Encryption-based control of network traffic
First Claim
1. A computer-implemented method for protecting a private computer network, comprising:
- providing a private protected computer network;
- receiving at a gateway between a public network and the private protected computer network, data transmitted from a source address outside the private protected network over the public network, for delivery to a destination on the private protected computer network;
- encrypting the data at the gateway using an encryption key, selected in a pseudo random process, when the data is received, from a set of one or more keys that are not available to the source address;
- transmitting the encrypted data over the private computer network toward the destination;
- receiving the transmitted encrypted data, and decrypting the data for use at the destination by means of a corresponding decryption key; and
- conveying the corresponding decryption key to the destination over the private computer network together with at least a portion of the encrypted data, wherein conveying the decryption key comprises transmitting the decryption key in the clear to the destination, together with at least a portion of the encrypted data.
Abstract
A computer-implemented method for protecting a computer network (22) includes receiving at a gateway (24) data transmitted from a source address for delivery to a destination on the computer network. The data are encrypted at the gateway using an encryption key selected from a set of one or more keys that are not available to the source address. The encrypted data are transmitted over the computer network toward the destination. The transmitted encrypted data are received and decrypted for use at the destination by means of one of the keys in the set.
127 Citations
23 Claims
1. A computer-implemented method for protecting a private computer network, comprising:
- providing a private protected computer network;
- receiving at a gateway between a public network and the private protected computer network, data transmitted from a source address outside the private protected network over the public network, for delivery to a destination on the private protected computer network;
- encrypting the data at the gateway using an encryption key, selected in a pseudo random process, when the data is received, from a set of one or more keys that are not available to the source address;
- transmitting the encrypted data over the private computer network toward the destination;
- receiving the transmitted encrypted data, and decrypting the data for use at the destination by means of a corresponding decryption key; and
- conveying the corresponding decryption key to the destination over the private computer network together with at least a portion of the encrypted data, wherein conveying the decryption key comprises transmitting the decryption key in the clear to the destination, together with at least a portion of the encrypted data.
(Dependent claims: 2, 3, 4, 5, 6, 14, 15, 16, 17, 18, 19, 23)

7. A computer-implemented method for protecting a private protected computer network, comprising:
- receiving at a gateway between a public network and a private protected computer network, a first data packet, comprising a header and a payload, transmitted from a source address outside the private protected network for delivery to a destination on the private computer network;
- encrypting, by the gateway, at least the header of the first data packet, thereby generating an encrypted data packet;
- encapsulating, by the gateway, the encrypted data packet in a second data packet, and transmitting the second data packet over the private computer network toward the destination;
- transmitting a decryption key suitable for decrypting the encrypted data packet in the clear together with at least a portion of the encrypted data, from the gateway to the destination over the private computer network; and
- receiving and processing the transmitted second data packet so as to decapsulate and decrypt the first data packet for use at the destination.
(Dependent claims: 20, 21)

8. Apparatus for protecting a computer network, comprising:
- a gateway between a public network and a private protected computer network, which is configured to receive data transmitted from a source address outside the private protected network, for delivery to a destination on the private computer network, and to encrypt the data using an encryption key selected in a pseudo random process, when the data is received, from a set of one or more keys that are not available to the source address, encrypting the data using the key, to transmit the encrypted data over the private computer network toward the destination, to convey a decryption key corresponding to the encrypted data to the destination in the clear over the private computer network together with at least a portion of the encrypted data; and
- a receiver, which is configured to receive the transmitted encrypted data, and to decrypt the data for use at the destination by means of one of the keys in the set.

9. A computer-implemented method for protecting data, comprising:
- receiving at a gateway data transmitted from a source within a protected computer network for delivery to a destination outside the protected computer network;
- encrypting the data at the gateway using an encryption key selected from a set of one or more keys that are not available to the source or to the destination prior to receiving the data at the gateway;
- transmitting the encrypted data to the destination;
- receiving at the gateway, from the source, a confirmation of an authorization to transmit a decryption key, after beginning the transmission of the encrypted data to the destination; and
- responsively to the confirmation, conveying the decryption key suitable for decrypting the data to the destination.
(Dependent claims: 10, 11, 12, 22)

13. Apparatus for protecting data, comprising:
- a source computer, which is configured to be deployed in a protected computer network and to generate data for delivery to a destination outside the protected computer network; and
- a gateway, which is coupled to receive and encrypt the data from the source computer using an encryption key selected from a set of one or more keys that are not available to the source computer or to the destination prior to receiving the data at the gateway, to transmit the encrypted data to the destination, to receive, from the source, a confirmation of an authorization to transmit a decryption key, after beginning the transmission of the encrypted data to the destination, and responsively to the confirmation, to convey the decryption key suitable for decrypting the data at the destination.
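The inbound path of claims 1 and 7 (gateway picks a key the external sender never sees, encrypts the packet, and forwards the key in the clear alongside the ciphertext) and the outbound hold-back of claim 9 (ciphertext leaves at once, the key only after the source confirms), as an added simulation that is not part of the patent. The hash-based keystream, the four-key set, the nonce and the host names are constructed stand-ins, since the claims specify no cipher, key size or confirmation format.

```python
import hashlib, os, secrets
from dataclasses import dataclass

# Constructed key set held by the gateway; it never leaves the private side, so an external
# sender cannot know which key, and hence which ciphertext, its packet will be given.
KEY_SET = [os.urandom(32) for _ in range(4)]

def keystream(key, nonce, length):
    """Hash-based counter-mode keystream: a stand-in for the cipher the claims leave unspecified."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class InnerFrame:  # claim 7's second packet: the encrypted first packet plus the key carried in the clear
    key_id: int
    key: bytes
    nonce: bytes
    ciphertext: bytes

def gateway_inbound(packet):
    """Claim 1: pick a key pseudo-randomly at receipt time, encrypt header and payload, forward with the key."""
    key_id = secrets.randbelow(len(KEY_SET))
    nonce = os.urandom(12)
    ciphertext = xor(packet, keystream(KEY_SET[key_id], nonce, len(packet)))
    return InnerFrame(key_id, KEY_SET[key_id], nonce, ciphertext)

def destination_receive(frame):
    """Destination decapsulates and decrypts with the key that arrived alongside the data."""
    return xor(frame.ciphertext, keystream(frame.key, frame.nonce, len(frame.ciphertext)))

class OutboundGateway:
    """Claim 9: the encrypted data leaves at once; the key is released only on the source's confirmation."""
    def __init__(self):
        self.pending = {}  # tx_id -> (originating source, key held back at the gateway)
    def send(self, source, data):
        key, nonce, tx_id = os.urandom(32), os.urandom(12), secrets.token_hex(8)
        self.pending[tx_id] = (source, key)
        return tx_id, nonce, xor(data, keystream(key, nonce, len(data)))
    def release_key(self, tx_id, confirming_source):
        source, key = self.pending.get(tx_id, (None, None))
        if key is None or confirming_source != source:
            return None  # no confirmation from the originating source: destination holds only ciphertext
        del self.pending[tx_id]
        return key
```

Two identical packets from the outside produce different bytes on the private wire, which is the property the "keys not available to the source address" language is after.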
Specification