node I) to send data to a second data processing device (node J), comprising the steps of:
providing an element for performing the step of providing a secret value i, and a public value α^i mod p to said node I;
providing an element for performing the step of providing a secret value j, and a public value α^j mod p to said node J;
said node I including an element for performing the steps of:
obtaining a Diffie-Hellman (DH) certificate for node J and determining said public value α^j mod p from said DH certificate;
computing the value of α^ij mod p, said node I further deriving a key Kij from said value α^ij mod p;
utilizing said key Kij to encrypt a randomly generated transient key Kp, and encrypting a data packet to be transmitted to node J using said key Kp;
providing an element for performing the step of said node I sending said data packet encrypted using said key Kp to said node J.
Abstract
A first data processing device (node I) is coupled to a private network which is in turn coupled to the Internet. A second data processing device (node J) is coupled to the same, or to a different, network, which is also coupled to the Internet, such that node I communicates with node J using the Internet protocol. Node I is provided with a secret value i and a public value α^i mod p. Node J is provided with a secret value j and a public value α^j mod p. Data packets (referred to as "datagrams") are encrypted using the teachings of the present invention to enhance network security. A source node I obtains a Diffie-Hellman (DH) certificate for node J (either from a local cache, from a directory service, or directly from node J) and obtains node J's public value α^j mod p from the DH certificate. Node I then computes the value of α^ij mod p and derives a key Kij from the value α^ij mod p. A transient key Kp is then generated at random, and Kp is used to encrypt the datagram to be sent by node I. Kp is then encrypted with key Kij. Upon receipt of the encrypted datagram by the receiving node J, node J obtains a DH certificate for node I (either from a local cache, from a directory service, or directly from node I) and obtains the public value α^i mod p. Node J then computes the value of α^ij mod p and derives the key Kij. Node J utilizes the key Kij to decrypt the transient key Kp and, using the decrypted transient key Kp, decrypts the datagram packet, thereby recovering the original data in unencrypted form.
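The following Python program is an added worked example of the exchange the abstract describes; it is not code from the patent. Both nodes hold a long-term secret (i or j) and publish α^i mod p or α^j mod p in a certificate; the sender derives Kij from the peer's certificate and its own secret with no message to the peer, wraps a fresh random transient key Kp under Kij, and encrypts the datagram under Kp. The receiver derives the same Kij from the sender's certificate, unwraps Kp and decrypts. Everything not fixed by the abstract is an assumption made here: the toy group (p = 2^521 - 1, α = 3), SHA-256 as the derivation of Kij from α^ij mod p, an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a stand-in for the unspecified packet cipher, the packet layout, and a plain dictionary standing in for the certificate directory.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple

# Toy group, chosen for this example: p is the Mersenne prime 2^521 - 1 and
# alpha = 3.  A deployment would use a standard MODP group of 2048+ bits.
P = 2**521 - 1
ALPHA = 3
P_BYTES = (P.bit_length() + 7) // 8

class DHCertificate(NamedTuple):
    """Binding of a node name to its public value alpha^x mod p.  Assumed here
    to come from a trusted directory; a real one carries a CA signature."""
    node: str
    public_value: int

def generate_node(node: str):
    """Return (secret value x, certificate carrying alpha^x mod p)."""
    x = secrets.randbelow(P - 2) + 1          # uniform in [1, p-2]
    return x, DHCertificate(node, pow(ALPHA, x, P))

def derive_kij(secret: int, peer_cert: DHCertificate) -> bytes:
    """Kij = SHA-256(alpha^ij mod p); (alpha^j)^i == (alpha^i)^j mod p, so
    both ends derive the same key without exchanging any message."""
    shared = pow(peer_cert.public_value, secret, P)
    return hashlib.sha256(b"Kij|" + shared.to_bytes(P_BYTES, "big")).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a block cipher."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def _subkeys(key: bytes):
    return (hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest())

def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(aad || nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, aad: bytes, blob: bytes) -> bytes:
    """Inverse of seal; rejects a wrong key, a modified header or modified bytes."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Packet(NamedTuple):
    src: str
    dst: str
    wrapped_kp: bytes   # transient key Kp, encrypted under Kij
    body: bytes         # datagram, encrypted under Kp

def send(src: str, secret_i: int, dst_cert: DHCertificate, datagram: bytes) -> Packet:
    """Node I: Kij from J's certificate, fresh random Kp, Kp wrapped under Kij,
    datagram encrypted under Kp.  The header is bound into both MACs."""
    kij = derive_kij(secret_i, dst_cert)
    kp = secrets.token_bytes(32)
    header = f"{src}->{dst_cert.node}".encode()
    return Packet(src, dst_cert.node, seal(kij, header + b"|kp", kp), seal(kp, header, datagram))

def receive(secret_j: int, src_cert: DHCertificate, pkt: Packet) -> bytes:
    """Node J: same Kij from I's certificate, unwrap Kp, decrypt the datagram."""
    kij = derive_kij(secret_j, src_cert)
    header = f"{pkt.src}->{pkt.dst}".encode()
    kp = unseal(kij, header + b"|kp", pkt.wrapped_kp)
    return unseal(kp, header, pkt.body)

def can_decrypt(secret: int, src_cert: DHCertificate, pkt: Packet) -> bool:
    """True only when secret and src_cert combine to the Kij the sender used."""
    try:
        receive(secret, src_cert, pkt)
        return True
    except ValueError:
        return False

def demo() -> bytes:
    i, cert_i = generate_node("I")
    j, cert_j = generate_node("J")
    directory = {c.node: c for c in (cert_i, cert_j)}   # trusted certificate store
    pkt = send("I", i, directory["J"], b"constructed sample datagram")   # constructed input
    return receive(j, directory["I"], pkt)

if __name__ == "__main__":
    print(demo())
```

Two properties of the scheme are visible in the code and worth keeping in mind. First, everything rests on the DH certificate being authentic: a node that is handed α^k mod p in place of α^j mod p will wrap Kp under a key the holder of k can recover, so the certificate binding must be signed by an authority the node trusts, not merely fetched. Second, Kij is a function of the two long-term secrets only, so it is the same for every packet between I and J; the per-packet Kp limits exposure of the packet cipher but does not give forward secrecy, since anyone who later learns i or j can unwrap every recorded Kp.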
20 Claims
1. (Independent; reproduced above under First Claim. Claims 2 to 9 depend from it.)
10. An apparatus for encrypting data for transmission from a first data processing device (node I) to a second data processing device (node J), comprising:
node I including a first storage device for storing a secret value i, and a public value α^i mod p;
node J including a second storage device for storing a secret value j, and a public value α^j mod p;
node I including an encrypting device for encrypting a data packet to be transmitted to node J, said data packet being encrypted using a first Diffie-Hellman (DH) certificate for node J to determine said public value α^j mod p;
said encrypting device further computing the value of α^ij mod p and deriving a key Kij from said value α^ij mod p;
said encrypting device encrypting a randomly generated transient key Kp using Kij, and encrypting said data packet using said transient key Kp;
node I further including an interface circuit for transmitting said encrypted data packet to said node J.
(Claims 11 to 20 depend from claim 10.)