Method and apparatus for key-management scheme for use with internet protocols at site firewalls
First Claim
1. In a network including a first data processing device node I coupled to a first firewall server FWA and a second data processing device node J coupled to a second firewall server FWB, said first and second firewall servers disposed between said respective nodes I and J and said network, an improved method for sending data from said node I to said node J, comprising the steps of:
- providing an element for performing the step of said node I sending a data packet, including data and a destination address for node J, to said FWA;
- providing an element for performing the step of providing a secret value a, and a public value α^a mod p to said FWA;
- providing an element for performing the step of providing a secret value b, and a public value α^b mod p to said FWB;
- said FWA performing the steps of:
  - adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate;
  - said firewall FWA computing the value of α^ab mod p, said FWA further deriving a key Kab from said value α^ab mod p;
  - said firewall FWA utilizing said key Kab to encrypt a randomly generated transient key Kp, and encrypting said data packet to be transmitted to FWB using said key Kp, said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB;
  - said FWA sending said transmission packet to said FWB.
Abstract
The present invention includes a first data processing device (node I) coupled to a first private network and to a firewall server (FWA). Firewall server FWA is in turn coupled to a public network, such as the Internet. A second data processing device (node J) is coupled to a second private network which is coupled to the Internet through a firewall server (FWB). Node I provides a data packet including IP data and a destination address for the intended receiving node J to firewall FWA. Firewall FWA is provided with a secret value a, and a public value α^a mod p. Similarly, firewall FWB is provided with a secret value b and a public value α^b mod p. The firewall FWA obtains a Diffie-Hellman (DH) certificate for firewall FWB and determines the public value α^b mod p from the DH certificate. Firewall FWA then computes the value of α^ab mod p, and derives a key Kab from the value α^ab mod p. A transient key Kp is randomly generated and is used to encrypt the data packet to be transmitted by firewall FWA to firewall FWB. The encrypted data packet is then encapsulated in a transmission packet by the firewall FWA. The transmission packet includes an unencrypted destination address for the firewall FWB. Firewall FWA then sends the transmission packet to firewall FWB over the Internet. Upon receipt of the transmission packet from firewall FWA, firewall FWB obtains a DH certificate for firewall FWA, and determines the public value of α^a mod p from the DH certificate. Firewall FWB computes the value of α^ab mod p, and derives the key Kab. Firewall FWB utilizes the key Kab to decrypt the transient key Kp, and using the decrypted transient key Kp, firewall FWB decrypts the encrypted data packet received from FWA, thereby recovering the original data sent by node I in unencrypted form to the firewall FWA. The firewall FWB then transmits the decrypted data packet to the receiving node J over the second private network.
720 Citations
30 Claims
1. In a network including a first data processing device node I coupled to a first firewall server FWA and a second data processing device node J coupled to a second firewall server FWB, said first and second firewall servers disposed between said respective nodes I and J and said network, an improved method for sending data from said node I to said node J, comprising the steps of:
- providing an element for performing the step of said node I sending a data packet, including data and a destination address for node J, to said FWA;
- providing an element for performing the step of providing a secret value a, and a public value α^a mod p to said FWA;
- providing an element for performing the step of providing a secret value b, and a public value α^b mod p to said FWB;
- said FWA performing the steps of:
  - adapting FWA for obtaining a Diffie-Hellman DH certificate for FWB and determining said public value α^b mod p from said DH certificate;
  - said firewall FWA computing the value of α^ab mod p, said FWA further deriving a key Kab from said value α^ab mod p;
  - said firewall FWA utilizing said key Kab to encrypt a randomly generated transient key Kp, and encrypting said data packet to be transmitted to FWB using said key Kp, said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWB;
  - said FWA sending said transmission packet to said FWB.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A network including a first data processing device node I coupled to a first firewall server FWA and a second data processing device node J coupled to a second firewall server FWB, said first and second firewall servers disposed between said respective nodes I and J and said network, comprising:
- node I including a transmission device for sending a data packet, having data and a destination address for node J, to said FWA;
- FWA including a first storage device for storing a secret value a, and a public value α^a mod p;
- FWB including a second storage device for storing a secret value b, and a public value α^b mod p;
- FWA including an encrypting device for encrypting said data packet to be transmitted to FWB, said data packet being encrypted by using a first Diffie-Hellman DH certificate for FWB to determine said public value α^b mod p, and said encrypting device further computing the value of α^ab mod p and deriving a key Kab from said value α^ab mod p;
- said encrypting device encrypting a randomly generated transient key Kp from Kab, and encrypting said data packet using said transient key Kp; said encrypted data packet being encapsulated in a transmission packet, said transmission packet including an unencrypted destination address for FWB;
- FWA further including an interface circuit for transmitting said transmission packet to said FWB over said network.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. In a network including a mobile data processing device M having a long term address M and a temporary address IPd, said device M coupled to a first firewall server FWX, and a second data processing device R coupled to a second firewall server FWY, said first and second firewall servers disposed between said respective devices M and R, an improved method for sending data from said device M to said device R, comprising the steps of:
- said device M sending a data packet, including data, a destination address for device R, and said long term address M to said firewall FWX;
- providing a secret value x, and a public value α^x mod p to said FWX;
- providing a secret value y, and a public value α^y mod p to said FWY;
- said FWX performing the steps of:
  - obtaining a Diffie-Hellman DH certificate for FWY and determining said public value α^y mod p from said DH certificate;
  - computing the value of α^xy mod p, said FWX further deriving a key Kxy from said value α^xy mod p;
  - utilizing said key Kxy to encrypt a randomly generated transient key Kp, and encrypting said data packet to be transmitted to FWY using said key Kp, said encrypted data packet being encapsulated in a transmission packet including an unencrypted destination address for FWY and said temporary address IPd as a source address;
  - said FWX sending said transmission packet to said FWY.
Dependent claims: 21, 22, 23, 24, 25.
26. A network including a mobile data processing device M having a long term address M and a temporary address on said network IPd, said device M coupled to a first firewall server FWX and a second data processing device R coupled to a second firewall server FWY, said first and second firewall servers disposed between said respective devices M and R, comprising:
- device M including a transmission device for sending a data packet, including data, and a destination address for device R, and said long term address M to said firewall FWX;
- FWX including a first storage device for storing a secret value x, and a public value α^x mod p;
- FWY including a second storage device for storing a secret value y, and a public value α^y mod p;
- FWX including an encrypting device for encrypting said data packet to be transmitted to FWY, said data packet being encrypted by using a first Diffie-Hellman DH certificate for FWY to determine said public value α^y mod p, and said encrypting device further computing the value of α^xy mod p and deriving a key Kxy from said value α^xy mod p;
- said encrypting device encrypting a randomly generated transient key Kp and encrypting said data packet using said transient key Kp; said encrypted data packet being encapsulated in a transmission packet, including an unencrypted destination address for FWY and said temporary address IPd as a source address;
- FWX further including an interface circuit for transmitting said transmission packet to said FWY over said network.
Dependent claims: 27, 28, 29, 30.
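The scheme described in the abstract and restated in claims 1, 11, 20 and 26 (certified DH public values, a per-pair key Kab derived from α^ab mod p, a random transient key Kp wrapped under Kab, the packet encrypted under Kp and encapsulated with a cleartext firewall destination) is modelled end to end below. This is an added example, not code from the patent. Everything concrete is an assumption of mine: the toy group p = 2^255 - 19 with α = 2 (a constructed choice, not a vetted DH group), an HMAC under a constructed authority key standing in for the signature on a "DH certificate", SHA-256 as the Kab derivation, an HMAC-SHA256 counter keystream standing in for the symmetric cipher the claims leave unspecified, and the names Firewall, make_dh_certificate, encapsulate and decapsulate.

```python
"""Model of the firewall-to-firewall key-management scheme (added example).
All primitives below are constructed stand-ins chosen so the model runs with
the standard library only; they are not the patent's, and the DH group is a
toy."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed; use a standard MODP group in practice).
P = 2**255 - 19
ALPHA = 2
CA_KEY = b"constructed-certificate-authority-key"  # stands in for the CA signing key


def make_dh_certificate(name: bytes, public: int) -> dict:
    """Bind a firewall name to its public value alpha^secret mod p.
    A real DH certificate carries a signature; an HMAC under CA_KEY stands in."""
    body = name + b"|" + public.to_bytes(32, "big")
    return {"name": name, "public": public,
            "tag": hmac.new(CA_KEY, body, hashlib.sha256).digest()}


def verify_dh_certificate(cert: dict) -> int:
    """Return the certified public value, refusing any unauthenticated binding."""
    body = cert["name"] + b"|" + cert["public"].to_bytes(32, "big")
    expected = hmac.new(CA_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(cert["tag"], expected):
        raise ValueError("DH certificate failed verification")
    return cert["public"]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the unspecified cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class Firewall:
    def __init__(self, name: bytes):
        self.name = name
        self.secret = secrets.randbelow(P - 2) + 2       # secret value a (or b)
        self.public = pow(ALPHA, self.secret, P)          # public value alpha^a mod p
        self.certificate = make_dh_certificate(name, self.public)

    def derive_kab(self, peer_cert: dict) -> bytes:
        peer_public = verify_dh_certificate(peer_cert)    # alpha^b mod p from the certificate
        shared = pow(peer_public, self.secret, P)          # alpha^ab mod p
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()   # Kab

    def encapsulate(self, packet: bytes, peer_cert: dict) -> dict:
        """Build the transmission packet FWA sends toward FWB."""
        kab = self.derive_kab(peer_cert)
        kp = secrets.token_bytes(32)                      # randomly generated transient key Kp
        nonce = secrets.token_bytes(16)                   # fresh per packet so Kab is never reused with one stream
        return {"dst": peer_cert["name"],                 # unencrypted destination address for FWB
                "src": self.name,                         # for the mobile case this would be IPd
                "nonce": nonce,
                "wrapped_kp": xor_crypt(kab, b"kp|" + nonce, kp),
                "payload": xor_crypt(kp, b"data|" + nonce, packet)}

    def decapsulate(self, tpkt: dict, peer_cert: dict) -> bytes:
        """FWB's side: recover Kp under Kab, then the original packet under Kp."""
        if tpkt["dst"] != self.name:
            raise ValueError("transmission packet is not addressed to this firewall")
        kab = self.derive_kab(peer_cert)
        kp = xor_crypt(kab, b"kp|" + tpkt["nonce"], tpkt["wrapped_kp"])
        return xor_crypt(kp, b"data|" + tpkt["nonce"], tpkt["payload"])


def shared_keys_agree() -> bool:
    fwa, fwb = Firewall(b"FWA"), Firewall(b"FWB")
    return fwa.derive_kab(fwb.certificate) == fwb.derive_kab(fwa.certificate)


def demo_roundtrip(packet: bytes = b"constructed IP data from node I to node J") -> bytes:
    fwa, fwb = Firewall(b"FWA"), Firewall(b"FWB")
    return fwb.decapsulate(fwa.encapsulate(packet, fwb.certificate), fwa.certificate)


def substituted_public_value_is_rejected() -> bool:
    """A certificate whose public value was swapped must not yield a key."""
    fwa, fwb, other = Firewall(b"FWA"), Firewall(b"FWB"), Firewall(b"FWB")
    forged = dict(fwb.certificate, public=other.public)   # FWB's tag, someone else's value
    try:
        fwa.derive_kab(forged)
    except ValueError:
        return True
    return False
```

Two points a reviewer of this scheme would check. First, the security of Kab rests entirely on the certificate check in derive_kab: the claims say the public value is "determined from the DH certificate", and if that binding is not verified, any value can be substituted. Second, the claims describe confidentiality only; the XOR keystream here is malleable, so a deployment would add an authentication tag over header, wrapped key and payload (for example an HMAC under a key derived alongside Kp) and reject packets before decrypting.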
Specification