Packet authentication and packet encryption/decryption scheme for security gateway

US 6,092,191 A
Filed: 11/29/1996
Issued: 07/18/2000
Est. Priority Date: 11/30/1995
Status: Expired due to Fees

First Claim

Patent Images

1. A method for transferring a packet from a source computer to a destination computer in a network system formed by a plurality of computer networks in which a packet processing device is provided it a boundary between each computer network and an external of said each computer network, the method comprising the steps of:

(a) transferring the packet transmitted by the source computer from a source side packet processing device managing the source computer to an adjacent packet processing device in a packet transfer route, after attaching to the packet an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in the packet transfer route and a link-by-link authentication data for inspection by at least one intermediate packet processing device in the packet transfer route;

(b) inspecting the link-by-link authentication data attached to the packet at said at least one intermediate packet processing device without inspecting the end-to-end authentication data, and transferring the packet from said at least one intermediate packet processing device to a next packet processing device in the packet transfer route when the packet is authenticated by an inspection of the link-by-link authentication data; and

(c) inspecting the end-to-end authentication data attached to the packet at the destination side packet processing device, and transferring the packet from the destination side packet processing device to the destination computer when the packet is authenticated by an inspection of the end-to-end authentication data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet authentication and packet encryption/decryption scheme for a security gateway suitable for a hierarchically organized network system and a mobile computing environment. For the packet authentication, in addition to the end-to-end authentication at the destination side packet processing device, the link-by-link authentication at each intermediate packet processing device in the packet transfer route is used. The link-to-link authentication data being inspected by intermediate nodes and end-to-end data (different from link-to-link data) being inspected by destination node but not being inspected by intermediate nodes. For the packet encryption/decryption, each packet processing device determines whether or not to encrypt/decrypt the packet according to: an information on the computers which are directly managed by this packet processing device; or the encryption information and the signature information provided in the packet; or the encryption information, the signature information, and the encryption/decryption level information provided in the packer.

274 Citations

35 Claims

1. A method for transferring a packet from a source computer to a destination computer in a network system formed by a plurality of computer networks in which a packet processing device is provided it a boundary between each computer network and an external of said each computer network, the method comprising the steps of:
- (a) transferring the packet transmitted by the source computer from a source side packet processing device managing the source computer to an adjacent packet processing device in a packet transfer route, after attaching to the packet an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in the packet transfer route and a link-by-link authentication data for inspection by at least one intermediate packet processing device in the packet transfer route;
  
  (b) inspecting the link-by-link authentication data attached to the packet at said at least one intermediate packet processing device without inspecting the end-to-end authentication data, and transferring the packet from said at least one intermediate packet processing device to a next packet processing device in the packet transfer route when the packet is authenticated by an inspection of the link-by-link authentication data; and
  
  (c) inspecting the end-to-end authentication data attached to the packet at the destination side packet processing device, and transferring the packet from the destination side packet processing device to the destination computer when the packet is authenticated by an inspection of the end-to-end authentication data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein at the step (a) the source side packet processing device attaches the link-by-link authentication data for inspection by said at least one intermediate packet processing device which is said adjacent packet processing device in the packet transfer route;
    - andat the step (b) a corresponding link-by-link authentication data attached to the packet is inspected at each intermediate packet processing device in the packet transfer route including said adjacent packet processing device, and the packet is transferred from said each intermediate packet processing device to a next packet processing device in the packet transfer route when the packet is authenticated by an inspection of the corresponding link-by-link authentication data.
  - 3. The method of claim 2, wherein the source side packet processing device generates the end-to-end authentication data at the step (a) by using an authentication key corresponding to the destination side packet processing device which is determined from an address information in the packet, and the destination side packet processing device inspects the end-to-end authentication data at the step (c) by using an authentication key corresponding to the source side packet processing device which is determined from the address information in the packet.
  - 4. The method of claim 2, wherein the source side packet processing device generates the link-by-link authentication data at the step (a) by using an authentication key corresponding to said adjacent packet processing device which is determined from an address information in the packet.
  - 5. The method of claim 2, wherein said each intermediate packet processing device inspects the corresponding link-by-link authentication data at the step (b) by using an authentication key determined from the address information in the packet.
  - 6. The method of claim 2, wherein sa-d each intermediate packet processing device transfers the packet as received when the packet is authenticated at the step (b).
  - 7. The method of claim 2, wherein said each intermediate packet processing device transfers the packet after removing the corresponding link-by-link authentication data from the packet when the packet is authenticated at the step (b).
  - 8. The method of claim 2, wherein said each intermediate packet processing device generates a new link-by-link authentication data for inspection by the next packet processing device, and transfers the packet after attaching the new link-by-link authentication data to the packet at the step (b).
  - 9. The method of claim 8, wherein said each intermediate packet processing device generates the new link-by-link authentication data at the step (b) by using an authentication key corresponding to the next packet processing device which is determined from an address information in the packet.
  - 10. The method of claim 2, wherein the source side packet processing device generates each corresponding link-by-link authentication data to be inspected by said each intermediate packet processing device, and transfers the packet after attaching all the corresponding link-by-link authentication data for all intermediate packet processing devices in the packet transfer route to the packet at the step (a).
  - 11. The method of claim 10, wherein the source side packet processing device generates said each corresponding link-by-link authentication data at the step (a) by using an authentication key corresponding to said each intermediate packet processing device which is determined from an address information in the packet.
  - 12. The method of claim 2, wherein the source side packet processing device generates a common link-by-link authentication data to be inspected by every intermediate packet processing device in the packet transfer route at the step (a), and said each intermediate packet processing device inspects said common link-by-link authentication data as the corresponding link-by-link authentication data at the step (b).
  - 13. The method of claim 12, wherein the source side packet processing device generates said common link-by-link authentication data at the step (a) by using an authentication key common to all intermediate packet processing devices in the packet transfer route which is determined from an address information in the packet.
  - 14. The method of claim 2, wherein the source computer is a mobile computer capable of carrying out communications by moving among the computer networks in the network system, and the source side packet processing device is implemented in the mobile computer, so that the packet is transferred by the source side packet processing device in the mobile computer at the step (a).
  - 15. The method of claim 2, wherein he destination computer is a mobile computer capable of carrying out communications by moving among the computer networks in the network system, and the destination side packet processing device is implemented in the mobile computer, so that the packet is inspected by the destination side packet processing device in the mobile computer at the step (c).
  - 16. The method of claim 2, wherein at the step (a), the source side packet processing device generates the end-to-end authentication data depending on all bits of the packet transmitted by the source computer, and the link-by-link authentication data depending on selective bits corresponding to a part of data formed by the packet transmitted by the source computer and the end-to-end authentication data which contains the end-to-end authentication data.
  - 17. The method of claim 2, wherein at the step (a), the source side packet processing device generates the end-to-end authentication data and the link-by-link authentication data depending on all bits of the packet transmitted by the source computer.

18. A packet processing device for transferring a packet transmitted from a source computer to a destination computer in a network system formed by a plurality of computer networks, the device being provided at a boundary between one computer network and an external of said one computer network, and the device comprising:
- authentication data generation means for generating an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in a packet transfer route and a link-by-link authentication data for inspection by at least one intermediate packet processing device in the packet transfer route;
  
  packet formatting means for attaching the end-to-end authentication data and the link-by-link authentication data generated by the authentication data generation means to the packet transmitted by the source computer; and
  
  transfer means for transferring the packet with the end-to-end authentication data and the link-by-link authentication data attached thereto by the packet formatting means, to an adjacent packet processing device in the packet transfer route.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 19. The device of claim 18, wherein the authentication data generation means generates the link-by-link authentication data for inspection by said at least one intermediate packet processing device which is said adjacent packet processing device in the packet transfer route.
  - 20. The device of claim 19, wherein the authentication data generation means generates the end-to-end authentication data by using an authentication key corresponding to the destination side packet processing device which is determined from an address information in the packet.
  - 21. The device of claim 19, wherein the authentication data generation means generates the link-by-link authentication data by using an authentication key corresponding to said adjacent packet processing device which is determined from an address information in the packet.
  - 22. The device of claim 19, further comprising:
    - an authentication key memory for storing a first authentication key corresponding to the destination side packet processing device and a second authentication key corresponding to said adjacent packet processing device, in correspondence to an address information in the packet;
      
      wherein the authentication data generation means generates the end-to-end authentication data by using the first authentication key stored in the authentication key memory, and the link-by-link authentication data by using the second authentication key stored in the authentication key memory.
  - 23. The device of claim 19, wherein tie authentication data generation means generates each corresponding link-by-link authentication data to be inspected by each intermediate packet processing device in the packet transfer route, and the packet formatting means attaches all the corresponding link-by-link authentication data for all intermediate packet processing devices in the packet transfer route to the packet.
  - 24. The device of claim 23, wherein the authentication data generation means generates said each corresponding link-by-link authentication data by using an authentication key corresponding to said each intermediate packet processing device which is determined from an address information in the packet.
  - 25. The device of claim 23, Further comprising:
    - an authentication key memory for storing authentication keys corresponding to the destination side packet processing device and all the intermediate packet processing devices in the packet transfer route, in correspondence to an address information in the packet;
      
      wherein the authentication data generation means generates the end-to-end authentication data and said each corresponding link-by-link authentication data by using the authentication keys stored in the authentication key memory.
  - 26. The device of claim 19, wherein the authentication data generation means generates a common link-by-link authentication data to be inspected by every intermediate packet processing device in the packet transfer route.
  - 27. The device of claim 26, wherein the authentication data generation means generates said common link-by-link authentication data by using an authentication key common to all intermediate packet processing devices in the packet transfer route which is determined from an address information in the packet.
  - 28. The device of claim 26, further comprising:
    - an authentication key memory for storing a first authentication key corresponding to the destination side packet processing device and a second authentication key corresponding to all the intermediate packet processing devices in the packet transfer route, in correspondence to an address information in the packet;
      
      wherein the authentication data generation means generates the end-to-end authentication data by using the first authentication key stored in the authentication key memory, and said common link-by-link authentication data by using the second authentication key stared in the authentication key memory.

29. A packet processing device for relaying a packet transmitted from a source computer to a destination computer in a network system formed by a plurality of computer networks, the device being provided at a boundary between one computer network and an external of said one computer network, and the device comprising;
- inspection means for inspecting a corresponding link-by-link authentication data attached to the packet received from an adjacent packet processing device in the packet transfer route, without inspecting an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in the packet transfer route which is also attached to the packet; and
  
  transfer means for transferring the packet to a next packet processing device in the packet transfer route when the packet is authenticated by an inspection of the corresponding link-by-link authentication data by the inspection means.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The device of claim 29, wherein the inspection means inspects the corresponding link-by-link authentication data by using an authentication key determined from the address information in the packet.
  - 31. The device of claim 29, wherein the transfer means transfers the packet as received when the packet is authenticated by the inspection means.
  - 32. The device of claim 29, farther comprising:
    - packet formatting means for removing the corresponding link-by-link authentication data from the packet when the packet is authenticated by the inspection means;
      
      wherein the transfer means transfers the packet after the corresponding link-by-Link authentication data is removed from the packet by the packet formatting means.
  - 33. The device of claim 29, further comprising:
    - authentication data generation means for generating a new link-by-link authentication data which is to be inspected by the next packet processing device; and
      
      packet formatting means for attaching the new link-by-link authentication data generated by the authentication key generation means to the packet received from the adjacent packet processing device;
      
      wherein the transfer means transfers the packet after the new link-by-link authentication data is attached to the packet by the packet formatting means.

34. An article of manufacture, comprising;
- a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a packet processing device for transferring a packet transmitted from a source computer to a destination computer in a network system formed by a plurality of computer networks, the packet processing device being provided at a boundary between one computer network and an external of said one computer network, the computer readable program code means including;
  
  first computer readable program code means for causing said computer to generate an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in a packet transfer route and a link-by-link authentication data for inspection by at least one intermediate packet processing device in the packet transfer route;
  
  second computer readable program code means for causing said computer to attach the end-to-end authentication data and the link-by-link authentication data generated by the first computer readable program code means to the packet transmitted by the source computer; and
  
  third computer readable program code means for causing said computer to transfer the packet with the end-to-end authentication data and the link-by-link authentication data attached thereto by the second computer readable program code means, to an adjacent packet processing device in the packet transfer route.

35. An article of manufacture, comprising:
- a computer usable medium having computer readable program code means embodied therein for causing a computer to function as a packet processing device for relaying a packet transmitted from a source computer to a destination computer in a network system formed by a plurality of computer networks, the packet processing device being provided at a boundary between one computer network and an external of said one computer network, the compute readable program code means including;
  
  first computer readable program code means for causing said computer to inspect a corresponding link-by-link authentication data attached to the packet received from an adjacent packet processing device in the packet transfer route, without inspecting an end-to-end authentication data for inspection by a destination side packet processing device managing the destination computer and not by any intermediate packet processing device in the packet transfer route which is also attached to the packet; and
  
  second computer readable program code means for causing said computer to transfer the packet to a next packet processing device in the packet transfer route when the packet is authenticated by an inspection of the corresponding link-by-link authentication data by the first computer readable program code means.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Original Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Inventors
Ishiyama, Masahiro, Shimbo, Atsushi, Inoue, Atsushi, Okamoto, Toshio
Primary Examiner(s)
Hayes, Gail O.
Assistant Examiner(s)
SAYADIAN, HRAYR

Application Number

US08/758,479
Time in Patent Office

1,327 Days
Field of Search

380/23, 380/25, 380/49, 380/50, 380/258, 395/200.58, 395/200.59, 395/200.68, 395/200.75, 709/228, 709/229, 709/238, 709/245, 709/240, 709/242, 709/243, 709/244, 713/162, 713/153, 713/168, 713/181
US Class Current

713/153
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/12   Applying verification of th...

H04L 63/164   at the network layer

Packet authentication and packet encryption/decryption scheme for security gateway

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

274 Citations

35 Claims

Specification

Use Cases

Quick Links

Others

Packet authentication and packet encryption/decryption scheme for security gateway

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

274 Citations

35 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others