Packet authentication and packet encryption/decryption scheme for security gateway
Abstract
A packet authentication and packet encryption/decryption scheme for a security gateway suitable for a hierarchically organized network system and a mobile computing environment. For the packet authentication, in addition to the end-to-end authentication at the destination side packet processing device, the link-by-link authentication at each intermediate packet processing device in the packet transfer route is used. For the packet encryption/decryption, each packet processing device determines whether or not to encrypt/decrypt the packet according to: information on the computers which are directly managed by this packet processing device; or the encryption information and the signature information provided in the packet; or the encryption information, the signature information, and the encryption/decryption level information provided in the packet.
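The two authentication layers the abstract combines, as an added example that is not code from the patent: every intermediate gateway verifies and replaces a per-link authenticator, while only the destination-side gateway additionally checks the end-to-end authenticator set by the source-side gateway. It assumes HMAC-SHA256 as the authenticator (the patent does not fix one), a pre-shared key per adjacent gateway pair and per source/destination gateway pair, and the route A -> B -> C; the gateway names, keys and the `deliver` driver are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    data: bytes
    e2e_tag: bytes = b""  # set once by the source-side gateway, checked only by the destination-side one
    hop_tag: bytes = b""  # verified and replaced by every gateway on the route


class AuthError(Exception):
    pass


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields (assumed authenticator; any MAC would do)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


class Gateway:
    def __init__(self, name, link_keys, e2e_keys):
        self.name = name
        self.link_keys = link_keys  # neighbour gateway -> key shared over that link (assumed provisioned)
        self.e2e_keys = e2e_keys    # remote gateway -> key shared end to end (assumed provisioned)

    @staticmethod
    def fields(pkt):
        return (pkt.src.encode(), pkt.dst.encode(), pkt.data)

    def _verify_link(self, pkt, prev_hop):
        expected = mac(self.link_keys[prev_hop], *self.fields(pkt), pkt.e2e_tag)
        if not hmac.compare_digest(expected, pkt.hop_tag):
            raise AuthError(f"{self.name}: link authentication from {prev_hop} failed")

    def _tag_link(self, pkt, next_hop):
        pkt.hop_tag = mac(self.link_keys[next_hop], *self.fields(pkt), pkt.e2e_tag)

    def originate(self, pkt, dst_gw, next_hop):
        """Source-side device: end-to-end tag first, then the tag for the first link."""
        pkt.e2e_tag = mac(self.e2e_keys[dst_gw], *self.fields(pkt))
        self._tag_link(pkt, next_hop)
        return pkt

    def relay(self, pkt, prev_hop, next_hop):
        """Intermediate device: link-by-link check only, then re-tag for the next link."""
        self._verify_link(pkt, prev_hop)
        self._tag_link(pkt, next_hop)
        return pkt

    def terminate(self, pkt, prev_hop, src_gw):
        """Destination-side device: last link check plus the end-to-end check."""
        self._verify_link(pkt, prev_hop)
        if not hmac.compare_digest(mac(self.e2e_keys[src_gw], *self.fields(pkt)), pkt.e2e_tag):
            raise AuthError(f"{self.name}: end-to-end authentication from {src_gw} failed")
        return pkt


def build_chain():
    """Constructed route A -> B -> C with demo-only keys."""
    k_ab, k_bc, k_ac = b"link-A-B" * 4, b"link-B-C" * 4, b"e2e--A-C" * 4
    return (Gateway("A", {"B": k_ab}, {"C": k_ac}),
            Gateway("B", {"A": k_ab, "C": k_bc}, {}),
            Gateway("C", {"B": k_bc}, {"A": k_ac}))


def deliver(data: bytes, wire_tamper=False, rogue_relay=False):
    """Send data from A via B to C; returns the name of the device that rejected
    the packet, or None when it was accepted end to end."""
    a, b, c = build_chain()
    pkt = a.originate(Packet("h1", "h2", data), dst_gw="C", next_hop="B")
    try:
        if wire_tamper:  # attacker on the A-B link flips a bit and holds no key
            pkt.data = bytes([pkt.data[0] ^ 0x01]) + pkt.data[1:]
        pkt = b.relay(pkt, prev_hop="A", next_hop="C")
        if rogue_relay:  # B itself is compromised: alters the data, re-tags the B-C link correctly
            pkt.data = b"forged"
            b._tag_link(pkt, "C")
        c.terminate(pkt, prev_hop="B", src_gw="A")
    except AuthError as err:
        return str(err).split(":")[0]
    return None
```

The two layers fail differently, which is the point of using both: modification on the wire is rejected at the very next device because the link tag no longer verifies, so the packet never travels further; a compromised intermediate device can re-tag the link honestly and pass the next link check, but the destination-side device still rejects it because the end-to-end tag was computed under a key the relay does not hold.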
22 Claims
1. A method for encrypting a packet at a packet processing device provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:
storing an address information for computers which are directly managed by the packet processing device;
judging whether a source computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a source address in the packet with the address information stored at the storing step; and
encrypting a data portion of the packet at the packet processing device when the source computer of the packet is judged as one of the computers which are directly managed by the packet processing device at the judging step.
3. A method for encrypting a packet at a packet processing device provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:
checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted; and
encrypting a data portion of the packet at the packet processing device when the encryption information indicates that the packet is non-encrypted and the signature information is absent as a result of the checking step, while changing the encryption information in the packet to indicate that the packet is encrypted, and attaching the signature information of the packet processing device to the packet.
carrying out an error processing at the packet processing device when the encryption information indicates that the packet is encrypted and the signature information is absent, or the encryption information indicates that the packet is non-encrypted and the signature information is present, as a result of the checking step.
5. The method of claim 3, wherein a source computer of the packet is a mobile computer capable of carrying out communications by moving among the computer networks in the network system, and the packet processing device is implemented in the mobile computer, so that the data portion of the packet is encrypted by the packet processing device in the mobile computer at the encrypting step.
6. A method for encrypting a packet at a packet processing device provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:
storing an address information for computers which are connected to lower level computer networks of said one computer network, in correspondence to a level information for each computer indicating a number of packet processing devices to be passed in reaching to each computer;
checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted;
obtaining the level information for a source computer of the packet from a source address in the packet, according to the address information and the level information stored at the storing step, when the encryption information indicates that the packet is non-encrypted and the signature information is absent as a result of the checking step; and
encrypting a data portion of the packet at the packet processing device when an encryption level information in the packet coincides with the level information for the source computer of the packet obtained at the obtaining step, while changing the encryption information in the packet to indicate that the packet is encrypted, and attaching the signature information of the packet processing device to the packet.
carrying out an error processing at the packet processing device when a contradiction is found in the encryption information and the signature information checked at the checking step and the encryption level information in the packet.
8. The method of claim 6, wherein the encryption level information in the packet indicates a desired packet processing device for encrypting the packet which is specified at the source computer of the packet in advance.
9. The method of claim 6, wherein the source computer is a mobile computer capable of carrying out communications by moving among the computer networks in the network system, and the packet processing device is implemented in the mobile computer, so that the data portion of the packet is encrypted by the packet processing device in the mobile computer at the encrypting step.
10. A method for decrypting a packet at a packet processing device provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:
storing an address information for computers which are directly managed by the packet processing device;
judging whether a destination computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a destination address in the packet with the address information stored at the storing step; and
decrypting a data portion of the packet at the packet processing device when the destination computer of the packet is judged as one of the computers which are directly managed by the packet processing device at the judging step.
12. A method for decrypting a packet at a packet processing device provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the method comprising the steps of:
storing an address information for computers which are connected to lower level computer networks of said one computer network, in correspondence to a level information for each computer indicating a number of packet processing devices to be passed in reaching to each computer;
checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted;
obtaining the level information for a destination computer of the packet from a destination address in the packet, according to the address information and the level information stored at the storing step, when the encryption information indicates that the packet is encrypted and the signature information is present as a result of the checking step; and
decrypting a data portion of the packet at the packet processing device when a decryption level information in the packet coincides with the level information for the destination computer of the packet obtained at the obtaining step.
16. A packet processing device for encrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
a memory for storing an address information for computers which are directly managed by the packet processing device;
judging means for judging whether a source computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a source address in the packet with the address information stored in the memory; and
encryption means for encrypting a data portion of the packet when the source computer of the packet is judged as one of the computers which are directly managed by the packet processing device by the judging means.
17. A packet processing device for encrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
checking means for checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted; and
encryption means for encrypting a data portion of the packet when the encryption information indicates that the packet is non-encrypted and the signature information is absent as a result of checking by the checking means, while changing the encryption information in the packet to indicate that the packet is encrypted, and attaching the signature information of the packet processing device to the packet.
18. A packet processing device for encrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
a memory for storing an address information for computers which are connected to lower level computer networks of said one computer network, in correspondence to a level information for each computer indicating a number of packet processing devices to be passed in reaching to each computer;
checking means for checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted;
obtaining means for obtaining the level information for a source computer of the packet from a source address in the packet, according to the address information and the level information stored in the memory, when the encryption information indicates that the packet is non-encrypted and the signature information is absent as a result of checking by the checking means; and
encryption means for encrypting a data portion of the packet when an encryption level information in the packet coincides with the level information for the source computer of the packet obtained by the obtaining means, while changing the encryption information in the packet to indicate that the packet is encrypted, and attaching the signature information of the packet processing device to the packet.
19. A packet processing device for encrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
a memory for storing an address information for computers which are directly managed by the packet processing device;
judging means for judging whether a destination computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a destination address in the packet with the address information stored in the memory; and
decryption means for decrypting a data portion of the packet when the destination computer of the packet is judged as one of the computers which are directly managed by the packet processing device by the judging means.
20. A packet processing device for decrypting a packet, the device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, and the device comprising:
a memory for storing an address information for computers which are connected to lower level computer networks of said one computer network, in correspondence to a level information for each computer indicating a number of packet processing devices to be passed in reaching to each computer;
checking means for checking an encryption information and a presence/absence of a signature information in a packet passing through the packet processing device, the encryption information indicating whether the packet is encrypted or non-encrypted;
obtaining means for obtaining the level information for a destination computer of the packet from a destination address in the packet, according to the address information and the level information stored in the memory, when the encryption information indicates that the packet is encrypted and the signature information is present as a result of checking by the checking means; and
decryption means for decrypting a data portion of the packet when a decryption level information in the packet coincides with the level information for the destination computer of the packet obtained by the obtaining means.
21. An article of manufacture, comprising:
a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a packet processing device for encrypting a packet, the packet processing device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the computer readable program code means including:
first computer readable program code means for causing said computer to store an address information for computers which are directly managed by the packet processing device;
second computer readable program code means for causing said computer to judge whether a source computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a source address in the packet with the address information stored by the first computer readable program code means; and
third computer readable program code means for causing said computer to encrypt a data portion of the packet when the source computer of the packet is judged as one of the computers which are directly managed by the packet processing device by the second computer readable program code means.
22. An article of manufacture, comprising:
a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a packet processing device for decrypting a packet, the packet processing device being provided at a boundary between one computer network and an external of said one computer network in a network system formed by a plurality of computer networks, the computer readable program code means including:
first computer readable program code means for causing said computer to store an address information for computers which are directly managed by the packet processing device;
second computer readable program code means for causing said computer to judge whether a destination computer of a packet passing through the packet processing device is one of the computers which are directly managed by the packet processing device, by comparing a destination address in the packet with the address information stored by the first computer readable program code means; and
third computer readable program code means for causing said computer to decrypt a data portion of the packet when the destination computer of the packet is judged as one of the computers which are directly managed by the packet processing device by the second computer readable program code means.
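The three encrypt/decrypt decision rules that the claims above state in method, device and article-of-manufacture form, as one added example that is not the patent's code: deciding by whether the device directly manages the source or destination host (claims 1, 10, 16, 19, 21, 22), deciding by the encryption flag and the presence of a signature with error processing on a contradiction (claims 3, 4, 17), and deciding by whether the level carried in the packet equals the stored level of the host (claims 6, 7, 12, 18, 20). It assumes HMAC-SHA256 as the "signature information", a keyed XOR stream as a stand-in cipher (not secure; chosen only so the flag and signature changes stay visible), and that each gateway encrypts under its own key which every decrypting peer holds; the topology in `build_topology` (host H behind G1 behind G2 on the sending side, host D behind G3 behind G4 on the receiving side), the keys and the field names are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    data: bytes
    encrypted: bool = False          # "encryption information"
    signer: Optional[str] = None     # "signature information": the device that sealed the packet
    sig: Optional[bytes] = None
    enc_level: Optional[int] = None  # encryption level chosen by the source (claims 6, 8)
    dec_level: Optional[int] = None  # decryption level for the destination side (claim 12)


class PolicyError(Exception):
    """Raised where the claims call for error processing."""


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Keyed XOR stream: symmetric and NOT secure, a stand-in (assumption) for a real cipher."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


class Gateway:
    def __init__(self, name, key, managed=(), levels=None, peer_keys=None):
        self.name, self.key = name, key
        self.managed = set(managed)             # hosts directly managed by this device (claims 1, 10)
        self.levels = dict(levels or {})        # host -> devices to pass to reach it (claims 6, 12)
        self.peer_keys = dict(peer_keys or {})  # signer -> that device's key (assumed pre-provisioned)

    @staticmethod
    def check(pkt):
        """Claims 4 and 7: flag and signature must agree, otherwise error processing."""
        if pkt.encrypted != (pkt.sig is not None):
            raise PolicyError(f"encrypted={pkt.encrypted} but signature present={pkt.sig is not None}")

    def seal(self, pkt):
        # encrypt the data portion, set the flag, attach this device's signature
        pkt.data = toy_cipher(self.key, pkt.data)
        pkt.encrypted, pkt.signer = True, self.name
        pkt.sig = hmac.new(self.key, pkt.data, hashlib.sha256).digest()

    def open(self, pkt):
        # verify the sealing device's signature before decrypting, then clear flag and signature
        key = self.peer_keys[pkt.signer]
        if not hmac.compare_digest(hmac.new(key, pkt.data, hashlib.sha256).digest(), pkt.sig):
            raise PolicyError(f"{self.name}: signature of {pkt.signer} does not verify")
        pkt.data = toy_cipher(key, pkt.data)
        pkt.encrypted, pkt.signer, pkt.sig = False, None, None

    # claims 1 / 10: decide by whether this device directly manages the source / destination
    def outbound_managed(self, pkt):
        if not pkt.encrypted and pkt.src in self.managed:
            self.seal(pkt)
        return pkt

    def inbound_managed(self, pkt):
        if pkt.encrypted and pkt.dst in self.managed:
            self.open(pkt)
        return pkt

    # claims 3 / 4: decide by the flag and the presence of a signature alone
    def outbound_flagged(self, pkt):
        self.check(pkt)
        if not pkt.encrypted:
            self.seal(pkt)
        return pkt

    # claims 6, 7 / 12: act only when the packet's level equals the stored level for the host
    def outbound_level(self, pkt):
        self.check(pkt)
        level = self.levels.get(pkt.src)
        if not pkt.encrypted and level is not None and level == pkt.enc_level:
            self.seal(pkt)
        return pkt

    def inbound_level(self, pkt):
        self.check(pkt)
        level = self.levels.get(pkt.dst)
        if pkt.encrypted and level is not None and level == pkt.dec_level:
            self.open(pkt)
        return pkt


def build_topology():
    """Constructed: H behind G1 behind G2 (sending side), D behind G3 behind G4 (receiving side);
    keys are demo-only and every decrypting device holds all sealing keys."""
    keys = {n: n.encode() * 8 for n in ("G1", "G2", "G3", "G4")}
    g1 = Gateway("G1", keys["G1"], managed={"H"}, levels={"H": 1})
    g2 = Gateway("G2", keys["G2"], levels={"H": 2})
    g4 = Gateway("G4", keys["G4"], levels={"D": 2}, peer_keys=keys)
    g3 = Gateway("G3", keys["G3"], managed={"D"}, levels={"D": 1}, peer_keys=keys)
    return g1, g2, g4, g3
```

To follow a packet along the route, pass it through `g1.outbound_level`, `g2.outbound_level`, `g4.inbound_level` and `g3.inbound_level` in turn. With `enc_level=2` the source has chosen the outer gateway: G1 sees level 1 for H and passes the packet through unencrypted, G2 sees level 2 and seals it; with `dec_level=1` the inner gateway G3 on the receiving side is the one whose stored level for D matches, so G4 forwards the encrypted packet unchanged. Two checks matter in practice and are what the tests exercise: the level comparison must treat an unknown host as "not mine" rather than as a match, and decryption must verify the signature before touching the ciphertext so that a modified packet is rejected instead of being decrypted into garbage and forwarded to the host.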