ENCRYPTION-BASED CONTROL OF NETWORK TRAFFIC

US 20090319773A1
Filed: 08/29/2007
Published: 12/24/2009
Est. Priority Date: 08/29/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for protecting a computer network, comprising:

receiving at a gateway data transmitted from a source address for delivery to a destination on the computer network;

encrypting the data at the gateway using an encryption key selected from a set of one or more keys that are not available to the source address;

transmitting the encrypted data over the computer network toward the destination; and

receiving the transmitted encrypted data, and decrypting the data for use at the destination by means of one of the keys in the set.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for protecting a computer network (22) includes receiving at a gateway (24) data transmitted from a source address for delivery to a destination on the computer network. The data are encrypted at the gateway using an encryption key selected from a set of one or more keys that are not available to the source address. The encrypted data are transmitted over the computer network toward the destination. The transmitted encrypted data are received and decrypted for use at the destination by means of one of the keys in the set.

154 Citations

View as Search Results

45 Claims

1. A computer-implemented method for protecting a computer network, comprising:
- receiving at a gateway data transmitted from a source address for delivery to a destination on the computer network;
  
  encrypting the data at the gateway using an encryption key selected from a set of one or more keys that are not available to the source address;
  
  transmitting the encrypted data over the computer network toward the destination; and
  
  receiving the transmitted encrypted data, and decrypting the data for use at the destination by means of one of the keys in the set.
- View Dependent Claims (2, 3, 4, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein encrypting and transmitting the data are performed automatically, without intervention by a human operator.
  - 3. The method according to claim 1, wherein receiving the data comprises receiving the data from a public network, and wherein transmitting the encrypted data comprises conveying the encrypted data over a private network.
  - 4. The method according to claim 1, wherein receiving the data comprises receiving a data packet comprising a header and a payload, and wherein encrypting the data comprises encrypting both the header and the payload, andwherein conveying the encrypted data comprises encapsulating the encrypted header and payload in another packet for transmission over the computer network.
  - 6. The method according to claim 1, and comprising conveying to a receiver a decryption key suitable for decrypting the data for use at the destination.
  - 7. The method according to claim 6, wherein encrypting the data comprises selecting the encryption key using a pseudo-random process.
  - 8. The method according to claim 6, wherein conveying the decryption key comprises transmitting the decryption key to the receiver over the computer network.
  - 9. The method according to claim 8, wherein transmitting the decryption key and the encrypted data comprises conveying the decryption key together with at least a portion of the encrypted data together over the computer network.
  - 10. The method according to claim 9, wherein conveying the decryption key comprises sending the decryption key together with at least the portion of the encrypted data in a single data packet.
  - 11. The method according to claim 8, wherein transmitting the decryption key comprises waiting for a selected delay period between transmitting the encrypted data and transmitting the decryption key to the receiver.
  - 12. The method according to claim 1, and comprising, upon decrypting the data, checking the data for malicious content,wherein decrypting the data comprises separately decrypting each of a sequence of segments of the encrypted data, and wherein checking the data comprises verifying each segment in the sequence to ensure that the segment does not contain the malicious content before proceeding to decrypt succeeding segments in the sequence.

5. (canceled)

13. (canceled)

14. A computer-implemented method for protecting a computer network, comprising:
- receiving a first data packet, comprising a header and a payload, transmitted from a source address for delivery to a destination on the computer network;
  
  encrypting at least the header of the first data packet, thereby generating an encrypted data packet;
  
  encapsulating the encrypted data packet in a second data packet, and transmitting the second data packet over the computer network toward the destination; and
  
  receiving and processing the transmitted second data packet so as to decapsulate and decrypt the first data packet for use at the destination.

15-16. -16. (canceled)

17. A computer-implemented method for protecting against malicious traffic, comprising:
- receiving over a computer network a data packet comprising encrypted data for delivery to a destination on the computer network;
  
  sequentially decrypting each of a sequence of segments of the encrypted data; and
  
  after decrypting each of the segments, verifying each segment to ensure that the segment does not contain malicious content before proceeding to decrypt a succeeding segment in the sequence.

18. Apparatus for protecting a computer network, comprising:
- a gateway, which is configured to receive data transmitted from a source address for delivery to a destination on the computer network, and to encrypt the data using an encryption key selected from a set of one or more keys that are not available to the source address, encrypting the data using the key, and to transmit the encrypted data over the computer network toward the destination; and
  
  a receiver, which is configured to receive the transmitted encrypted data, and to decrypt the data for use at the destination by means of one of the keys in the set.

19-33. -33. (canceled)

34. A computer software product, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive over a computer network a data packet comprising encrypted data for delivery to a destination on the computer network, and to sequentially decrypt each of a sequence of segments of the encrypted data, and after decrypting each of the segments, to verify each segment to ensure that the segment does not contain malicious content before proceeding to decrypt a succeeding segment in the sequence.

35. A computer-implemented method for protecting data, comprising:
- receiving at a gateway data transmitted from a source within a protected computer network for delivery to a destination outside the protected computer network;
  
  encrypting the data at the gateway using an encryption key selected from a set of one or more keys that are not available to the source or to the destination prior to receiving the data at the gateway;
  
  transmitting the encrypted data to the destination;
  
  receiving at the gateway a confirmation of an authorization to transmit the data from the source; and
  
  responsively to the confirmation, conveying a decryption key suitable for decrypting the data to the destination.
- View Dependent Claims (36, 37, 38)
- - 36. The method according to claim 35, wherein receiving the confirmation comprises receiving an electronic signature transmitted from the source.
  - 37. The method according to claim 35, wherein transmitting the encrypted data comprises transmitting the encrypted data over a one-way link from the gateway to destinations outside the protected computer network.
  - 38. The method according to claim 35, wherein encrypting and transmitting the data are performed automatically, without intervention by a human operator.

39-43. -43. (canceled)

44. Apparatus for protecting data, comprising:
- a source computer, which is configured to be deployed in a protected computer network and to generate data for delivery to a destination outside the protected computer network; and
  
  a gateway, which is coupled to receive and encrypt the data from the source computer using an encryption key selected from a set of one or more keys that are not available to the source computer or to the destination prior to receiving the data at the gateway, to transmit the encrypted data to the destination, to receive a confirmation of an authorization to transmit the data from the source, and responsively to the confirmation, to convey a decryption key suitable for decrypting the data at the destination.

45-52. -52. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Waterfall Security Solutions Ltd.
Original Assignee
Waterfall Security Solutions Ltd.
Inventors
Frenkel, Lior, Zilberstein, Amir

Granted Patent

US 8,635,441 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/606   by securing the transmissio...

H04L 63/0428   wherein the data content is...

H04L 63/14   for detecting or protecting...

ENCRYPTION-BASED CONTROL OF NETWORK TRAFFIC

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

154 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

ENCRYPTION-BASED CONTROL OF NETWORK TRAFFIC

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

154 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links