Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network
First Claim
1. A communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit (186) and a transmission and encryption section comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134),
said communication controller further comprising a receiving and decrypting section comprising:
(g) a network receiving controller (140) providing a connection to said network and receiving a received data communication package from said network,
(h) a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package,
(i) a data decompression unit (172) providing decompression of said second section of said received data communication package,
(j) a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit (164),
(k) an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172),
(l) a data write unit (180) connected to said system bus of said host system, supplying said system bus with said received data communication package, and
(m) a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data communication package directly hereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180).
Abstract
A technique for performing compression, encryption and transmission, and reception, decryption and decompression, respectively, of data communication packages on an area network.
138 Citations
75 Claims
5. A communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit (186) and a transmission and encryption section comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134),
said communication controller further comprising a receiving and decrypting section comprising:
(g) a network receiving controller (140) providing a connection to said network and receiving a received data communication package from said network,
(h) a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package,
(i) a data decompression unit (172) providing decompression of said second section of said received data communication package,
(j) a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit (164),
(k) an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172),
(l) a data write unit (180) connected to said system bus of said host system, supplying said system bus with said received data communication package, and
(m) a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data communication package directly hereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180),
and said data read transmission control (102) being adapted to monitor the compression and encryption of said part of said input data for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package.
20. A transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit (186), and comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134).
21. The transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134).
23. A transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit (186), and comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network,
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134),
and said data read transmission control (102) being adapted to monitor the compression and encryption of said part of said input data for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package.
33. A network controller of a communication controller comprising means for producing a data communication package comprising a non-encrypted first section including a clear header, and an encrypted second section including a protected header, a data section, a fragment ID, flags, padding and an ICV.
35. A data communication package comprising a data section including compressed data and uncompressed data.
40. A communication controller chip for performing data encryption and data decryption of a multiplicity of data communication packages to be transferred in a network such as LAN (local area network) or WAN (wide area network) and including a plurality of processing units, each of said multiplicity of data communication packages containing a first section of non-encrypted data and a second section containing encrypted data and each of said multiplicity of data communication packages having an associated processing descriptor defining source, destination, process configuration of said plurality of processing units and processing of said data communication package, and said communication controller chip comprising:
(a) a bridge unit (86) connecting said communication controller through a bus (85) to a central processing unit (CPU) or a host,
(b) a random access memory RAM (82) for keys, processing descriptors and for temporary storage of data,
(c) a data transmission control unit (88) for providing access for said CPU to information regarding general configuration of said communication controller,
(d) an in-queue unit (90a) comprising a plurality of queues for pointers referencing processing descriptors for data communication packages in said RAM (82) to be processed by said plurality of processing units,
(e) an out-queue unit (90b) comprising a go-queue of pointers referencing processing descriptors for data communication packages in RAM (82) to be processed by a plurality of processing units, which process is monitored and analysed by said CPU or host system so as to establish if further processing is required, and said out-queue unit (90b) comprising a complete-queue of pointers referencing processing descriptors for data communication packages in said RAM (82) having completed processing in accordance with requirements of said CPU or host system,
(f) a decompression processing unit (92a) included in said plurality of processing units providing decompression of compressed data of said second section of said data communication packages thereby producing decompressed data in said RAM (82) or memory of said host in accordance with processing descriptors associated with said data communication packages,
(g) a compression processing unit (92b) providing compression of said second section of said outgoing data communication packages thereby producing compressed data in said RAM (82) or memory of said host in accordance with processing descriptors associated with said data communication packages,
(h) a decryption processing unit (94a) providing a decryption of said second section of a data communication package according to a reception decryption key provided in a decryption key space of said RAM (82), said decryption key space being referenced by a key pointer included in said processing descriptors, and said decryption processing unit (94a) providing generation of said second section of said data communication package,
(i) an encryption processing unit (94b) providing an encryption of said second section of a data communication package according to a transmission encryption key provided in an encryption key space of said RAM (82), said encryption key space being referenced by said key pointer of said processing descriptors, and said encryption processing unit (94b) providing generation of said second section of said outgoing data communication package,
(j) a bus designated as first in first out (FIFO) bus (80) enabling communication between said bridge unit (86), said RAM (82), said data transmission control unit (88), said in-queue unit (90a), said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b) and said decryption processing unit (94a), and
(k) a management bus (84) providing signaling and configuration between said data transmission control unit (88), said in-queue unit (90a), said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b) and said decryption processing unit (94a), said communication controller allowing for parallel processing of said multiplicity of said data communication packages to be performed in any arbitrary order in accordance with said processing descriptors in RAM (82),
(l) a first authentication processing unit (96a) providing calculation of an integrity check value (ICV) to be included in an outgoing data communication package, said calculation utilising an ICV key provided in an ICV key space of said RAM (82), said ICV key space being referenced by said processing descriptors,
(m) a second authentication processing unit (96b) providing verification of an ICV to be extracted from an incoming data communication package, said calculation utilising an ICV key provided in said ICV key space of said RAM (82), said ICV key space being referenced by said processing descriptors,
(n) a receiving media access control unit (98a) (RX-MAC) constituting an address filter for said communication controller and providing a receiving gate for said network, said receiving media access control unit (98a) filtering all data communication packages on said network and communicating incoming data communication packages to an incoming data communication package space in said RAM (82), said receiving media access control unit (98a) simultaneously generating a processing descriptor for every incoming data communication package, said processing descriptor including a start address of the associated incoming data communication package in an incoming data communication package space in said RAM (82), said receiving media access control unit (98a) communicating said processing descriptor to said in-queue unit (90a), and said receiving media access control unit (98a) communicating an end address of said incoming data communication package space in said processing descriptor at completion of reception of said incoming data communication package, and
(o) a transmitting media access control unit (98b) (TX-MAC) providing a transmitting gate for said communication controller on said network and performing a transmission on said network of outgoing data communication packages identified by said processing descriptors in said RAM (82), said transmitting media access control unit (98b) performing evaluation of length of said outgoing data communication package and writing said length in said first section of said outgoing data communication package, and said transmitting media access control unit (98b) communicating said processing descriptors to said complete queue of said out-queue on completion of transmission of said data communication package.
42. The communication controller chip according to claim 41, wherein said first in first out (FIFO) bus (80) further enables communication between said bridge unit (86), said RAM (82), said data transmission control unit (88), said in-queue unit (90a), said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b), said decryption processing unit (94a), said first authentication processing unit (96a), said second authentication processing unit (96b), said receiving media access control unit (98a), and said transmitting media access control unit (98b).
43. The communication controller chip according to claim 41, wherein said communication controller chip further comprises an additional part similar to a communication controller chip for performing data encryption and data decryption of a multiplicity of data communication packages to be transferred in a network such as LAN (local area network) or WAN (wide area network) and including a plurality of processing units, each of said multiplicity of data communication packages containing a first section of non-encrypted data and a second section containing encrypted data and each of said multiplicity of data communication packages having an associated processing descriptor defining source, destination, process configuration of said plurality of processing units and processing of said data communication package, and said communication controller chip comprising:
(a) a bridge unit (86) connecting said communication controller through a bus (85) to a central processing unit (CPU) or a host,
(b) a random access memory RAM (82) for keys, processing descriptors and for temporary storage of data,
(c) a data transmission control unit (88) for providing access for said CPU to information regarding general configuration of said communication controller,
(d) an in-queue unit (90a) comprising a plurality of queues for pointers referencing processing descriptors for data communication packages in said RAM (82) to be processed by said plurality of processing units,
(e) an out-queue unit (90b) comprising a go-queue of pointers referencing processing descriptors for data communication packages in RAM (82) to be processed by a plurality of processing units, which process is monitored and analyzed by said CPU or host system so as to establish if further processing is required, and said out-queue unit (90b) comprising a complete-queue of pointers referencing processing descriptors for data communication packages in said RAM (82) having completed processing in accordance with requirements of said CPU or host system,
(f) a decompression processing unit (92a) included in said plurality of processing units providing decompression of compressed data of said second section of said data communication packages thereby producing decompressed data in said RAM (82) or memory of said host in accordance with processing descriptors associated with said data communication packages,
(g) a compression processing unit (92b) providing compression of said second section of said outgoing data communication packages thereby producing compressed data in said RAM (82) or memory of said host in accordance with processing descriptors associated with said data communication packages,
(h) a decryption processing unit (94a) providing a decryption of said second section of a data communication package according to a reception decryption key provided in a decryption key space of said RAM (82), said decryption key space being referenced by a key pointer included in said processing descriptors, and said decryption processing unit (94a) providing generation of said second section of said data communication package,
(i) an encryption processing unit (94b) providing an encryption of said second section of a data communication package according to a transmission encryption key provided in an encryption key space of said RAM (82), said encryption key space being referenced by said key pointer of said processing descriptors, and said encryption processing unit (94b) providing generation of said second section of said outgoing data communication package,
(j) a bus designated as first in first out (FIFO) bus (80) enabling communication between said bridge unit (86), said RAM (82), said data transmission control unit (88), said in-queue unit (90a), said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b) and said decryption processing unit (94a), and
(k) a management bus (84) providing signaling and configuration between said data transmission control unit (88), said in-queue unit (90a), said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b) and said decryption processing unit (94a), said communication controller allowing for parallel processing of said multiplicity of said data communication packages to be performed in any arbitrary order in accordance with said processing descriptors in RAM (82), said communication controller further comprising:
(l) a first authentication processing unit (96a) providing calculation of an integrity check value (ICV) to be included in an outgoing data communication package, said calculation utilizing an ICV key provided in an ICV key space of said RAM (82), said ICV key space being referenced by said processing descriptors,
(m) a second authentication processing unit (96b) providing verification of an ICV to be extracted from an incoming data communication package, said calculation utilizing an ICV key provided in said ICV key space of said RAM (82), said ICV key space being referenced by said processing descriptors,
(n) a receiving media access control unit (98a) (RX-MAC) constituting an address filter for said communication controller and providing a receiving gate for said network, said receiving media access control unit (98a) filtering all data communication packages on said network and communicating incoming data communication packages to an incoming data communication package space in said RAM (82), said receiving media access control unit (98a) simultaneously generating a processing descriptor for every incoming data communication package, said processing descriptor including a start address of the associated incoming data communication package in an incoming data communication package space in said RAM (82), said receiving media access control unit (98a) communicating said processing descriptor to said in-queue unit (90a), and said receiving media access control unit (98a) communicating an end address of said incoming data communication package space in said processing descriptor at completion of reception of said incoming data communication package, and
(o) a transmitting media access control unit (98b) (TX-MAC) providing a transmitting gate for said communication controller on said network and performing a transmission on said network of outgoing data communication packages identified by said processing descriptors in said RAM (82), said transmitting media access control unit (98b) performing evaluation of length of said outgoing data communication package and writing said length in said first section of said outgoing data communication package, and said transmitting media access control unit (98b) communicating said processing descriptors to said complete queue of said out-queue on completion of transmission of said data communication package,
and said communication controller separately including the features (a) to (o) enabling parallel transmission and reception of said data communication packages on a LAN and/or a WAN.
44. The communication controller chip according to claim 40, wherein said management bus (84) further provides signaling and configuration for said first authentication processing unit (96a), said second authentication processing unit (96b), said receiving media access control unit (98a), and said transmitting media access control unit (98b).
-
45. The communication controller chip according to claim 40, wherein said compressing processing unit (92b) has a maximum allowable space on said RAM (82) for compressed data included in said second section of said outgoing data communication package.
-
46. The communication controller chip according to claim 40, wherein said decompressing processing unit (92a) has a maximum allowable space on said RAM (82) for decompressed data included in said second section of said incoming data communication packages to be communicated to said CPU or said host.
-
47. The communication controller chip according to claim 40, wherein said RAM (82) is constituted by SRAM, DRAM, or SDRAM or any combinations thereof.
-
48. The communication controller chip according to claim 40, wherein said compression processing unit (92b) may be configured to detect compression efficiency and, in accordance with said compression efficiency, continue compression of data or disengage further compression.
-
49. The communication controller chip according to claim 48, wherein said communication controller chip is implemented in a single housing or in two or more housings.
-
50. A communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN:
Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit (186) and a transmission and encryption section comprising;(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package, (b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package, (c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126), (d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126), (e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and (f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to 
said network transmission controller (134), said communication controller further comprising a receiving and decrypting section comprising; (g) a network receiving controller (140) providing a connection to said network and receiving a received data communication package from said network, (h) a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package, (i) a data decompression unit (172) providing decompression of said second section of said received data communication package, (j) a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit (164), (k) an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172), (l) a data write unit (180) connected to said system bus of said host system, supplying said system bus with said received data communication package, and (m) a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data 
communication package directly hereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180), and said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134), and said data compression unit (118) comprising two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO (130) and said data compression unit (118) being notified by said network transmission controller in case of said amount of accumulated data in transmission FIFO (130) is less than a predetermined value hence activating said low compression mode of operation.
-
51. A communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN:
Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit (186) and a transmission and encryption section comprising;(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package, (b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package, (c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126), (d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126), (e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and (f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to 
said network transmission controller (134), said communication controller further comprising a receiving and decrypting section comprising; (g) a network receiving controller (140) providing a connection to said network and receiving a received data communication package from said network, (h) a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package, (i) a data decompression unit (172) providing decompression of said second section of said received data communication package, (j) a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit (164), (k) an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172), (l) a data write unit (180) connected to said system bus of said host system, supplying said system bus with said received data communication package, and (m) a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data 
communication package directly hereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180), and said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134), said data read transmission control unit (102) being adapted to monitor the compression and encryption of said part of said input data for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package, and said data compression unit (118) comprising two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO (130) and said data compression unit (118) being notified by said network transmission controller (134) when said amount of accumulated data in said transmission FIFO (130) is less than a predetermined value, hence activating said low compression mode of operation.
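The transmit and receive series configurations of claims 50 and 51 (compress, then compute the ICV, then encrypt; on reception decrypt, then verify the ICV, then decompress), the two switch positions that bypass them, the compression-efficiency check of claim 48 and the second-section capacity check of claim 51 can be modelled in software. The following Python is an added example written for this page; it is not the patent's code. The first-section layout (flags, session id, nonce, second-section length), the use of HMAC-SHA256 as the ICV, the HMAC-derived keystream standing in for the encryption unit, the 1400-byte second-section capacity and every function name are assumptions chosen so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os
import struct
import zlib

# Assumed layout of the first (non-encrypted) section: flags, session id,
# nonce and the length of the second section (the length the TX-MAC writes).
HEADER = struct.Struct("!BH8sH")
FLAG_SERIES = 0x01        # second/fourth mode: went through the series configuration
FLAG_COMPRESSED = 0x02    # a compressed part is present in the second section
ICV_LEN = 32              # HMAC-SHA256 tag; assumption, stands in for the claimed ICV
SECOND_SECTION_MAX = 1400 # assumed capacity of the second section

# Constructed sample payload (repetitive, so it compresses).
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n" * 4


class IntegrityError(Exception):
    """Raised by the ICV verification unit when the tag does not match."""


def make_session_key_lut(session_ids):
    """Session key LUT: session id -> (encryption key, ICV key); constructed keys."""
    return {sid: (os.urandom(32), os.urandom(32)) for sid in session_ids}


def pseudo_random_bytes(n, seed=b"constructed"):
    """Deterministic, incompressible sample data (SHA-256 chain) for tests."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out.extend(h)
    return bytes(out[:n])


def _keystream_xor(key, nonce, data):
    """Stand-in for the encryption unit: CTR-style keystream from HMAC-SHA256.
    Chosen only so the example needs no third-party cipher library; the same
    call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack("!I", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def _icv(icv_key, data):
    """ICV calculation unit: keyed tag over the (compressed) part."""
    return hmac.new(icv_key, data, hashlib.sha256).digest()


def transmit(lut, session_id, payload, bypass=False):
    """Transmission section. bypass=True is the first mode (switch routes the
    data around the series configuration); otherwise compress -> ICV -> encrypt."""
    enc_key, icv_key = lut[session_id]
    nonce = os.urandom(8)
    if bypass:
        second, flags = payload, 0
    else:
        compressed = zlib.compress(payload, 9)
        # Compression-efficiency check: disengage compression if it does not pay off.
        if len(compressed) < len(payload):
            part, flags = compressed, FLAG_SERIES | FLAG_COMPRESSED
        else:
            part, flags = payload, FLAG_SERIES
        second = _keystream_xor(enc_key, nonce, part + _icv(icv_key, part))
    # The data read transmission control unit checks the part fits the second section.
    if len(second) > SECOND_SECTION_MAX:
        raise ValueError("second section overflow: %d > %d" % (len(second), SECOND_SECTION_MAX))
    return HEADER.pack(flags, session_id, nonce, len(second)) + second


def receive(lut, package):
    """Receiving section. Without FLAG_SERIES the third mode passes the second
    section straight to the host; otherwise decrypt -> verify ICV -> decompress."""
    flags, session_id, nonce, second_len = HEADER.unpack_from(package)
    second = package[HEADER.size:HEADER.size + second_len]
    if len(second) != second_len:
        raise ValueError("truncated package")
    enc_key, icv_key = lut[session_id]
    if not flags & FLAG_SERIES:
        return second
    plain = _keystream_xor(enc_key, nonce, second)
    if len(plain) < ICV_LEN:
        raise IntegrityError("second section too short to hold an ICV")
    part, tag = plain[:-ICV_LEN], plain[-ICV_LEN:]
    # Constant-time comparison; nothing reaches the decompressor unless the ICV matches.
    if not hmac.compare_digest(tag, _icv(icv_key, part)):
        raise IntegrityError("ICV mismatch")
    return zlib.decompress(part) if flags & FLAG_COMPRESSED else part


if __name__ == "__main__":
    lut = make_session_key_lut([7])
    pkg = transmit(lut, 7, SAMPLE_PAYLOAD)
    print(len(SAMPLE_PAYLOAD), "->", len(pkg), "bytes;", receive(lut, pkg) == SAMPLE_PAYLOAD)
```

The order mirrors the claims: the ICV covers the compressed part and is encrypted with it, so the receiver must decrypt before it can verify, and it verifies before it decompresses, which keeps a corrupted or forged second section away from the decompressor. Keys are looked up per session id from the LUT on both sides, so a package arriving under an unknown session id fails at the lookup rather than at the tag.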
-
53. A transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN:
Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit (186), and comprising;(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package, (b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package, (c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126), (d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126), (e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and (f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said 
network transmission controller (134), and said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134), and said data compression unit (118) comprising two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO (130) and said data compression unit (118) being notified by said network transmission controller (134) in case of said amount of accumulated data transmission FIFO (130) is less than a predetermined value hence activating said low compression mode of operation.
-
54. A transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN:
Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit (186), and comprising;(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package, (b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package, (c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126), (d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126), (e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and (f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said 
network transmission controller (134), said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134), said data read transmission control (102) being adapted to monitor the compression and encryption of said part of said input data for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package, and said data compression unit (118) comprising two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO (130) and said data compression unit (118) being notified by said network transmission controller (134) in case of said amount of accumulated data transmission FIFO (130) is less than a predetermined value hence activating said low compression mode of operation.
-
55. A method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN:
Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means intercommunicating through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising;(a) receiving input data from a system bus of a host system by means of said data read transmission control means connected to said session key storage means, providing a transmission encryption key for said data communication package by means of said session key storage means, (b) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package by means of said data compressing means, (c) providing an encryption by means of said data encryption means, according to said transmission encryption key transferred from said session key storage means, of said second section of said data communication package transferred from said data compressing means, (d) supplying said data communication package to said network in a transmission rate determined by said controller means for network transmission and said network by means of a connection to said network from a controller means for network transmission, and (e) switching by means of a first switching means between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control means and said controller means for network transmission and transferring said input data directly hereto and a second mode of 
operation enabling communication between said data read transmission control means through said first series configuration to said controller means for network transmission, and further comprising monitoring the compression and encryption of said part of said input data by means of said data read transmission control means for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package.
(f) providing a connection to said network and receiving a received data communication package from said network by means of controller means for network reception, (g) receiving said received data communication package through a communication between said controller means for network reception and communicating to said session key storage means by means of a data receiving control means, providing a reception encryption key for said data communication package by means of said session key storage means, (h) providing a decryption of said second section of said received data communication package according to said reception encryption key transferred from said session key storage means and providing a decrypted second section of said received data communication package by means of a data decryption means, (i) providing decompression of a compressed part of said decrypted second section of said received data communication package and providing a decompressed part in said second section of said received data communication package instead of said compressed part in said second section of said data communication package by means of a data decompression means, (j) supplying said system bus of said host system with received data communication package by means of said data writing means, and (k) switching by means of a second switching means enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control means and said data writing means and transferring said received input data directly hereto, and a fourth mode of operation enabling communication between said data receiving control means through said second series configuration said data writing means.
-
67. The method for transmitting and encrypting according to claim 66, further comprising receiving said received data communication package from said data receiving control means in said third mode of operation, receiving said received data communication package from said data decompression means in said fourth mode of operation and transferring said received data communication package to said data writing means by means of a write FIFO means, and receiving said received data communication package from said control means for network reception and transferring said data communication package to said data receiving control means by means of a receiving FIFO means.
-
68. The method for transmitting and encrypting according to claim 66, further comprising performing a subtraction, division, multiplication or preferably a summation of the data contained in said second section of a received data communication package, obtaining a second integrity check value and comparing said second integrity check value with said first integrity check value contained in said received data communication package by means of said integrity check value verification means.
-
69. The method for transmitting and encrypting according to claim 66, further comprising controlling said second switching means in said two modes of operation by means of said data receiving control means.
-
70. The method for transmitting and encrypting according to claim 66, further comprising providing interrupt routines for units included in said communication controller, thereby ensuring a continuous data transmission on said network by means of said receiving means for receiving said data communication packages on said network.
-
71. The method for transmitting and encrypting according to claim 66, further comprising extracting a flag and a fragment ID trailing said compressed part of said decrypted second section of said received data communication package by means of said data decompression means.
-
72. The method for transmitting and encrypting according to claim 55, further comprising updating encryption key information in said session key storage means according to a key management protocol by said host system.
-
73. The method for transmitting and encrypting according to claim 55, further comprising substantially simultaneously operating said data compression means and said data encryption means, and controlling, by said controller means for network transmission, so as to guarantee the continuous supply of bytes from said transmission FIFO means to said controller means for network transmission.
-
58. A method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN:
Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means intercommunicating through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising;(a) receiving input data from a system bus of a host system by means of said data read transmission control means connected to said session key storage means, providing a transmission encryption key for said data communication package by means of said session key storage means, (b) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package by means of said data compressing means, (c) providing an encryption by means of said data encryption means, according to said transmission encryption key transferred from said session key storage means, of said second section of said data communication package transferred from said data compressing means, (d) supplying said data communication package to said network in a transmission rate determined by said controller means for network transmission and said network by means of a connection to said network from a controller means for network transmission, and (e) switching by means of a first switching means between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control means and said controller means for network transmission and transferring said input data directly hereto and a second mode of 
operation enabling communication between said data read transmission control means through said first series configuration to said controller means for network transmission.
-
74. A method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN:
Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means intercommunicating through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising;(a) receiving input data from a system bus of a host system by means of said data read transmission control means connected to said session key storage means, providing a transmission encryption key for said data communication package by means of said session key storage means, (b) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package by means of said data compressing means, (c) providing an encryption by means of said data encryption means, according to said transmission encryption key transferred from said session key storage means, of said second section of said data communication package transferred from said data compressing means, (d) supplying said data communication package to said network in a transmission rate determined by said controller means for network transmission and said network by means of a connection to said network from a controller means for network transmission, (e) switching by means of a first switching means between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control means and said controller means for network transmission and transferring said input data directly hereto and a second mode of operation 
enabling communication between said data read transmission control means through said first series configuration to said controller means for network transmission, constituting an input section of said controller means for network transmission by means of a transmission FIFO means (first in first out storage means), and operating said data compression means in two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO means and said data compression means being notified by said controller means for network transmission in case of said amount of accumulated data in said transmission FIFO means is less than a predetermined value hence activating said low compression mode of operation.
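The FIFO-driven mode selection that claims 50, 51, 53, 54 and 74 describe (high compression by default; the controller for network transmission notifies the compression means when the transmission FIFO holds less than a predetermined amount, which switches it to the faster low-compression mode so the line never starves) is shown below as an added Python simulation. It is not the patent's code. The threshold, the line rate, the tick cost of each mode, the use of zlib levels 9 and 1 as the two compression efficiencies, the constructed syslog-style input and all names are assumptions of this example; the comparison against fixed "always high" and "always low" policies goes beyond the claims to show what the adaptive rule buys.

```python
import zlib

# Assumed model figures (not from the patent).
FIFO_THRESHOLD = 256               # "predetermined value" of accumulated bytes in the FIFO
LINE_RATE = 50                     # bytes the network drains from the FIFO per tick
MODE_COST = {"high": 6, "low": 2}  # ticks the compressor needs per input chunk
MODE_LEVEL = {"high": 9, "low": 1} # zlib level standing in for compression efficiency


def sample_chunks(n_chunks=12, chunk_size=4096):
    """Constructed input: syslog-like lines with varying fields, cut into chunks."""
    text = bytearray()
    i = 0
    while len(text) < n_chunks * chunk_size:
        text += ("2023-05-01T10:%02d:%02d host%02d sshd[%d]: Accepted publickey "
                 "for user%d from 10.0.%d.%d port %d\n"
                 % (i // 60 % 60, i % 60, i % 7, 1000 + i * 13 % 5000,
                    i % 23, i % 200, (i * 7) % 256, 40000 + i * 31 % 20000)).encode()
        i += 1
    return [bytes(text[k:k + chunk_size])
            for k in range(0, n_chunks * chunk_size, chunk_size)]


def simulate(chunks, policy="adaptive"):
    """Run the transmit path tick by tick.

    policy: "adaptive" is the claimed behaviour (the TX controller reports the
    FIFO level; below the threshold the compressor takes the low mode), while
    "high" / "low" pin the compressor to one mode for comparison.
    Returns (mode used per chunk, underrun ticks, bytes placed on the wire)."""
    pending = list(chunks)
    fifo = 0             # bytes accumulated in the transmission FIFO
    current, busy = None, 0
    mode = "high"
    modes, underruns, wire = [], 0, 0
    while pending or current is not None or fifo > 0:
        if current is None and pending:
            if policy == "adaptive":
                mode = "low" if fifo < FIFO_THRESHOLD else "high"
            else:
                mode = policy
            current, busy = pending.pop(0), MODE_COST[mode]
            modes.append(mode)
        if current is not None:
            busy -= 1
            if busy == 0:                      # chunk finished: push it into the FIFO
                out = zlib.compress(current, MODE_LEVEL[mode])
                fifo += len(out)
                wire += len(out)
                current = None
        # Network side: an empty FIFO while data is still on its way means the
        # continuous supply of bytes to the transmission controller was broken.
        if fifo == 0 and (pending or current is not None):
            underruns += 1
        fifo -= min(fifo, LINE_RATE)
    return modes, underruns, wire


def compare_policies(chunks=None):
    """Same input under each policy -> {policy: (modes, underruns, wire_bytes)}."""
    chunks = chunks or sample_chunks()
    return {p: simulate(chunks, p) for p in ("high", "low", "adaptive")}


if __name__ == "__main__":
    for policy, (modes, underruns, wire) in compare_policies().items():
        print("%-8s underrun ticks=%3d wire bytes=%6d modes=%s"
              % (policy, underruns, wire, "".join(m[0] for m in modes)))
```

In the model the fixed high policy starves the line at start-up and whenever a slow chunk produces fewer bytes than the network drains meanwhile, the fixed low policy never starves but puts more bytes on the wire, and the adaptive rule follows the FIFO level, taking the cheap mode only while the FIFO is below the threshold. The threshold and rates are placeholders; a real controller would set them from the line speed and the measured throughput of its compression unit.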
75. A method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means intercommunicating through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising; (a) receiving input data from a system bus of a host system by means of said data read transmission control means connected to said session key storage means, providing a transmission encryption key for said data communication package by means of said session key storage means, (b) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package by means of said data compressing means, (c) providing an encryption by means of said data encryption means, according to said transmission encryption key transferred from said session key storage means, of said second section of said data communication package transferred from said data compressing means, (d) supplying said data communication package to said network in a transmission rate determined by said controller means for network transmission and said network by means of a connection to said network from a controller means for network transmission, (e) switching by means of a first switching means between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control means and said controller means for network transmission and transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control means through said first series configuration to said controller means for network transmission, (f) constituting an input section of said controller means for network transmission by means of a transmission FIFO means (first in first out storage means), and monitoring the compression and encrypting of said part of said input data by means of said data read transmission control means for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package, and operating said data compression means in two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO means and said data compression means being notified by said controller means for network transmission in case of said amount of accumulated data in said transmission FIFO means is less than a predetermined value hence activating said low compression mode of operation.
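As an added software model (not the patent's own implementation) of the transmit path that the two method claims above describe: a clear first section, a compressed part carried in the second section, an integrity check value computed between compression and encryption, the bypass mode, the FIFO-driven switch between high and low compression, and the fit check of claim 75 step (f). It assumes zlib as the compressor, HMAC-SHA256 as the integrity check value, an HMAC-in-counter-mode keystream standing in for the unspecified cipher, and constructed keys, thresholds and section size.

```python
import hashlib
import hmac
import zlib

# Constructed session-key LUT (session id -> key); a real controller provisions these per session.
SESSION_KEY_LUT = {1: bytes(range(32)), 2: bytes(range(32, 64))}
FIFO_LOW_WATER = 256       # bytes; below this the network controller signals low-compression mode
SECOND_SECTION_MAX = 1024  # assumed capacity of the encrypted second section, in bytes
ICV_LEN = 32               # HMAC-SHA256 integrity check value length

def select_compression_level(fifo_fill: int) -> int:
    """High compression (zlib level 9) while the transmission FIFO holds enough data;
    low compression (level 1) once the controller reports the FIFO below the threshold."""
    return 1 if fifo_fill < FIFO_LOW_WATER else 9

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode keyed by the session key.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def build_package(session_id: int, seq: int, payload: bytes, fifo_fill: int,
                  bypass: bool = False) -> bytes:
    first_section = session_id.to_bytes(2, "big") + seq.to_bytes(4, "big")  # non-encrypted
    if bypass:  # first mode of operation: the series configuration is skipped entirely
        return first_section + payload
    key = SESSION_KEY_LUT[session_id]
    compressed = zlib.compress(payload, select_compression_level(fifo_fill))
    # The integrity check value covers the clear header and the compressed part, before encryption.
    icv = hmac.new(key, first_section + compressed, hashlib.sha256).digest()
    body = compressed + icv
    if len(body) > SECOND_SECTION_MAX:  # the monitoring step of claim 75 (f)
        raise ValueError("compressed part exceeds the second section")
    ks = _keystream(key, first_section, len(body))
    return first_section + bytes(a ^ b for a, b in zip(body, ks))

def open_package(package: bytes) -> bytes:
    """Receiving side: decrypt, verify the integrity check value, then decompress."""
    first_section, encrypted = package[:6], package[6:]
    key = SESSION_KEY_LUT[int.from_bytes(first_section[:2], "big")]
    ks = _keystream(key, first_section, len(encrypted))
    body = bytes(a ^ b for a, b in zip(encrypted, ks))
    compressed, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    expected = hmac.new(key, first_section + compressed, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check value mismatch")
    return zlib.decompress(compressed)
```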
Specification