Relay apparatus for encrypting and relaying a frame

US 7,979,693 B2
Filed: 01/12/2007
Issued: 07/12/2011
Est. Priority Date: 08/09/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A relay apparatus that relays a frame in a data link layer, the relay apparatus comprising:

a plurality of ports to transmit and receive the frame to and from an outside of the relay apparatus;

a frame relay processing unit to relay the frame between two of the plurality of ports; and

a cryptographic processing unit thatis provided between a determined one of the plurality of ports and the frame relay processing unit;

has a first interface to transmit and receive the frame to and from the determined one of the plurality of ports,has a second interface to transmit and receive the frame to and from the frame relay processing unit,performs an encryption process when receiving the frame from either one of the first interface or the second interface, andperforms a decryption process when receiving the frame, which is encrypted, from the other one of the first interface or the second interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A relay apparatus comprises a frame relay processing unit for relaying a frame, a plurality of ports for sending and receiving the frame to and from the outside, and a cryptographic processing module corresponding to each of the ports. Each cryptographic processing module is connected to the corresponding port and to the frame relay processing unit by means of general-purpose interfaces such as MII. The cryptographic processing module performs the encryption process and decryption process so that the frame relay processing unit can concentrate on the relay process and the relay speed is not subject to degradation. Also, the cryptographic processing module can generate a different cryptographic key for each frame without requiring dynamic exchange of key information.

32 Citations

View as Search Results

20 Claims

1. A relay apparatus that relays a frame in a data link layer, the relay apparatus comprising:
- a plurality of ports to transmit and receive the frame to and from an outside of the relay apparatus;
  
  a frame relay processing unit to relay the frame between two of the plurality of ports; and
  
  a cryptographic processing unit thatis provided between a determined one of the plurality of ports and the frame relay processing unit;
  
  has a first interface to transmit and receive the frame to and from the determined one of the plurality of ports,has a second interface to transmit and receive the frame to and from the frame relay processing unit,performs an encryption process when receiving the frame from either one of the first interface or the second interface, andperforms a decryption process when receiving the frame, which is encrypted, from the other one of the first interface or the second interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The relay apparatus according to claim 1, whereinwhen the frame contains Virtual Local Area Network identification information to identify a Virtual Local Area Network, the cryptographic processing unit determines whether to perform either the encryption process or the decryption process to the received frame, or whether not to perform either process to the received frame, according to the Virtual Local Area Network identification information.
  - 3. The relay apparatus according to claim 1, whereinin the encryption process, the cryptographic processing unit encrypts a data part of the frame excluding a header, and generates the encrypted frame by disposing a cryptographic header containing information required for a decryption in a position between the header and encrypted data obtained by encrypting the data part.
  - 4. The relay apparatus according to claim 1, whereinthe cryptographic processing unit performs the encryption process when receiving the frame from the determined one of the plurality of ports via the first interface, and transmits the generated encrypted frame to the frame relay processing unit via the second interface, andthe cryptographic processing unit performs the decryption process when receiving the frame from the frame relay processing unit via the second interface, and transmits the decrypted frame to the determined one of the plurality of ports via the first interface.
  - 5. The relay apparatus according to claim 1, whereinthe cryptographic processing unit performs the decryption process when receiving the frame from the determined one of the plurality of ports via the first interface, and transmits the decrypted frame to the frame relay processing unit via the second interface, andthe cryptographic processing unit performs the encryption process when receiving the frame from the frame relay processing unit via the second interface, and transmits the generated encrypted frame to the determined one of the plurality of ports via the first interface.
  - 6. The relay apparatus according to claim 1, whereinthe cryptographic processing unit includes a number storage unit to store a sequence number, andwhen performing the encryption process, the cryptographic processing unit generates a cryptographic key using the sequence number, generates the encrypted frame by encrypting the frame using the cryptographic key, incorporates the sequence number into the encrypted frame, and changes a value of the sequence number stored in the number storage unit, andwhen performing the decryption process, the cryptographic processing unit generates the cryptographic key using the sequence number incorporated into the encrypted frame, and performs the decryption process using the cryptographic key.
  - 7. The relay apparatus according to claim 6, whereinthe cryptographic processing unit generates the cryptographic key further using Media Access Control header information obtained from either a destination Media Access Control address, a source Media Access Control address, or both, contained in the frame.
  - 8. The relay apparatus according to claim 6, whereinthe cryptographic processing unit generates the cryptographic key further using a pre-shared key that is a value preset in each of a plurality of the relay apparatuses combined to be used to transmit and receive the encrypted frame as an identical value from among the plurality of relay apparatuses.
  - 9. The relay apparatus according to claim 8, whereinthe cryptographic processing unit generates a random value by giving, as a seed, a value calculated using a character string defined uniquely by firmware in the relay apparatus and the pre-shared key to a random function that generates an identical value from a same seed, and generates the cryptographic key using the random value.
  - 10. The relay apparatus according to claim 8, whereinthe cryptographic processing unit calculates a hash value by using, as an argument of a hash function, a value calculated using a character string defined uniquely by firmware in the relay apparatus and the pre-shared key and generates the cryptographic key using the hash value.
  - 11. The relay apparatus according to claim 6, whereinthe cryptographic processing unit generates the cryptographic key using a hash function.
  - 12. The relay apparatus according to claim 1, whereinin the encryption process, the cryptographic processing unit further divides the encrypted frame and generates a plurality of fragment frames when a length of the encrypted frame exceeds a predetermined length, andin the decryption process, the cryptographic processing unit further determines whether a received frame is the fragment frame or the undivided encrypted frame, and when determining the received frame as the fragment frame, receives all of the plurality of fragment frames corresponding to the encrypted frame before a division, and reassembles all of the plurality of fragment frames into the encrypted frame before the division.
  - 13. The relay apparatus according to claim 1, whereineach of the first interface and the second interface is a medium independent interface or a gigabit medium independent interface.
  - 14. The relay apparatus according to claim 1, wherein the cryptographic processing unit is provided for each of the plurality of ports.
  - 15. The relay apparatus according to claim 1, whereinthe encryption process generates an encrypted frame by encrypting the received frame andthe decryption process decrypts the received frame, which is encrypted.

16. A relay apparatus that relays a frame in a data link layer, the relay apparatus comprising:
- a plurality of ports to transmit and receive the frame to and from an outside of the relay apparatus;
  
  a frame relay processing unit to relay the frame; and
  
  a cryptographic processing unit thathas a first interface to transmit and receive the frame to and from one of the plurality of ports,has a second interface to transmit and receive the frame to and from the frame relay processing unit,performs an encryption process when receiving the frame from either one of the first interface or the second interface by encrypting the frame and generating an encrypted frame,performs a decryption process when receiving the encrypted frame from the other one of the first interface or the second interface by decrypting the encrypted frame, andhas a number storage unit to store a sequence number, whereinwhen performing the encryption process, the cryptographic processing unit generates a cryptographic key using the sequence number, generates the encrypted frame by encrypting the frame using the cryptographic key, incorporates the sequence number into the encrypted frame, and changes a value of the sequence number stored in the number storage unit,when performing the decryption process, the cryptographic processing unit generates the cryptographic key using the sequence number incorporated into the encrypted frame, and performs the decryption process using the cryptographic key,the cryptographic processing unit generates M number of values, M being 2 or a larger integral number, and stores the M number of values as candidate values , according to a pre-shared key that is a value preset in each of a plurality of the relay apparatuses combined to be used to transmit and receive the encrypted frame as an identical value from among the plurality of relay apparatuses, andthe cryptographic processing unit selects one of the M number of candidate values according to the sequence number, and generates the cryptographic key using the selected candidate value.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The relay apparatus according to claim 16, whereinthe cryptographic processing unit generates, for each of M number of different index values, corresponding one of the M number of candidate valuesby calculating a seed using a character string defined uniquely by firmware in the relay apparatus, the pre-shared key, and the index value, andby calculating a random value by giving the seed to a random function that generates an identical value from a same seed.
  - 18. The relay apparatus according to claim 16, whereinthe cryptographic processing unit generates, for each of M number of different index values, corresponding one of the M number of candidate values by giving, as an argument of a hash function, a value calculated using a character string defined uniquely by firmware in the relay apparatus, the pre-shared key, and the index value.
  - 19. The relay apparatus according to claim 16, whereineach of the first interface and the second interface is a medium independent interface or a gigabit medium independent interface.
  - 20. The relay apparatus according to claim 16, wherein the cryptographic processing unit is provided for each of the plurality of ports.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Obara, Satoshi, Nakajima, Yukihiro, Sakuma, Takayuki, Iida, Takamitsu, Sakurai, Hideshi
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Wyszynski; Aubrey H

Application Number

US11/622,750
Publication Number

US 20080052533A1
Time in Patent Office

1,642 Days
Field of Search

713/153, 713/189, 713/181, 713/187
US Class Current

713/153
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4645   Details on frame tagging ro...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

H04L 9/0869   involving random numbers or...

Relay apparatus for encrypting and relaying a frame

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Relay apparatus for encrypting and relaying a frame

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links