System for signatureless transmission and reception of data packets between computer networks
Abstract
A system for automatically encrypting and decrypting data packets sent from a source host to a destination host across a public internetwork. A tunnelling bridge is positioned at each network and intercepts all packets transmitted to or from its associated network. The tunnelling bridge includes tables indicating pairs of hosts or pairs of networks between which packets should be encrypted. When a packet is transmitted from a first host, the tunnelling bridge of that host's network intercepts the packet and determines from its header information whether packets from that host that are directed to the specified destination host should be encrypted; or, alternatively, whether packets from the source host's network that are directed to the destination host's network should be encrypted. If so, the packet is encrypted and transmitted to the destination network along with an encapsulation header indicating source and destination information: either source and destination host addresses, or the broadcast addresses of the source and destination networks (in the latter case, concealing by encryption the hosts' respective addresses). An identifier of the source network's tunnelling bridge may also be included in the encapsulation header. At the destination network, the associated tunnelling bridge intercepts the packet, inspects the encapsulation header, determines from an internal table whether the packet was encrypted, and determines from either the source (host or network) address or the tunnelling bridge identifier whether and how the packet was encrypted. If the packet was encrypted, it is decrypted using a key stored in the destination tunnelling bridge's memory and sent on to the destination host. The tunnelling bridge identifier is used particularly in an embodiment where a given network has more than one tunnelling bridge, and hence multiple possible encryption/decryption schemes and keys.
In an alternative embodiment, the automatic encryption and decryption may be carried out by the source and destination hosts themselves, without the use of additional tunnelling bridges, in which case the encapsulation header includes the source and destination host addresses.
48 Claims
1. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first and second computer networks including, respectively, first and second bridge computers, each of said first and second host computers and first and second bridge computers including a processor and a memory for storing instructions for execution by the processor, each of said first and second bridge computers further including memory for storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carried out by means of the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the first data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;
(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first bridge computer;
(4) in the first bridge computer, generating and appending to the encrypted first data packet an encapsulation header, including:
(a) key management information providing a mechanism for identifying the predetermined encryption method, and (b) a new address header representing the source and destination for the first data packet, thereby generating a modified first data packet;
(5) transmitting the first data packet or the modified first data packet from the first bridge computer via the internetwork to the second computer network;
(6) intercepting the first data packet or the modified first data packet at the second bridge computer;
(7) in the second bridge computer, if the encapsulation header has been appended to the first data packet, reading the encapsulation header, and determining therefrom whether the first data packet was encrypted, and if it is determined that the first data packet has been encrypted, proceeding to step 8 and otherwise proceeding to step 10;
(8) in the second bridge computer, determining which encryption mechanism was used to encrypt the first data packet;
(9) decrypting the first data packet by the second bridge computer;
(10) transmitting the first data packet from the second bridge computer to the second host computer; and
(11) receiving the unencrypted first data packet at the second host computer.
(Dependent claims: 2, 3, 4, 5)
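The bridge-to-bridge procedure of claim 1, as an added Go example (not code from the patent or from any product built on it): each bridge holds a table correlating pairs of networks, encrypts the whole inner packet for a correlated pair, replaces the address header with the two networks' broadcast addresses, and prepends an encapsulation header whose first byte is the key-management information naming the mechanism; the receiving bridge consults its own table, determines the mechanism from that header, decrypts and forwards. AES-256-GCM, the /16 mask, the 14-byte header layout and all addresses are assumptions chosen for the example; authenticating the outer header as AAD and refusing cleartext packets between correlated pairs are hardening choices beyond the patent text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Packet is a simplified internetwork datagram: an address header plus a body.
type Packet struct {
	Src, Dst uint32 // 32-bit internetwork addresses (host or broadcast)
	Body     []byte
}
const mechAESGCM byte = 1         // key-management info: identifies the mechanism used
const netMask uint32 = 0xFFFF0000 // every network in this demo is a /16 (assumption)
const encapHeaderLen = 2 + 12     // [mechanism id][sending bridge id][12-byte nonce]
// Bridge is one tunnelling bridge; its table maps a correlated (src, dst) pair of networks,
// keyed by their broadcast addresses, to the AES-256 key the two bridges share for that pair.
type Bridge struct {
	ID    byte
	table map[[2]uint32][]byte
}
func NewBridge(id byte) *Bridge { return &Bridge{ID: id, table: map[[2]uint32][]byte{}} }
func broadcast(addr uint32) uint32 { return addr | ^netMask } // broadcast address of addr's network
// Require records that packets from network src to network dst must be encrypted.
func (b *Bridge) Require(src, dst uint32, key []byte) { b.table[[2]uint32{broadcast(src), broadcast(dst)}] = key }
// Outbound (sending bridge, claim 1 steps 2-5): for a correlated pair, encrypt the whole inner packet,
// original addresses included, and prepend the encapsulation header behind a new broadcast-only address header.
func (b *Bridge) Outbound(p Packet) (Packet, error) {
	outer := [2]uint32{broadcast(p.Src), broadcast(p.Dst)}
	key, ok := b.table[outer]
	if !ok {
		return p, nil // not a protected pair: forward in the clear
	}
	hdr := make([]byte, encapHeaderLen)
	hdr[0], hdr[1] = mechAESGCM, b.ID
	if _, err := rand.Read(hdr[2:]); err != nil {
		return Packet{}, err
	}
	aead, err := newAEAD(hdr[0], key)
	if err != nil {
		return Packet{}, err
	}
	// The outer addresses and header fields are authenticated as AAD so the receiver detects
	// tampering with the mechanism id or addresses (a hardening beyond the patent text).
	ct := aead.Seal(nil, hdr[2:], marshal(p), marshal(Packet{outer[0], outer[1], hdr[:2]}))
	return Packet{Src: outer[0], Dst: outer[1], Body: append(hdr, ct...)}, nil
}

// Inbound (receiving bridge, claim 1 steps 6-10): a packet between a correlated pair must carry an
// encapsulation header and authenticate, or it is dropped rather than forwarded; other pairs pass through.
func (b *Bridge) Inbound(p Packet) (Packet, error) {
	outer := [2]uint32{broadcast(p.Src), broadcast(p.Dst)}
	key, ok := b.table[outer]
	if !ok {
		return p, nil
	}
	if len(p.Body) < encapHeaderLen {
		return Packet{}, fmt.Errorf("bridge %d: protected pair but no encapsulation header", b.ID)
	}
	hdr, ct := p.Body[:encapHeaderLen], p.Body[encapHeaderLen:]
	aead, err := newAEAD(hdr[0], key) // step 8: which mechanism did the sender use?
	if err != nil {
		return Packet{}, err
	}
	inner, err := aead.Open(nil, hdr[2:], ct, marshal(Packet{outer[0], outer[1], hdr[:2]}))
	if err != nil || len(inner) < 8 {
		return Packet{}, fmt.Errorf("bridge %d: authentication failed or malformed inner packet", b.ID)
	}
	return Packet{binary.BigEndian.Uint32(inner), binary.BigEndian.Uint32(inner[4:]), inner[8:]}, nil
}

// newAEAD selects the cipher named by the header's mechanism id.
func newAEAD(mech byte, key []byte) (cipher.AEAD, error) {
	if mech != mechAESGCM {
		return nil, fmt.Errorf("unknown encryption mechanism %d", mech)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// marshal serialises a packet as [src:4][dst:4][body]; Outbound and Inbound also use it to build the AAD.
func marshal(p Packet) []byte {
	buf := make([]byte, 8, 8+len(p.Body))
	binary.BigEndian.PutUint32(buf, p.Src)
	binary.BigEndian.PutUint32(buf[4:], p.Dst)
	return append(buf, p.Body...)
}
```

With two bridges sharing a key and both calling Require for the same pair of networks, a host packet passed through the first bridge's Outbound and the second's Inbound comes back with its original addresses and body, while a flipped ciphertext byte, an unknown mechanism id, or a cleartext packet between the correlated networks is rejected.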
6. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network to a second host computer on a second computer network, including:
a first bridge computer coupled to the first computer network for intercepting data packets transmitted from said first computer network, the first bridge computer including a first processor and a first memory storing instructions for executing encryption of data packets according to a predetermined encryption/decryption mechanism;
a second bridge computer coupled to the second computer network for intercepting data packets transmitted to said second computer network, the second bridge computer including a second processor and a second memory storing instructions for executing decryption of the data packets;
said first host computer including a third processor and a third memory including instructions for transmitting a first said data packet from said first to said second host;
a first table stored in said first memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively;
instructions stored in said first memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present in said first table, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header including a mechanism for identifying said predetermined encryption/decryption mechanism and appending said new address header to said encrypted first data packet, thereby generating a modified first data packet, and transmitting said modified data packet on to the second host computer;
a second table stored in said second memory including a correlation of at least one of the first host computer and the first network with one of the second host computer and the second network, respectively; and
instructions stored in said second memory for intercepting said modified first data packet upon arrival at said second network, determining whether said correlation is present in said second table, and if so, then executing decryption of said first data packet according to said predetermined encryption/decryption mechanism, and transmitting the first data packet to the second host computer.
(Dependent claims: 7, 8, 9, 10)
11. A method for transmitting and receiving packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, each of said first and second host computers including a processor and a memory for storing instructions for execution by the processor, each said memory storing at least one predetermined encryption/decryption mechanism and a source/destination table identifying a predetermined plurality of sources and destinations requiring security for packets transmitted between them, the method being carried out by means of the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the first data packet including information representing an internetwork address of a source of the first data packet and an internetwork address of a destination of the first data packet;
(2) in the first host computer, determining whether the source and destination of the first data packet are among the predetermined plurality of sources and destinations identified in said source/destination table for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first host computer;
(4) in the first host computer, generating and appending to the encrypted first data packet an encapsulation header, including:
(a) key management information providing a mechanism for identifying the predetermined encryption method, and (b) a new address header identifying the source and destination for the first data packet, thereby generating a modified first data packet;
(5) transmitting the first data packet or the modified first data packet from the first host computer via the internetwork to the second computer network;
(6) in the second host computer, if the encapsulation header has been appended to the first data packet, reading the encapsulation header, and determining therefrom whether the first data packet was encrypted, and if the first data packet was not encrypted, ending the method, and if the first data packet was encrypted, proceeding to step 7;
(7) in the second host computer, determining which encryption mechanism was used to encrypt the first data packet; and
(8) decrypting the first data packet by the second host computer.
(Dependent claims: 12, 13)
14. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network, the first host computer having a first processor and a first memory, via an internetwork to a second host computer on a second computer network, the second host computer having a second processor and a second memory, the system including:
security data stored in said first and second memories indicating that data packets meeting at least one predetermined criterion are to be encrypted;
a predetermined encryption/decryption mechanism stored in said first and second memories;
a decryption key stored in said second memory;
instructions stored in said first memory for determining whether to encrypt one or more data packets, by determining whether said at least one predetermined criterion is met by said one or more data packets;
instructions stored in said first memory for executing encryption according to said predetermined encryption/decryption mechanism of at least a first one of said one or more data packets, when said at least one predetermined criterion is met, for generating a new address header for said first data packet and for appending an encapsulation header to said first data packet and transmitting said first data packet to said second host, said new address header identifying broadcast addresses of the first and second computer networks, said encapsulation header including at least said new address header; and
instructions stored in said second memory for receiving said first data packet, determining whether it has been encrypted by reference to said security data in said second memory, and if so then determining which encryption/decryption mechanism was used for encryption, and decrypting said first data packet by use of said decryption key.
(Dependent claims: 15, 40)
16. A system for automatically encrypting data packets for transmission from a first host computer on a first computer network to a second host computer on a second computer network, said first host computer including a first processor and a first memory including instructions for transmitting said data packets from said first host to said second host, the system including:
a bridge computer coupled to the first computer network for intercepting at least a first said data packet transmitted from said first computer network, said bridge computer including a second processor and a second memory storing instructions for executing encryption of said first data packet according to a predetermined encryption/decryption mechanism;
information stored in said second memory correlating at least one of the first host computer and the first network with one of the second host computer and the second network, respectively; and
instructions stored in said second memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header including a mechanism for identifying said predetermined encryption/decryption mechanism and appending said new address header to said first data packet, thereby generating a modified first data packet for transmission on to the second host computer.
(Dependent claims: 44)
17. A method for transmitting packets of data via an internetwork from a first host computer on a first computer network to a second host computer on a second computer network, the first computer network including a first bridge computer, each of said first and second host computers and said bridge computer including memory storing at least one predetermined encryption/decryption mechanism and information identifying a predetermined plurality of host computers as hosts requiring security for packets transmitted between them, the method being carried out according to the instructions stored in said respective memories and including the steps of:
(1) generating, by the first host computer, a first data packet for transmission to the second host computer, a portion of the first data packet including information representing an internetwork address of the first host computer and an internetwork address of the second host computer;
(2) in the first bridge computer, intercepting the first data packet and determining whether the first and second host computers are among the predetermined plurality of host computers for which security is required, and if not, proceeding to step 5, and if so, proceeding to step 3;
(3) encrypting the first data packet in the first bridge computer;
(4) in the first bridge computer, generating and appending to the first data packet an encapsulation header, including:
(a) key management information providing a mechanism for identifying the predetermined encryption method, and (b) a new address header representing the source and destination for the data packet, thereby generating a modified first data packet; and
(5) transmitting the first data packet or the modified first data packet from the first bridge computer via the internetwork to the second computer network.
18. A system for automatically decrypting data packets transmitted from a first computer to a second computer, the system comprising:
a bridge coupled to the second computer for intercepting a data packet from the first computer, the data packet having an address header and a body, the address header including broadcast addresses of the first and second computers, the bridge including a processor and a memory that stores instructions for decrypting data packets;
information stored in the memory of the bridge correlating the first and second computers; and
instructions stored in the memory for intercepting the data packet, determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting at least a portion of the data packet to generate a new data packet including a new address header, and transmitting the new data packet onto the second computer.
(Dependent claims: 19, 20, 45)
21. A system for automatically decrypting data packets transmitted from a first computer to a second computer, the system comprising:
a bridge coupled to the second computer for intercepting a data packet from the first computer, the data packet including a header storing key management information providing a mechanism for identifying an encryption method used to encrypt the data packet, the bridge including a processor and a memory that stores instructions for decrypting data packets;
information stored in the memory of the bridge correlating the first and second computers; and
instructions stored in the memory for intercepting the data packet, determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header, and transmitting the new data packet onto the second computer.
22. A method for receiving data packets from a first computer to a second computer through a bridge including a processor and a memory that stores instructions for decrypting data packets and information correlating the first and second computers, the method being carried out according to instructions in the memory of the bridge and comprising:
intercepting a data packet from the first computer to the second computer, the data packet including an address header and a body, the address header including broadcast addresses of the first and second computers and the body including address information representing an internetwork address of the first computer and an internetwork address of the second computer, wherein the address information is encrypted;
determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header; and
transmitting the new data packet on to the second computer.
(Dependent claims: 23, 24)
25. A method for receiving data packets from a first computer to a second computer through a bridge including a processor and a memory that stores instructions for decrypting data packets and information correlating the first and second computers, the method being carried out according to instructions in the memory of the bridge and comprising:
intercepting a data packet from the first computer to the second computer, the data packet including information representing an internetwork address of the first computer and an internetwork address of the second computer;
determining whether the information stored in the memory of the bridge correlates the first and second computers, and if so, decrypting the data packet to generate a new data packet including a new address header; and
transmitting the new data packet on to the second computer;
wherein the data packet includes a header storing key management information providing a mechanism for identifying an encryption method used to encrypt the new data packet.
26. A method of encrypting data packets, comprising:
receiving a data packet from a source for a destination, the data packet including a header section and a data section, the header section storing a source identifier and a destination identifier;
determining whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
if the data packet should be encrypted, encrypting the data packet to produce an encrypted data packet; and
generating a new address header and appending the new address header to the encrypted data packet, thereby generating a modified data packet;
wherein the new address header includes a mechanism for identifying an encryption method used to generate the encrypted data packet.
(Dependent claims: 27, 28, 29, 30, 31, 32, 33, 46)
34. A computer program product adapted for encrypting data packets, comprising:
computer code that when executed causes the reception of a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that when executed causes the determination of whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
computer code that when executed, if the data packet should be encrypted, causes the encryption of the data packet to produce an encrypted data packet;
computer code that when executed causes the generation of a new address header and appends the new address header to the encrypted data packet, the new address header including a mechanism for identifying an encryption method used to generate the encrypted data packet, thereby generating a modified data packet; and
a computer readable medium that stores the computer codes.
(Dependent claims: 35, 47)
36. A computer system for encrypting data packets, comprising:
a processor;
a computer readable medium coupled to the processor and storing a computer program comprising:
computer code that when executed by the processor causes the processor to receive a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that when executed by the processor causes the processor to determine whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
computer code that when executed by the processor causes the processor to encrypt the data packet to produce an encrypted data packet when it is determined that the data packet should be encrypted; and
computer code that when executed by the processor causes the processor to generate a new address header and append the new address header to the encrypted data packet, thereby generating a modified data packet;
wherein the new address header includes a mechanism for identifying an encryption method used to generate the encrypted data packet.
(Dependent claims: 37, 48)
38. A system for automatically encrypting and decrypting data packets transmitted from a first host computer on a first computer network, the first host computer having a first processor and a first memory, via an internetwork to a second host computer on a second computer network, the second host computer having a second processor and a second memory, the system including:
security data stored in said first and second memories indicating that data packets meeting at least one predetermined criterion are to be encrypted;
instructions stored in said first memory for determining whether to encrypt one or more data packets, by determining whether said at least one predetermined criterion is met by said one or more data packets;
instructions stored in said first memory for executing encryption of at least a first one of said one or more data packets according to a predetermined encryption/decryption mechanism, when said at least one predetermined criterion is met, for generating a new address header for said first data packet and for appending an encapsulation header to said first data packet and transmitting said first data packet to said second host, said encapsulation header including said new address header and a mechanism for identifying said predetermined encryption/decryption mechanism; and
instructions stored in said second memory for receiving said first data packet, determining whether it has been encrypted by reference to said security data in said second memory, and if so then determining which encryption/decryption mechanism was used for encryption, and decrypting said first data packet by use of said encryption/decryption mechanism.
(Dependent claims: 39)
41. A system for automatically encrypting data packets for transmission from a first host computer on a first computer network to a second host computer on a second computer network, said first host computer including a first processor and a first memory including instructions for transmitting said data packets from said first host to said second host, the system including:
a bridge computer coupled to the first computer network for intercepting at least a first data packet transmitted from said first computer network, said bridge computer including a second processor and a second memory storing instructions for executing encryption of said first data packet according to a predetermined encryption/decryption mechanism;
information stored in said second memory correlating at least one of the first host computer and the first network with one of the second host computer and the second network, respectively; and
instructions stored in said second memory for intercepting said first data packet before departure from said first network, determining whether said correlation is present, and if so, then executing encryption of said first data packet according to said predetermined encryption/decryption mechanism, generating a new address header including the internetwork broadcast addresses of the first and second computer networks and appending said new address header to said first data packet, thereby generating a modified first data packet for transmission on to the second host computer.
42. A computer program product adapted for encrypting data packets, comprising:
computer code that when executed on a computer causes the computer to receive a data packet from a source for a destination, the data packet including a header section and a data section, and the header section storing a source identifier and a destination identifier;
computer code that when executed on a computer causes the computer to determine whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
computer code that when executed on a computer causes the computer to, if the data packet should be encrypted, encrypt the data packet to produce an encrypted data packet;
computer code that when executed on a computer causes the computer to generate a new address header storing at least one of a broadcast address associated with the source and a broadcast address associated with the destination, and append the new address header to the encrypted data packet, thereby generating a modified data packet; and
a computer readable medium that stores the computer codes.
43. A computer system for encrypting data packets, comprising:
a processor;
a computer readable medium coupled to the processor storing a computer program comprising:
computer code that when executed by the processor causes the processor to receive a data packet from a source for a destination, the data packet including a header section and a data section, the header section storing a source identifier and a destination identifier;
computer code that when executed by the processor causes the processor to determine whether the data packet should be encrypted upon reference to at least one of the source and destination identifiers;
computer code that when executed by the processor causes the processor to encrypt the data packet to produce an encrypted data packet if the data packet should be encrypted; and
computer code that when executed by the processor causes the processor to generate a new address header storing at least one of a broadcast address associated with the source and a broadcast address associated with the destination, and append the new address header to the encrypted data packet, thereby generating a modified data packet.