ENCRYPTION-BASED CONTROL OF NETWORK TRAFFIC
Abstract
A computer-implemented method for protecting a computer network (22) includes receiving at a gateway (24) data transmitted from a source address for delivery to a destination on the computer network. The data are encrypted at the gateway using an encryption key selected from a set of one or more keys that are not available to the source address. The encrypted data are transmitted over the computer network toward the destination. The transmitted encrypted data are received and decrypted for use at the destination by means of one of the keys in the set.
154 Citations
45 Claims
1. A computer-implemented method for protecting a computer network, comprising:
- receiving at a gateway data transmitted from a source address for delivery to a destination on the computer network;
- encrypting the data at the gateway using an encryption key selected from a set of one or more keys that are not available to the source address;
- transmitting the encrypted data over the computer network toward the destination; and
- receiving the transmitted encrypted data, and decrypting the data for use at the destination by means of one of the keys in the set.
Dependent claims: 2, 3, 4, 6, 7, 8, 9, 10, 11, 12

5. (canceled)

13. (canceled)

14. A computer-implemented method for protecting a computer network, comprising:
- receiving a first data packet, comprising a header and a payload, transmitted from a source address for delivery to a destination on the computer network;
- encrypting at least the header of the first data packet, thereby generating an encrypted data packet;
- encapsulating the encrypted data packet in a second data packet, and transmitting the second data packet over the computer network toward the destination; and
- receiving and processing the transmitted second data packet so as to decapsulate and decrypt the first data packet for use at the destination.

15-16. (canceled)

17. A computer-implemented method for protecting against malicious traffic, comprising:
- receiving over a computer network a data packet comprising encrypted data for delivery to a destination on the computer network;
- sequentially decrypting each of a sequence of segments of the encrypted data; and
- after decrypting each of the segments, verifying each segment to ensure that the segment does not contain malicious content before proceeding to decrypt a succeeding segment in the sequence.

18. Apparatus for protecting a computer network, comprising:
- a gateway, which is configured to receive data transmitted from a source address for delivery to a destination on the computer network, and to encrypt the data using an encryption key selected from a set of one or more keys that are not available to the source address, encrypting the data using the key, and to transmit the encrypted data over the computer network toward the destination; and
- a receiver, which is configured to receive the transmitted encrypted data, and to decrypt the data for use at the destination by means of one of the keys in the set.

19-33. (canceled)

34. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive over a computer network a data packet comprising encrypted data for delivery to a destination on the computer network, and to sequentially decrypt each of a sequence of segments of the encrypted data, and after decrypting each of the segments, to verify each segment to ensure that the segment does not contain malicious content before proceeding to decrypt a succeeding segment in the sequence.
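The segment-by-segment decrypt-then-scan receiver of claims 17 and 34, as an added illustration that is not the patent's own code: the cipher is a stdlib HMAC-SHA256 keystream in counter mode with a per-segment integrity tag, the scanner is a constructed signature match, and the segment size, key, nonce and marker are assumed values chosen for the demo.

```python
import hashlib
import hmac

SEGMENT, TAG_LEN = 16, 16   # constructed segment size and truncated tag length (bytes)

def _keystream(key, nonce, index, length):
    # PRF-based counter-mode keystream for segment `index` (illustration, not a production cipher).
    out, block = b"", 0
    while len(out) < length:
        msg = nonce + index.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def _tag(key, nonce, index, ct):
    return hmac.new(key, nonce + index.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:TAG_LEN]

def encrypt_segments(key, nonce, data):
    """Sender side: fixed-size segments, each independently decryptable and tagged."""
    segs = []
    for idx, off in enumerate(range(0, len(data), SEGMENT)):
        chunk = data[off:off + SEGMENT]
        ct = bytes(a ^ b for a, b in zip(chunk, _keystream(key, nonce, idx, len(chunk))))
        segs.append(ct + _tag(key, nonce, idx, ct))
    return segs

def receive_and_verify(key, nonce, segments, is_malicious):
    """Claim-17 style receiver: decrypt one segment, scan it, and only then move to the next.
    Returns (cleartext accepted so far, index of the segment that stopped delivery or None)."""
    accepted = b""
    for idx, seg in enumerate(segments):
        ct, tag = seg[:-TAG_LEN], seg[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(key, nonce, idx, ct)):
            return accepted, idx            # tampered segment: stop before decrypting it
        plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, idx, len(ct))))
        if is_malicious(plain):
            return accepted, idx            # scanner hit: later segments are never decrypted
        accepted += plain
    return accepted, None

# Constructed demo: a signature scanner and two payloads (one clean, one carrying the marker).
MARKER = b"<<BAD-SIG>>"
def demo_scanner(segment):
    return MARKER in segment

def run_demo():
    key, nonce = b"k" * 32, b"n" * 12  # constructed fixed values; use random ones in practice
    clean = b"GET /index.html HTTP/1.1\r\nHost: example\r\n"
    accepted, stop = receive_and_verify(key, nonce, encrypt_segments(key, nonce, clean), demo_scanner)
    bad = b"A" * SEGMENT + MARKER + b"B" * SEGMENT
    accepted2, stop2 = receive_and_verify(key, nonce, encrypt_segments(key, nonce, bad), demo_scanner)
    return (accepted == clean and stop is None), accepted2, stop2
```

Because each segment is scanned in isolation, a signature that straddles a segment boundary is only caught by a scanner that keeps state across calls.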
35. A computer-implemented method for protecting data, comprising:
- receiving at a gateway data transmitted from a source within a protected computer network for delivery to a destination outside the protected computer network;
- encrypting the data at the gateway using an encryption key selected from a set of one or more keys that are not available to the source or to the destination prior to receiving the data at the gateway;
- transmitting the encrypted data to the destination;
- receiving at the gateway a confirmation of an authorization to transmit the data from the source; and
- responsively to the confirmation, conveying a decryption key suitable for decrypting the data to the destination.
Dependent claims: 36, 37, 38

39-43. (canceled)

44. Apparatus for protecting data, comprising:
- a source computer, which is configured to be deployed in a protected computer network and to generate data for delivery to a destination outside the protected computer network; and
- a gateway, which is coupled to receive and encrypt the data from the source computer using an encryption key selected from a set of one or more keys that are not available to the source computer or to the destination prior to receiving the data at the gateway, to transmit the encrypted data to the destination, to receive a confirmation of an authorization to transmit the data from the source, and responsively to the confirmation, to convey a decryption key suitable for decrypting the data at the destination.

45-52. (canceled)
Specification