Packet authentication and packet encryption/decryption scheme for security gateway
Abstract
A packet authentication and packet encryption/decryption scheme for a security gateway suitable for a hierarchically organized network system and a mobile computing environment. For packet authentication, in addition to the end-to-end authentication performed at the destination side packet processing device, a link-by-link authentication is performed at each intermediate packet processing device in the packet transfer route. The link-by-link authentication data is inspected by the intermediate nodes, while the end-to-end authentication data (distinct from the link-by-link data) is inspected by the destination node and not by any intermediate node. For packet encryption/decryption, each packet processing device determines whether or not to encrypt/decrypt the packet according to: information on the computers directly managed by this packet processing device; or the encryption information and the signature information provided in the packet; or the encryption information, the signature information, and the encryption/decryption level information provided in the packet.
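The following is an added worked model of the two-layer authentication described in the abstract and in claim 1; it is example code written for this page, not code from the patent or from any product. The source gateway attaches an end-to-end HMAC under a key it shares only with the destination gateway, plus a link HMAC under a key shared with the next hop; each relay verifies and re-keys only the link tag and never touches the end-to-end tag; the destination gateway verifies both. The gateway names, keys, host-to-gateway mapping and the HMAC-SHA256 construction are assumptions made for the demonstration. The example goes slightly beyond the text by exercising two failure modes: corruption on the wire, which the next hop rejects, and a relay that rewrites the payload, which passes every hop check but is rejected by the end-to-end check at the destination.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed demo keys (assumption). A real gateway obtains these from key
# management; they are hard-coded here only so the example runs offline.
E2E_KEYS = {("GW-A", "GW-D"): b"e2e-key-A-D"}          # shared by source/destination gateways only
LINK_KEYS = {                                            # one key per adjacent gateway pair
    ("GW-A", "GW-B"): b"link-key-A-B",
    ("GW-B", "GW-C"): b"link-key-B-C",
    ("GW-C", "GW-D"): b"link-key-C-D",
}
# Which gateway directly manages which host (assumed topology).
MANAGED_BY = {"host-src": "GW-A", "host-dst": "GW-D"}
ROUTE = ["GW-A", "GW-B", "GW-C", "GW-D"]


@dataclass
class Packet:
    src_host: str
    dst_host: str
    payload: bytes
    e2e_mac: Optional[str] = None   # inspected by the destination gateway only
    link_mac: Optional[str] = None  # inspected and replaced at every hop


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _link_key(a: str, b: str) -> bytes:
    return LINK_KEYS.get((a, b)) or LINK_KEYS[(b, a)]


def _e2e_input(p: Packet) -> bytes:
    # The end-to-end tag binds the addresses and the payload.
    return b"|".join([p.src_host.encode(), p.dst_host.encode(), p.payload])


def _link_input(p: Packet) -> bytes:
    # The hop tag also covers the end-to-end tag, so a corrupted e2e tag is
    # detected at the next hop rather than only at the destination.
    return _e2e_input(p) + b"|" + (p.e2e_mac or "").encode()


def source_gateway_send(p: Packet, gw: str, next_gw: str) -> Packet:
    """Step (a): attach both tags before forwarding to the adjacent gateway."""
    dst_gw = MANAGED_BY[p.dst_host]
    p.e2e_mac = _mac(E2E_KEYS[(gw, dst_gw)], _e2e_input(p))
    p.link_mac = _mac(_link_key(gw, next_gw), _link_input(p))
    return p


def intermediate_relay(p: Packet, prev_gw: str, gw: str, next_gw: str) -> bool:
    """Step (b): verify the incoming hop tag, re-key it for the next hop, leave e2e alone."""
    expected = _mac(_link_key(prev_gw, gw), _link_input(p))
    if not hmac.compare_digest(p.link_mac, expected):
        return False
    p.link_mac = _mac(_link_key(gw, next_gw), _link_input(p))
    return True


def destination_gateway_deliver(p: Packet, prev_gw: str, gw: str) -> str:
    """Step (c): verify the final hop tag, then the end-to-end tag."""
    if not hmac.compare_digest(p.link_mac, _mac(_link_key(prev_gw, gw), _link_input(p))):
        return "link-auth-failed"
    src_gw = MANAGED_BY[p.src_host]
    if not hmac.compare_digest(p.e2e_mac, _mac(E2E_KEYS[(src_gw, gw)], _e2e_input(p))):
        return "e2e-auth-failed"
    return "delivered"


def run_route(payload: bytes, route, wire_tamper_after=None, rogue_gateway=None) -> str:
    """Walk a packet along `route`; returns 'delivered' or where and why it was dropped."""
    p = Packet("host-src", "host-dst", payload)
    source_gateway_send(p, route[0], route[1])
    for i in range(1, len(route)):
        prev_gw, gw = route[i - 1], route[i]
        if wire_tamper_after == prev_gw:
            p.payload += b"!"                      # corruption on the link into `gw`
        if i == len(route) - 1:
            result = destination_gateway_deliver(p, prev_gw, gw)
            return result if result == "delivered" else f"dropped at {gw}: {result}"
        if not intermediate_relay(p, prev_gw, gw, route[i + 1]):
            return f"dropped at {gw}: link-auth-failed"
        if rogue_gateway == gw:
            # A compromised relay holds its hop keys but not the e2e key: it can
            # rewrite the payload and produce a valid hop tag, but not a valid e2e tag.
            p.payload = b"forged"
            p.link_mac = _mac(_link_key(gw, route[i + 1]), _link_input(p))
    return "unreachable"


if __name__ == "__main__":
    print(run_route(b"hello", ROUTE))
    print(run_route(b"hello", ROUTE, wire_tamper_after="GW-B"))
    print(run_route(b"hello", ROUTE, rogue_gateway="GW-B"))
```

The design choice worth noting is that the hop tag covers the end-to-end tag: an intermediate gateway still never interprets the end-to-end data (it has no key for it), but any corruption of that field is rejected one hop later instead of travelling the whole route before being dropped.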
35 Claims
1. A method for transferring a packet from a source computer to a destination computer in a network system formed by a plurality of computer networks in which a packet processing device is provided at a boundary between each computer network and an external of said each computer network, the method comprising the steps of:
- (a) transferring the packet transmitted by the source computer from a source side packet processing device managing the source computer to an adjacent packet processing device in a packet transfer route, after attaching to the packet an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in the packet transfer route and a link-by-link authentication data for inspection by at least one intermediate packet processing device in the packet transfer route;
- (b) inspecting the link-by-link authentication data attached to the packet at said at least one intermediate packet processing device without inspecting the end-to-end authentication data, and transferring the packet from said at least one intermediate packet processing device to a next packet processing device in the packet transfer route when the packet is authenticated by an inspection of the link-by-link authentication data; and
- (c) inspecting the end-to-end authentication data attached to the packet at the destination side packet processing device, and transferring the packet from the destination side packet processing device to the destination computer when the packet is authenticated by an inspection of the end-to-end authentication data.
(Dependent claims 2 through 17.)
18. A packet processing device for transferring a packet transmitted from a source computer to a destination computer in a network system formed by a plurality of computer networks, the device being provided at a boundary between one computer network and an external of said one computer network, and the device comprising:
- authentication data generation means for generating an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in a packet transfer route and a link-by-link authentication data for inspection by at least one intermediate packet processing device in the packet transfer route;
- packet formatting means for attaching the end-to-end authentication data and the link-by-link authentication data generated by the authentication data generation means to the packet transmitted by the source computer; and
- transfer means for transferring the packet with the end-to-end authentication data and the link-by-link authentication data attached thereto by the packet formatting means, to an adjacent packet processing device in the packet transfer route.
(Dependent claims 19 through 28.)
29. A packet processing device for relaying a packet transmitted from a source computer to a destination computer in a network system formed by a plurality of computer networks, the device being provided at a boundary between one computer network and an external of said one computer network, and the device comprising:
- inspection means for inspecting a corresponding link-by-link authentication data attached to the packet received from an adjacent packet processing device in the packet transfer route, without inspecting an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in the packet transfer route which is also attached to the packet; and
- transfer means for transferring the packet to a next packet processing device in the packet transfer route when the packet is authenticated by an inspection of the corresponding link-by-link authentication data by the inspection means.
(Dependent claims 30 through 33.)
34. An article of manufacture, comprising:
a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a packet processing device for transferring a packet transmitted from a source computer to a destination computer in a network system formed by a plurality of computer networks, the packet processing device being provided at a boundary between one computer network and an external of said one computer network, the computer readable program code means including:
- first computer readable program code means for causing said computer to generate an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in a packet transfer route and a link-by-link authentication data for inspection by at least one intermediate packet processing device in the packet transfer route;
- second computer readable program code means for causing said computer to attach the end-to-end authentication data and the link-by-link authentication data generated by the first computer readable program code means to the packet transmitted by the source computer; and
- third computer readable program code means for causing said computer to transfer the packet with the end-to-end authentication data and the link-by-link authentication data attached thereto by the second computer readable program code means, to an adjacent packet processing device in the packet transfer route.
35. An article of manufacture, comprising:
a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a packet processing device for relaying a packet transmitted from a source computer to a destination computer in a network system formed by a plurality of computer networks, the packet processing device being provided at a boundary between one computer network and an external of said one computer network, the computer readable program code means including:
- first computer readable program code means for causing said computer to inspect a corresponding link-by-link authentication data attached to the packet received from an adjacent packet processing device in the packet transfer route, without inspecting an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in the packet transfer route which is also attached to the packet; and
- second computer readable program code means for causing said computer to transfer the packet to a next packet processing device in the packet transfer route when the packet is authenticated by an inspection of the corresponding link-by-link authentication data by the first computer readable program code means.