Packet processing device and mobile computer with reduced packet processing overhead
Abstract
A packet processing and packet transfer scheme capable of reducing the packet processing overhead by eliminating a need to decrypt and re-encrypt the entire packet at a time of relaying encrypted packets. In a packet processing device for relaying encrypted packets, a packet transferred to the packet processing device is received, where the packet has a packet processing key to be used in a prescribed packet processing with respect to a data portion of the packet, and the packet processing key is encrypted by using a first master key shared between a last device that applied a cipher communication related processing to the packet and the packet processing device. Then, the packet processing key in the received packet is decrypted, without carrying out the prescribed packet processing with respect to the data portion of the packet, and the decrypted packet processing key is re-encrypted by using a second master key shared between a next device to apply the cipher communication related processing to the packet and the packet processing device. Then, the packet with the re-encrypted packet processing key encoded therein is transmitted toward a destination of the received packet.
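A minimal Python model of the relay scheme the abstract describes, added here as an illustration and not code from the patent: the correspondent computer protects the data portion under an encryption key and an authentication key derived from one packet processing key (as in claim 6), the packet processing device only unwraps that key with the master key shared with the previous hop and rewraps it with the master key shared with the next hop, and the mobile computer unwraps the key and opens the data portion. The cipher is an HMAC-SHA256 counter-mode keystream standing in for the cipher the patent does not specify; all key values, sizes and function names are constructed for this example.

```python
import hmac, hashlib, os, struct

WRAP_LEN = 16 + 32 + 16  # nonce + wrapped 32-byte packet key + 16-byte tag

def keystream(key, nonce, length):
    # HMAC-SHA256 counter mode: PRF stand-in for the unspecified cipher (assumption).
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

def derive_keys(packet_key):
    # Claim 6: one packet processing key yields an encryption key and an authentication key.
    enc = hmac.new(packet_key, b"packet-encryption", hashlib.sha256).digest()
    auth = hmac.new(packet_key, b"packet-authentication", hashlib.sha256).digest()
    return enc, auth

def wrap_key(master_key, packet_key):
    # Encrypt-then-MAC the packet key under the master key shared with one neighbour.
    nonce = os.urandom(16)
    ct = xor(packet_key, keystream(master_key, nonce, len(packet_key)))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unwrap_key(master_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expect = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped packet key failed authentication")
    return xor(ct, keystream(master_key, nonce, len(ct)))

def build_packet(master_to_relay, packet_key, plaintext):
    # Correspondent computer: protect the data portion with keys derived from
    # packet_key, then prepend packet_key wrapped for the packet processing device.
    enc, auth = derive_keys(packet_key)
    nonce = os.urandom(16)
    body = nonce + xor(plaintext, keystream(enc, nonce, len(plaintext)))
    mac = hmac.new(auth, body, hashlib.sha256).digest()[:16]
    return wrap_key(master_to_relay, packet_key) + body + mac

def relay(master_in, master_out, packet):
    # Packet processing device: unwrap the key with the previous hop's master key,
    # rewrap it with the next hop's, and forward the data portion untouched.
    wrapped, data = packet[:WRAP_LEN], packet[WRAP_LEN:]
    return wrap_key(master_out, unwrap_key(master_in, wrapped)) + data

def open_packet(master_from_relay, packet):
    # Mobile computer: recover packet_key, verify the MAC, then decrypt the data portion.
    enc, auth = derive_keys(unwrap_key(master_from_relay, packet[:WRAP_LEN]))
    body, mac = packet[WRAP_LEN:-16], packet[-16:]
    if not hmac.compare_digest(mac, hmac.new(auth, body, hashlib.sha256).digest()[:16]):
        raise ValueError("data portion failed authentication")
    return xor(body[16:], keystream(enc, body[:16], len(body) - 16))
```

The relay never derives the data-portion keys, so the bytes after the wrapped-key header leave it exactly as they arrived, which is the overhead saving the abstract claims.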
25 Claims
1. A packet processing device for relaying encrypted packets and functioning to transfer a packet received from one computer located outside a first network managed by said packet processing device to another computer having a home position within the first network and being currently moved outside the first network, said packet processing device comprising:
a receiving unit for receiving a packet transferred to said packet processing device, the packet having a packet processing key to be used in a prescribed packet processing with respect to a data portion of the packet, the packet processing key being encrypted by using a first master key shared between a last device that applied a cipher communication related processing to the packet and said packet processing device and encoded within the packet;
a decryption unit for decrypting the packet processing key encoded within the packet received by the receiving unit, without carrying out the prescribed packet processing with respect to the data portion of the packet;
an encryption unit for re-encrypting the packet processing key decrypted by the decryption unit, by using a second master key shared between a next device to apply the cipher communication related processing to the packet and said packet processing device, and encoding the packet processing key in a re-encrypted form within the packet;
a transmission unit for transmitting the packet with the packet processing key encoded therein by the encryption unit, toward a destination of the packet;
a communication unit for communicating with a mobile computer management device and transferring a packet destined to a mobile computer currently being moved outside the first network to a current location of the mobile computer, the mobile computer management device having functions for managing information on the current location of the mobile computer having a home position within the first network; and
a memory unit for storing said information managed by the mobile computer management device;
wherein the receiving unit receives the packet transferred from a correspondent computer of the mobile computer, and the transmission unit transmits the packet with the packet processing key encoded therein by the encryption unit, toward the mobile computer, according to said information stored in the memory unit.
a recognition unit for recognizing whether the mobile computer is located outside the own network or not and whether the correspondent computer is located outside the own network or not;
wherein the decryption unit, the encryption unit, and the transmission unit are operated when both of the mobile computer and the correspondent computer are recognized as located outside the own network by the recognition unit.
4. The packet processing device of claim 3, wherein when only one of the mobile computer and the correspondent computer is recognized as located outside the own network by the recognition unit, the packet as a whole is decrypted by the decryption unit and transmitted by the transmission unit toward the mobile computer in a case where the packet enters from outside the own network into inside the own network, and the packet as a whole is encrypted by the encryption unit and transmitted by the transmission unit toward the mobile computer in a case where the packet goes out from inside the own network to outside the own network.
5. The packet processing device of claim 3, wherein the recognition unit recognizes that both of the mobile computer and the correspondent computer are located outside the own network by referring to a database of an information indicating computers which are processing targets of said packet processing device.
6. The packet processing device of claim 1, wherein the packet processing key is to be used in the prescribed packet processing for generating a packet encryption key to be used in encrypting/decrypting the data portion of the packet and a packet authentication key to be used in generating an authentication code of the packet.
7. The packet processing device of claim 1, further comprising:
a judging unit for judging an outermost packet format of a received packet; and
a packet processing unit for executing a decapsulation processing and a decryption processing with respect to the received packet in an order determined according to the outermost packet format judged by the judging unit.
8. The packet processing device of claim 7, wherein the packet processing unit executes the decapsulation processing first and the decryption processing next when the judging unit judges that the outermost packet format is an encapsulation format, or the decryption processing first and the decapsulation processing next when the judging unit judges that the outermost packet format is an encryption format.
9. The packet processing device of claim 7, wherein the judging unit judges the outermost packet format according to an identification information indicating a packet format which is described within a packet header of the received packet.
10. The packet processing device of claim 1, further comprising:
a judging unit for judging an outermost packet format of a received encapsulated and encrypted packet; and
a packet processing unit for executing a decapsulation processing on the received encapsulated and encrypted packet and transferring a resulting encrypted packet to said another computer when the judging unit judges that the outermost packet format is an encapsulation format, or transferring the received encapsulated and encrypted packet to said another computer when the judging unit judges that the outermost packet format is an encryption format.
11. The packet processing device of claim 10, wherein the judging unit judges the outermost packet format according to an identification information indicating a packet format which is described within a packet header of the received packet.
12. A packet transfer method for relaying encrypted packets at a packet processing device to transfer a packet received from one computer located outside a first network managed by said packet processing device to another computer having a home position within the first network and currently being moved outside the first network, the method comprising the steps of:
receiving a packet transferred to said packet processing device, the packet having a packet processing key to be used in a prescribed packet processing with respect to a data portion of the packet, the packet processing key being encrypted by using a first master key shared between a last device that applied a cipher communication related processing to the packet and said packet processing device and encoded within the packet;
decrypting the packet processing key encoded within the packet received by the receiving step, without carrying out the prescribed packet processing with respect to the data portion of the packet;
re-encrypting the packet processing key decrypted by the decrypting step, by using a second master key shared between the next device to apply the cipher communication related processing to the packet and said packet processing device, and encoding the packet processing key in a re-encrypted form within the packet;
transmitting the packet with the packet processing key encoded therein by the re-encrypting step, toward a destination of the packet;
communicating with a mobile computer management device and transferring a packet destined to a mobile computer that is currently moved outside the first network to a current location of the mobile computer, the mobile computer management device having functions for managing information on the current location of the mobile computer that has a home position within the first network; and
storing said information managed by the mobile computer management device in a memory of said packet processing device;
wherein the receiving step receives the packet transferred from a correspondent computer of the mobile computer, and the transmitting step transmits the packet with the packet processing key encoded therein by the re-encrypting step, toward the mobile computer, according to said information stored in the memory of said packet processing device.
recognizing whether the mobile computer is located outside the own network or not and whether the correspondent computer is located outside the own network or not;
wherein the decrypting step, the re-encrypting step, and the transmitting step are executed when both of the mobile computer and the correspondent computer are recognized as located outside the own network by the recognizing step.
15. The packet transfer method of claim 14, wherein when only one of the mobile computer and the correspondent computer is recognized as located outside the own network by the recognizing step, the packet as a whole is decrypted and transmitted toward the mobile computer in a case where the packet enters from outside the own network into inside the own network, and the packet as a whole is encrypted and transmitted toward the mobile computer in a case where the packet goes out from inside the own network to outside the own network.
16. The packet transfer method of claim 14, wherein the recognizing step recognizes that both of the mobile computer and the correspondent computer are located outside the own network by referring to a database of an information indicating computers which are processing targets of said packet processing device.
17. The packet transfer method of claim 12, wherein the packet processing key is to be used in the prescribed packet processing for generating a packet encryption key to be used in encrypting/decrypting the data portion of the packet and a packet authentication key to be used in generating an authentication code of the packet.
18. The packet transfer method of claim 12, further comprising the steps of:
judging an outermost packet format of the received packet; and
executing a decapsulation processing and a decryption processing with respect to the received packet in an order determined according to the outermost packet format judged by the judging step.
19. The packet processing method of claim 18, wherein the executing step executes the decapsulation processing first and the decryption processing next when the judging step judges that the outermost packet format is an encapsulation format, or the decryption processing first and the decapsulation processing next when the judging step judges that the outermost packet format is an encryption format.
20. The packet processing method of claim 18, wherein the judging step judges the outermost packet format according to an identification information indicating a packet format which is described within a packet header of the received packet.
21. The packet transfer method of claim 12, further comprising the steps of:
judging an outermost packet format of a received encapsulated and encrypted packet; and
executing a decapsulation processing on the received encapsulated and encrypted packet and transferring a resulting encrypted packet to said another computer when the judging step judges that the outermost packet format is an encapsulation format, or transferring the received encapsulated and encrypted packet to said another computer when the judging step judges that the outermost packet format is an encryption format.
22. The packet transfer method of claim 21, wherein the judging step judges the outermost packet format according to an identification information indicating a packet format which is described within a packet header of the received packet.
23. A computer usable medium having computer readable program code embodied therein for causing a computer to function as a packet processing device for relaying encrypted packets and functioning to transfer a packet received from one computer located outside a first network managed by said packet processing device to another computer having a home position within the first network and currently being moved outside the first network, the computer readable program code including:
a first computer readable program code for causing said computer to receive a packet transferred to said packet processing device, the packet having a packet processing key to be used in a prescribed packet processing with respect to a data portion of the packet, the packet processing key being encrypted by using a first master key shared between a last device that applied a cipher communication related processing to the packet and said packet processing device and encoded within the packet;
a second computer readable program code for causing said computer to decrypt the packet processing key encoded within the packet received by the first computer readable program code, without carrying out the prescribed packet processing with respect to the data portion of the packet;
a third computer readable program code for causing said computer to re-encrypt the packet processing key decrypted by the second computer readable program code, by using a second master key shared between a next device to apply the cipher communication related processing to the packet and said packet processing device, and encoding the packet processing key in a re-encrypted form within the packet;
a fourth computer readable program code for causing said computer to transmit the packet with the packet processing key encoded therein by the third computer readable program code, toward a destination of the packet;
a fifth computer readable program code for causing said computer to communicate with a mobile computer management device and transfer a packet destined to a mobile computer currently being moved outside the first network to a current location of the mobile computer, the mobile computer management device having functions for managing information on the current location of the mobile computer which has a home position within the first network; and
a sixth computer readable program code for causing said computer to store said information managed by the mobile computer management device;
wherein the first computer readable program code receives the packet transferred from a correspondent computer of the mobile computer, and the fourth computer readable program code transmits the packet with the packet processing key encoded therein by the third computer readable program code, toward the mobile computer, according to said information stored by the sixth computer readable program code.
a fifth computer readable program code for causing said computer to judge an outermost packet format of a received packet; and
a sixth computer readable program code for causing said computer to execute a decapsulation processing and a decryption processing with respect to the received packet in an order determined according to the outermost packet format judged by the fifth computer readable program code.
25. The computer usable medium of claim 23, wherein the computer readable program code further includes:
a fifth computer readable program code for causing said computer to judge an outermost packet format of a received encapsulated and encrypted packet; and
a sixth computer readable program code for causing said computer to execute a decapsulation processing on the received encapsulated and encrypted packet and transfer a resulting encrypted packet to said another computer when the fifth computer readable program code judges that the outermost packet format is an encapsulation format, or transfer the received encapsulated and encrypted packet to said another computer when the fifth computer readable program code judges that the outermost packet format is an encryption format.