Cryptographic information and flow control
Abstract
A method of providing cryptographic information and flow control includes first determining a target domain from an IP address. An organization policy is looked up from a credential store, and an algorithm and credentials specified for the target domain are looked up in a domain-credential map. Any further credentials that are provided and that are permitted by the organizational policy are added. A working key is then generated, and information is received in the form of a receive packet. Any packet header is stripped from the receive packet and the remaining data is encrypted. Key splits are retrieved from the credential store and are combined to form a key-encrypting key. The working key is then encrypted with the key-encrypting key, and a CKM header is encrypted. The encrypted CKM header is concatenated to the beginning of the encrypted data to form transmit data, and the packet header and the transmit data are concatenated to form a transmit packet. The transmit packet is then provided to a network interface card for transmission on a network.
19 Claims
1. A method of securing data, sent by a user, before the data is transmitted over a network, comprising:
providing a network packet having a data portion and a header portion, the header portion including a destination address;
determining, based at least in part on the destination address, a domain identifier;
determining, based at least in part on said domain identifier, a domain algorithm identifier, a domain credential identifier, and a domain key split;
accessing a credential store associated with the user, the credential store comprising at least one user algorithm identifier, at least one user credential identifier, and for each user credential identifier, at least one user key split associated with the respective user credential identifier;
generating a random working key;
encrypting the data portion of said network packet with said random working key;
binding together a plurality of key splits to form a cryptographic key;
encrypting said random working key with the cryptographic key according to a cryptographic algorithm designated by said domain algorithm identifier; and
if said domain algorithm identifier and said domain credential identifier are represented by the at least one user algorithm identifier and the at least one user credential identifier, respectively, then forwarding at least part of the header portion, the encrypted random working key, and the encrypted data portion to the network in a packet format;
wherein said plurality of key splits includes the domain key split and one or more of the at least one user key split associated with the at least one user credential identifier representative of said domain credential identifier.

said credential store further comprises a domain policy that permits the user to provide at least one of the domain algorithm identifier and the domain credential identifier, and determining the domain algorithm identifier, the domain credential identifier, and the domain split, includes determining that the at least one of the domain algorithm identifier and the domain credential identifier is not represented in a domain-credential map, and obtaining the at least one of the domain algorithm identifier and the domain credential identifier from the user.

6. The method of claim 5, further comprising adding the domain identifier and the at least one of the domain algorithm identifier and the domain credential identifier to the domain-credential map.

7. The method of claim 1, wherein the packet format includes the header portion, the encrypted data portion, and a security header comprising the encrypted random working key.

8. The method of claim 7, further comprising encrypting the security header.

9. A secure packet formed by the method of claim 1.

10. The method of claim 1, wherein said method is performed at least in part by a processor residing on a network interface.

11. An article of manufacture comprising a program storage medium tangibly embodying one or more programs of instructions executable by a computer to perform a method of securing data, sent by a user, before the data is transmitted over a network, the method comprising:
providing a network packet having a data portion and a header portion, the header portion including a destination address;
determining, based at least in part on the destination address, a domain identifier;
determining, based at least in part on said domain identifier, a domain algorithm identifier, a domain credential identifier, and a domain key split;
accessing a credential store associated with the user, the credential store comprising at least one user algorithm identifier, at least one user credential identifier, and for each user credential identifier, at least one user key split associated with the respective user credential identifier;
generating a random working key;
encrypting the data portion of said network packet with said random working key;
binding together a plurality of key splits to form a cryptographic key;
encrypting said random working key with the cryptographic key according to a cryptographic algorithm designated by said domain algorithm identifier; and
if said domain algorithm identifier and said domain credential identifier are represented by the at least one user algorithm identifier and the at least one user credential identifier, respectively, then forwarding at least part of the header portion, the encrypted random working key, and the encrypted data portion to the network in a packet format;
wherein said plurality of key splits includes the domain key split and one or more of the at least one user key split associated with the at least one user credential identifier representative of said domain credential identifier.

12. The article of manufacture of claim 10, wherein the destination address is an internet protocol address.

13. The article of manufacture of claim 10, wherein determining the domain identifier includes submitting the domain identifier to a domain name system.

14. The article of manufacture of claim 10, wherein said credential store includes at least one token key split.

15. The article of manufacture of claim 10, wherein said credential store further comprises a domain policy that permits the user to provide at least one of the domain algorithm identifier and the domain credential identifier, and determining the domain algorithm identifier, the domain credential identifier, and the domain split includes determining that the at least one of the domain algorithm identifier and the domain credential identifier is not represented in a domain-credential map, and obtaining the at least one of the domain algorithm identifier and the domain credential identifier from the user.

16. The article of manufacture of claim 14, wherein the method further comprises adding the domain identifier and the at least one of the domain algorithm identifier and the domain credential identifier to the domain-credential map.

17. The article of manufacture of claim 10, wherein the packet format includes the header portion, the encrypted data portion, and a security header comprising the encrypted random working key.

18. The article of manufacture of claim 16, wherein the method further comprises encrypting the security header.

19. The article of manufacture of claim 10, wherein the computer is a network interface comprising a processor and a memory accessible to the processor, and the method is cooperatively performed at least in part by the processor and the memory.

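The sender-side flow that the abstract and claims 1 and 11 recite, written out as an added Go example; this is not code from the patent or from any product implementing it. The destination-to-domain map, the credential store contents, the 8-byte header layout, the fixed-size security header, the key splits and every identifier are constructed sample values. Binding the splits with HMAC-SHA256 and treating the domain algorithm identifier as designating AES-256-GCM are this example's assumptions, since the page names neither a binding method nor a cipher. The forwarding gate is the claim's condition: when the user's store does not represent both the domain algorithm identifier and the domain credential identifier, nothing is forwarded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net"
)

// Constructed wire layout: 8-byte header (IPv4 destination, then IPv4 source),
// 60-byte security header (GCM nonce + wrapped 32-byte working key + tag), data.
const headerLen, secHdrLen = 8, 12 + 32 + 16

// A domain-credential map row, and the user's store with one split per credential.
type DomainEntry struct {
	AlgorithmID, CredentialID string
	DomainSplit               []byte
}
type CredentialStore struct {
	AlgorithmIDs map[string]bool
	UserSplits   map[string][]byte
}

var domainMap = map[string]DomainEntry{ // keyed by destination CIDR (constructed)
	"10.1.0.0/16": {"AES-256-GCM", "CRED-FIN", []byte("constructed-finance-domain-split")},
}

// lookupDomain resolves the destination address to its domain-credential entry.
func lookupDomain(dst net.IP) (DomainEntry, bool) {
	for cidr, e := range domainMap {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(dst) {
			return e, true
		}
	}
	return DomainEntry{}, false
}

// bindSplits forms the key-encrypting key. The patent says only that the splits are
// "bound together"; HMAC-SHA256 over length-prefixed splits is this example's assumption.
func bindSplits(splits ...[]byte) []byte {
	mac := hmac.New(sha256.New, []byte("kek-binding"))
	for _, s := range splits {
		mac.Write([]byte{byte(len(s) >> 8), byte(len(s))})
		mac.Write(s)
	}
	return mac.Sum(nil)
}

// gcm returns AES-256-GCM (assumed to be what the domain algorithm identifier designates); seal prefixes a random nonce, unseal reverses it.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a programming error
	}
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(key, plaintext, aad []byte) []byte {
	nonce := make([]byte, 12) // standard GCM nonce size
	rand.Read(nonce)          // documented never to fail on Go 1.24+
	return gcm(key).Seal(nonce, nonce, plaintext, aad)
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}

// SecurePacket performs the claimed sender-side method on one packet. It forwards only
// when the user's store represents both the domain algorithm and the domain credential.
func SecurePacket(header, data []byte, cs CredentialStore) ([]byte, error) {
	if len(header) != headerLen {
		return nil, errors.New("bad header length")
	}
	dom, found := lookupDomain(net.IP(header[:4]))
	userSplit, held := cs.UserSplits[dom.CredentialID]
	if !found || !held || !cs.AlgorithmIDs[dom.AlgorithmID] {
		return nil, fmt.Errorf("not forwarded: no permitted algorithm/credential for %v", net.IP(header[:4]))
	}
	wk := make([]byte, 32) // random working key, fresh for this packet
	rand.Read(wk)
	encData := seal(wk, data, header)                                  // header authenticated as AAD
	secHdr := seal(bindSplits(dom.DomainSplit, userSplit), wk, header) // working key wrapped under the KEK
	return append(append(append([]byte{}, header...), secHdr...), encData...), nil
}

func main() {
	store := CredentialStore{map[string]bool{"AES-256-GCM": true}, map[string][]byte{"CRED-FIN": []byte("constructed-finance-user-split")}}
	header := []byte{10, 1, 4, 7, 10, 9, 0, 2} // dst 10.1.4.7 (finance domain), src 10.9.0.2
	wire, err := SecurePacket(header, []byte("quarterly ledger"), store)
	fmt.Printf("wire=%x err=%v\n", wire, err)
}
```

Running it prints the transmit packet in hex. The header travels in clear but is authenticated as associated data under both the working key and the key-encrypting key, so a receiver that rebuilds the same key-encrypting key from its own domain and user splits can unwrap the working key and decrypt the data portion, while a receiver holding a different split fails at the unwrap step rather than producing wrong plaintext.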
Specification