Packet authentication and packet encryption/decryption scheme for security gateway

US 6,185,680 B1
Filed: 03/29/2000
Issued: 02/06/2001
Est. Priority Date: 11/30/1995
Status: Expired due to Fees

First Claim

Patent Images

1. A method for encrypting a packet at a packet processing device provided at it boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:

storing an address information for computers which are directly managed by the packet processing device;

judging whether a source computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a source address in the packet with the address information stored at the storing step; and

encrypting a data portion of the packet at the packet processing device when the source computer of the packet is judged as one of the computers which are directly managed by the packet processing device at the judging step.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet authentication and packet encryption/decryption scheme for a security gateway suitable for a hierarchically organized network system and a mobile computing environment. For the packet authentication, in addition to the end-to-end authentication at the destination side packet processing device, the link-by-link authentication at each intermediate packet processing device in the packet transfer route is used. For the packet encryption/decryption, each packet processing device determines whether or not to encrypt/decrypt the packet according to: an information on the computers which are directly managed by this packet processing device; or the encryption information and the signature information provided in the packet; or the encryption information, the signature information, and the encryption/decryption level information provided in the packer.

Citations

22 Claims

1. A method for encrypting a packet at a packet processing device provided at it boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:
- storing an address information for computers which are directly managed by the packet processing device;
  
  judging whether a source computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a source address in the packet with the address information stored at the storing step; and
  
  encrypting a data portion of the packet at the packet processing device when the source computer of the packet is judged as one of the computers which are directly managed by the packet processing device at the judging step.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein the source computer is a mobile computer capable of carrying out communications by moving among the computer networks in the network system, and the packet processing device is implemented in the mobile computer, so that the data portion of the packet is encrypted by the packet processing device in the mobile computer at the encrypting step.

3. A method for encrypting a packet at a packet processing device provided at a boundary between one computer network and an external of said one computer network in a network system formed by a pluralily of computer networks the method comprising the steps of:
- checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted; and
  
  encrypting a data portion of the packet at the packet processing device when the encryption information indicates that the packet is non-encrypted and the signature information is absent as a result of the checking step, while changing the encryption information in the packet to indicate that the packet is encrypted, and attaching the signature information of the packet processing device to the packet.
- View Dependent Claims (4, 5)
- - 4. The method of claim 3, further comprising the step of:
5. The method of claim 3, wherein a source computer of the packet is a mobile computer capable of carrying out communications by moving among the computer networks in the network system, and the packet processing device is implemented in the mobile computer, so that the data portion of the packet is encrypted by the packet processing device in the mobile computer at the encrypting step.

6. A method for encrypting a packet at a packet processing device provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:
- storing an address information for computers which are connected to lower level computer networks of said one computer network, in correspondence to a level information for each computer indicating a number of packet processing devices to be passed in reaching to each computer;
  
  checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted;
  
  obtaining the level information for a source computer of the packet from a source address in the packet, according to the address information and the level information stored at the storing step, when the encryption information indicates that the packer is non-encrypted and the signature information is absent as a result of the checking step; and
  
  encrypting a data portion of the packet at the packet processing device when an encryption level information in the packet coincides with the level information for the source computer of the packet obtained au the obtaining step, while changing the encryption information in the packet to indicate that the packet is encrypted, and attaching the signature information of the packet processing device to the packet.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, further comprising the step of:
8. The method of claim 6, wherein the encryption level information in the packet indicates a desired packet processing device for encrypting the packet which is specified at the source computer of the packet in advance.
9. The method of claim 6, wherein the source computer is a mobile computer capable of carrying out communications by moving among the computer networks in the network system, and the packet processing device is implemented in the mobile computer, so that the data portion of the packet is encrypted by the data processing device in the mobile computer at the encrypting step.

10. A method for decrypting a packet at a packet processing device provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:
- storing an address information for computers which are directly managed by the packet processing device;
  
  judging whether a destination computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a destination address in the packet with the address information stored at the storing step; and
  
  decrypting a data portion of the packet at the packet processing device when the destination computer of the packet is judged as one of the computers which are directly managed by the packet processing device at the judging step.
- View Dependent Claims (11)
- - 11. The method of claim 10, wherein the destination computer is a mobile computer capable of carrying out communications by moving among the computer networks in the network system, and the packet processing device is implemented in the mobile computer, so that the data portion of the packet is decrypted by the data processing device in the mobile computer at the decrypting step.

12. A method for decrypting a packet at a packet processing device provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:
- storing an address information for computers which are connected to loses level computer networks of said one computer network, in correspondence to a level information for each computer indicating a number of packet processing devices to be passed in reaching to each computer;
  
  checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted;
  
  obtaining the level information for a destination computer of the packer from a destination address in the packet, according to the address information and the level information stored at the storing step, when the encryption information indicates that the packet is encrypted and the signature information is present as a result of the checking step; and
  
  decrypting a data portion of the packet at the packet processing device when a decryption level information in the packet coincides with the level information for the destination computer of the packet obtained at the obtaining step.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, wherein the decryption level information in the packet indicates a desired packet processing device for decrypting the packet which is specified at a source computer of the packet in advance.
  - 14. The method of claim 12, wherein the decryption level information in the packet is set identical to an encryption level information in the packet indicating a desired packet processing device for encrypting the packet which is specified at a source computer of the packet in advance.
  - 15. The method of claim 12, wherein the destination computer is a mobile computer capable of carrying out communications by moving among the computer networks in the network system, and the packet processing device is implemented in the mobile computer, so that the data portion of the packet is decrypted by the data processing device in the mobile computer at the decrypting step.

16. A packet processing device for encrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
- a memory for storing an address information for computers which are directly managed by the packet processing device;
  
  judging means for judging whether a source computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a source address in the packet with the address information stored in the memory; and
  
  encryption means for encrypting a data portion of the packet when the source computer of the packet is judged as one of the computers which are directly managed by the packet processing device by the judging means.

17. A packet processing device for encrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
- checking means for checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted; and
  
  encryption means for encrypting a data portion of the packet when the encryption information indicates that the packet is non-encrypted and the signature information is absent as a result of checking by the checking means, while changing the encryption information in the packet to indicate that the packet is encrypted, and attaching the signature information of the packet processing device to the packet.

18. A packet processing device for encrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
- a memory for storing an address information for computers which are connected to lower level computer networks of said one computer network, in correspondence to a level information for each computer indicating a number of packet processing devices to be passed in reaching to each computer;
  
  checking means for checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted;
  
  obtaining means for obtaining the level information for a source computer of the packet from a source address in the packet, according to the address information and the level information stored in the memory, when the encryption information indicates that the packet is non-encryption and the signature information is absent as a result of checking by the checking means; and
  
  encryption means for encrypting a data portion of the packet when an encryption level information in the packet coincides with the level information for the source computer of the packet obtained by the obtaining means, while changing the encryption information in the packet to indicate that the packet is encryption, and attaching the signature information of the packet processing device to the packet.

19. A packet processing device for encrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
- a memory for storing an address information for computers which are directly managed by the packet processing device;
  
  judging means for judging whether a destination computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a destination address in the packet with the address information stored in the memory; and
  
  decryption means for decrypting a data portion of the packet when the destination computer of the packet is judged as one of the computers which are directly managed by the packer processing device by the judging means.

20. A packet processing device for decrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
- a memory for storing an address information for computers which are connected to lower level computer networks of said one computer network, in correspondence to a level information for each computer indicating a number of packet processing devices be passed in reaching to each computer;
  
  checking means for checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted;
  
  obtaining means for obtaining the level information for a destination computer of the packet from a destination address in the packet, according to the address information and the level information stored in the memory, when the encryption information indicates that the packet is encrypted and the signature information is present as a result of checking by the checking means; and
  
  decryption means for decrypting a data portion of the packet when a decryption level information in the packet coincides with the level information for the destination computer of the packet obtained by the obtaining means.

21. An article of manufacture, comprising:
- a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a packet processing device for encrypting a packet, the packet processing device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the computer readable program code means including;
  
  first computer readable program code means for causing said computer to store an address information for computers which are directly managed by the packet processing device;
  
  second computer readable program code means for causing said computer to judge whether a source computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a source address in the packet with the address information stored by the first computer readable program code means; and
  
  third computer readable program code means for causing said computer to encrypt a data portion of the packet when the source computer of the packet is judged as one of the computers which are directly managed by the packet processing device by the second computer readable program code means.

22. An article of manufacture, comprising:
- a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a packet processing device for decrypting a packet, the packet processing device being provided at a boundary between one computer network and an external of said one computer network in a network system formed, by a plurality of computer networks, the computer readable program code means including;
  
  first computer readable program code means for causing said computer to store an address information for computers which are directly managed by the packet processing device;
  
  second computer readable program code means for causing said computer to judge whether a destination computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a destination address in the packet with the address information stored by the first computer readable program code means; and
  
  third computer readable program code means for causing said computer to decrypt a data portion of the packet when the destination computer of the packet is judged as one of the computers which are directly managed by the packet processing device by the second computer readable program code means.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Original Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Inventors
Okamoto, Toshio, Inque, Atsushi, Ishiyama, Masahiro, Shimbo, Atsushi
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/537,517
Time in Patent Office

314 Days
Field of Search

713/160, 713/161, 713/162, 713/166, 713/168, 713/179, 713/182, 380/28, 380/37
US Class Current

713/160
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/12   Applying verification of th...

H04L 63/164   at the network layer

Packet authentication and packet encryption/decryption scheme for security gateway

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Packet authentication and packet encryption/decryption scheme for security gateway

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links