Encryption-based control of network traffic

US 8,635,441 B2
Filed: 08/29/2007
Issued: 01/21/2014
Est. Priority Date: 08/29/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for protecting a private computer network, comprising:

providing a private protected computer network;

receiving at a gateway between a public network and the private protected computer network, data transmitted from a source address outside the private protected network over the public network, for delivery to a destination on the private protected computer network;

encrypting the data at the gateway using an encryption key, selected in a pseudo random process, when the data is received, from a set of one or more keys that are not available to the source address;

transmitting the encrypted data over the private computer network toward the destination;

receiving the transmitted encrypted data, and decrypting the data for use at the destination by means of a corresponding decryption key; and

conveying the corresponding decryption key to the destination over the private computer network together with at least a portion of the encrypted data,wherein conveying the decryption key comprises transmitting the decryption key in the clear to the destination, together with at least a portion of the encrypted data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for protecting a computer network (22) includes receiving at a gateway (24) data transmitted from a source address for delivery to a destination on the computer network. The data are encrypted at the gateway using an encryption key selected from a set of one or more keys that are not available to the source address. The encrypted data are transmitted over the computer network toward the destination. The transmitted encrypted data are received and decrypted for use at the destination by means of one of the keys in the set.

127 Citations

23 Claims

1. A computer-implemented method for protecting a private computer network, comprising:
- providing a private protected computer network;
  
  receiving at a gateway between a public network and the private protected computer network, data transmitted from a source address outside the private protected network over the public network, for delivery to a destination on the private protected computer network;
  
  encrypting the data at the gateway using an encryption key, selected in a pseudo random process, when the data is received, from a set of one or more keys that are not available to the source address;
  
  transmitting the encrypted data over the private computer network toward the destination;
  
  receiving the transmitted encrypted data, and decrypting the data for use at the destination by means of a corresponding decryption key; and
  
  conveying the corresponding decryption key to the destination over the private computer network together with at least a portion of the encrypted data,wherein conveying the decryption key comprises transmitting the decryption key in the clear to the destination, together with at least a portion of the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 14, 15, 16, 17, 18, 19, 23)
- - 2. The method according to claim 1, wherein encrypting and transmitting the data are performed automatically, without intervention by a human operator.
  - 3. The method according to claim 1, wherein receiving the data comprises receiving a data packet comprising a header and a payload, and wherein encrypting the data comprises encrypting both the header and the payload, andwherein conveying the encrypted data comprises encapsulating the encrypted header and payload in another packet for transmission over the computer network.
  - 4. The method according to claim 1, wherein conveying the decryption key comprises sending the decryption key together with at least the portion of the encrypted data in a single data packet.
  - 5. The method according to claim 1, wherein conveying the decryption key comprises waiting for a selected delay period between transmitting the encrypted data and transmitting the decryption key to the destination.
  - 6. The method according to claim 1, and comprising, upon decrypting the data, checking the data for malicious content,wherein decrypting the data comprises separately decrypting each of a sequence of segments of the encrypted data, and wherein checking the data comprises verifying each segment in the sequence to ensure that the segment does not contain the malicious content before proceeding to decrypt succeeding segments in the sequence.
  - 14. The method according to claim 1, wherein encrypting the data comprises encrypting a portion of the packet and leaving a portion of the packet unencrypted.
  - 15. The method according to claim 14, wherein the data packet comprises a plurality of headers and wherein encrypting a portion of the packet comprises encrypting at least one header of the packet and leaving at least one header unencrypted.
  - 16. The method according to claim 1, wherein receiving the data comprises receiving previously encrypted data.
  - 17. The method of claim 1, wherein encrypting the data comprises encrypting using an asymmetric encryption scheme.
  - 18. The method according to claim 1, wherein the decryption key comprises the encryption key.
  - 19. The method according to claim 1, wherein conveying the decryption key comprises transmitting the decryption key in the clear to the destination.
  - 23. The method according to claim 16, wherein encrypting the data at the gateway comprises encrypting the previously encrypted data, so as to add an additional layer of encryption to the received encrypted data.

7. A computer-implemented method for protecting a private protected computer network, comprising:
- receiving at a gateway between a public network and a private protected computer network, a first data packet, comprising a header and a payload, transmitted from a source address outside the private protected network for delivery to a destination on the private computer network;
  
  encrypting, by the gateway, at least the header of the first data packet, thereby generating an encrypted data packet;
  
  encapsulating, by the gateway, the encrypted data packet in a second data packet, and transmitting the second data packet over the private computer network toward the destination;
  
  transmitting a decryption key suitable for decrypting the encrypted data packet in the clear together with at least a portion of the encrypted data, from the gateway to the destination over the private computer network; and
  
  receiving and processing the transmitted second data packet so as to decapsulate and decrypt the first data packet for use at the destination.
- View Dependent Claims (20, 21)
- - 20. The method of claim 7, wherein encrypting at least the header of the first data packet comprises encrypting a portion of the packet and leaving a portion of the packet unencrypted.
  - 21. The method according to claim 7, wherein the data packet comprises a plurality of headers and wherein encrypting at least the header of the first data packet comprises encrypting at least one header of the packet and leaving at least one header unencrypted.

8. Apparatus for protecting a computer network, comprising:
- a gateway between a public network and a private protected computer network, which is configured to receive data transmitted from a source address outside the private protected network, for delivery to a destination on the private computer network, and to encrypt the data using an encryption key selected in a pseudo random process, when the data is received, from a set of one or more keys that are not available to the source address, encrypting the data using the key, to transmit the encrypted data over the private computer network toward the destination, to convey a decryption key corresponding to the encrypted data to the destination in the clear over the private computer network together with at least a portion of the encrypted data; and
  
  a receiver, which is configured to receive the transmitted encrypted data, and to decrypt the data for use at the destination by means of one of the keys in the set.

9. A computer-implemented method for protecting data, comprising:
- receiving at a gateway data transmitted from a source within a protected computer network for delivery to a destination outside the protected computer network;
  
  encrypting the data at the gateway using an encryption key selected from a set of one or more keys that are not available to the source or to the destination prior to receiving the data at the gateway;
  
  transmitting the encrypted data to the destination;
  
  receiving at the gateway, from the source, a confirmation of an authorization to transmit a decryption key, after beginning the transmission of the encrypted data to the destination; and
  
  responsively to the confirmation, conveying the decryption key suitable for decrypting the data to the destination.
- View Dependent Claims (10, 11, 12, 22)
- - 10. The method according to claim 9, wherein receiving the confirmation comprises receiving an electronic signature transmitted from the source.
  - 11. The method according to claim 9, wherein transmitting the encrypted data comprises transmitting the encrypted data over a one-way link from the gateway to destinations outside the protected computer network.
  - 12. The method according to claim 9, wherein encrypting and transmitting the data are performed automatically, without intervention by a human operator.
  - 22. The method according to claim 9, wherein the authorization to transmit the received data is received after completing the transmission of the encrypted data to the destination.

13. Apparatus for protecting data, comprising:
- a source computer, which is configured to be deployed in a protected computer network and to generate data for delivery to a destination outside the protected computer network; and
  
  a gateway, which is coupled to receive and encrypt the data from the source computer using an encryption key selected from a set of one or more keys that are not available to the source computer or to the destination prior to receiving the data at the gateway, to transmit the encrypted data to the destination, to receive, from the source, a confirmation of an authorization to transmit a decryption key, after beginning the transmission of the encrypted data to the destination, and responsively to the confirmation, to convey the decryption key suitable for decrypting the data at the destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Waterfall Security Solutions Ltd.
Original Assignee
Waterfall Security Solutions Ltd.
Inventors
Frenkel, Lior, Zilberstein, Amir
Primary Examiner(s)
LANIER, BENJAMIN E

Application Number

US12/438,548
Publication Number

US 20090319773A1
Time in Patent Office

2,337 Days
Field of Search

713/153
US Class Current

713/153
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/606   by securing the transmissio...

H04L 63/0428   wherein the data content is...

H04L 63/14   for detecting or protecting...

Encryption-based control of network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

127 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Encryption-based control of network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

127 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others