Migration from in-clear to encrypted working over a communications link
First Claim
1. A computer system comprising a first node, a second node and a communication link connecting the first node and the second node, wherein:
(a) the system is initially capable of operating in a plurality of modes, including a first mode corresponding to in-clear working over the link, a second mode corresponding to encrypted working over the link, and a third mode, employed for migration from in-clear working over the link to encrypted working over the link, in which said first node is set to “initiate encryption” and said second node is set to “accept encryption”;
(b) the third mode provides in-clear working until means required for encrypted working are installed at both the first and the second nodes, when encrypted working is provided over the link and from which point in time only encrypted working is possible over the link;
(c) the means required for encrypted working comprise a long term key, which long term key is used to establish a message encryption key to be employed by the first and the second nodes for encryption and decryption of messages transmitted over the link;
(d) the first and second nodes include respective caches in which said message encryption key is stored upon its establishment; and
(e) when there is a failure to establish a said message encryption key a special key value is cached in the cache of said first node, the presence of which special key value serves to suspend attempts to establish a said message encryption key.
Abstract
A system involving a central computer (2) and a remote computer (3), which can communicate over a link (1), is migrated from in-clear working to encrypted working automatically as the computers receive and install long term keys necessary for encrypted communication. When migration is required, the settings at both ends of the link need to be changed to “encrypt” simultaneously and, particularly, if there are numerous remote computers and the possibility of connection of a remote computer to different central computers, as is possible in virtual private network (VPN) scenarios, severe problems can ensue. Hence, as well as the normal two modes of working “in-clear” and “encrypt”, a third mode in which “initiate encryption” is set at one end of the link and “accept encryption” is set at the other end of the link is proposed. This third mode ensures that working in-clear can continue over a particular link, such as between a particular VPN server and a particular gateway PC, until a long term key required for encrypted working is installed at both ends of the link, but that once key installation is complete, only encrypted working is possible over that link.
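The three-mode migration and the suspended-retry cache described in the abstract and in claim 1, as an added illustrative model written for this page (not code from the patent): the patent specifies no key-derivation method, so the HMAC derivation, the all-zero special key value and the link identifier are assumptions.

```python
from __future__ import annotations
import hashlib, hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Mode(Enum):
    IN_CLEAR = "in-clear"
    ENCRYPT = "encrypt"
    INITIATE_ENCRYPTION = "initiate encryption"  # third-mode setting at the first node
    ACCEPT_ENCRYPTION = "accept encryption"      # third-mode setting at the second node

# Constructed special key value: its presence in a cache suspends key establishment.
SUSPEND = b"\x00" * 32

@dataclass
class Node:
    name: str
    mode: Mode
    long_term_key: Optional[bytes] = None       # installed out of band during migration
    cache: dict = field(default_factory=dict)   # link id -> message encryption key (or SUSPEND)

def link_mode(first: Node, second: Node) -> Mode:
    """How traffic flows over the link, given the settings at both ends."""
    if first.mode == Mode.INITIATE_ENCRYPTION and second.mode == Mode.ACCEPT_ENCRYPTION:
        # Third mode: in-clear until both ends hold a long term key, then encrypted only.
        both_keyed = first.long_term_key is not None and second.long_term_key is not None
        return Mode.ENCRYPT if both_keyed else Mode.IN_CLEAR
    if first.mode == second.mode and first.mode in (Mode.IN_CLEAR, Mode.ENCRYPT):
        return first.mode
    raise ValueError(f"mismatched settings: {first.name}={first.mode.value}, "
                     f"{second.name}={second.mode.value}")

def establish_message_key(first: Node, second: Node, link_id: str) -> Optional[bytes]:
    """Derive the message encryption key from the long term key and cache it at both nodes."""
    cached = first.cache.get(link_id)
    if cached == SUSPEND:
        return None                       # earlier failure: attempts stay suspended
    if cached is not None:
        return cached
    if first.long_term_key is None or second.long_term_key is None:
        return None                       # nothing installed yet; the link still runs in-clear
    # Assumed derivation (not from the patent): each end derives from its own long term key
    # and the results must agree, standing in for a real key-confirmation exchange.
    k1 = hmac.new(first.long_term_key, link_id.encode(), hashlib.sha256).digest()
    k2 = hmac.new(second.long_term_key, link_id.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(k1, k2):
        first.cache[link_id] = SUSPEND    # failure: the special value parks this link
        return None
    first.cache[link_id] = second.cache[link_id] = k1
    return k1
```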
2 Claims (claim 1 is reproduced above as the first claim; claim 2 is a dependent claim)
Specification