Method and system for secret communication between nodes

US 8,966,257 B2
Filed: 06/02/2010
Issued: 02/24/2015
Est. Priority Date: 12/18/2009
Status: Active Grant

First Claim

Patent Images

1. A method for secure communication between nodes in a wired local area network, comprising:

1) creating a shared key between nodes comprising between a terminal and a switching device, between every two switching devices and between two terminals directly connected to the same switching device;

2) seeking a switching route between the nodes to obtain information on the switching route between the nodes;

3) determining the type of data communication between the nodes according to the information on the switching route; and

4) performing secure communication between the nodes by using a different secure communication strategy according to a different type of data communication between the nodes;

wherein the information on the switching route from a transmission source node N_Sourceto a destination node N_Destinationis defined as a four-tuple of identifiers comprising ID_Source, ID_SW-first, ID_SW-lastand ID_Destination;

wherein;

ID_Source;

represents the identifier of the transmission source node N_Source;

ID_SW-first;

represents the identifier of a first switching device SW-first through which the data packet from the transmission source node N_Sourceto the destination node N_Destinationpasses;

ID_SW-last;

represents the identifier of a last switching device SW-last through which the data packet from the transmission source node N_Sourceto the destination node N_Destinationpasses;

ID_Destination;

represents the identifier of the destination node N_Destinationwhich is a terminal or a switching device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses a method and system for secret communication between nodes in a wired Local Area Network (LAN). The method of secret communication between nodes in the wired LAN includes the following steps: 1) a sharing key is established; 2) the route probe is exchanged; 3) the data communication is classified; 4) the secret communication is processed among the nodes. According to the different communication situations among the nodes, the method of secret communication between nodes provided in the present invention can process the classification and select an appropriate secret communication strategy; compared with per-hop encryption, the calculation load of the exchange equipment is reduced, and the transmission delay of data packets is shortened; compared with the method that inter-station keys are established in pairs of nodes in order to protect the communication secret, the key number is reduced, and the key management is simplified.

4 Citations

15 Claims

1. A method for secure communication between nodes in a wired local area network, comprising:
- 1) creating a shared key between nodes comprising between a terminal and a switching device, between every two switching devices and between two terminals directly connected to the same switching device;
  
  2) seeking a switching route between the nodes to obtain information on the switching route between the nodes;
  
  3) determining the type of data communication between the nodes according to the information on the switching route; and
  
  4) performing secure communication between the nodes by using a different secure communication strategy according to a different type of data communication between the nodes;
  
  wherein the information on the switching route from a transmission source node N_Sourceto a destination node N_Destinationis defined as a four-tuple of identifiers comprising ID_Source, ID_SW-first, ID_SW-lastand ID_Destination;
  
  wherein;
  
  ID_Source;
  
  represents the identifier of the transmission source node N_Source;
  
  ID_SW-first;
  
  represents the identifier of a first switching device SW-first through which the data packet from the transmission source node N_Sourceto the destination node N_Destinationpasses;
  
  ID_SW-last;
  
  represents the identifier of a last switching device SW-last through which the data packet from the transmission source node N_Sourceto the destination node N_Destinationpasses;
  
  ID_Destination;
  
  represents the identifier of the destination node N_Destinationwhich is a terminal or a switching device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method for secure communication between nodes in a wired local area network according to claim 1, wherein the step 1) is performed by:
    - 1.1) creating a shared key referred to as a Unicast Session Key, USK, between adjacent nodes;
      
      1.2) creating a shared key referred to as a SWitch key, SWkey, between every two switching devices in the local area network; and
      
      1.3) creating a shared key referred to as a station key, STAkey, between two terminals directly connected to the same switching device according to a selected local strategy.
  - 3. The method for secure communication between nodes in a wired local area network according to claim 1, wherein:
    - a switching device which receives a data packet from the transmission source node N_Sourceto the destination node N_Destinationbut is absent in the four-tuple of identifiers of the information on the switching route is referred to as an intermediate switching device; and
      
      the step
      
      2) is performed by;
      
      2.1) the transmission source node N_Sourcetransmitting a switching route seeking packet to the destination node N_Destination, wherein the packet generally comprises the four-tuple of identifiers;
      
      whereinif the transmission source node N_Sourceis a switching device, then ID_SW-firstis ID_Source; and
      
      if the transmission source node N_Sourceis a terminal, then ID_SW-firstis the identifier of a switching device directly connected to the transmission source node N_Source; and
      
      the ID_SW-lastfield is unknown in the switching route seeking packet;
      
      2.2) the destination node N_Destinationtransmitting a switching route response packet to the transmission source node N_Source; and
      
      2.3) the respective nodes receiving the switching route response packet.
  - 4. The method for secure communication between nodes in a wired local area network according to claim 3, wherein after the destination node N_Destinationreceives the switching route seeking packet transmitted from the transmission source node N_Source, the step 2.2) is performed by:
    - 2.2.1) determining information on the last switching device SW-last through which the data packet transmitted from the transmission source node N_Sourcepasses;
      
      if the destination node N_Destinationis a switching device, then ID_SW-lastis ID_Destination; and
      
      if the destination node N_Destinationis a terminal, then ID_SW-lastis the identifier of a switching device directly connected to the terminal;
      
      2.2.2) recording the four-tuple of identifiers, wherein ID_Source, ID_SW-firstand ID_Destinationare of the same values of respective fields in the received switching route seeking packet, and at this time the values of all the fields of the four-tuple have been definite, wherein the four-tuple of identifiers comprises ID_Source, ID_SW-first, ID_SW-lastand ID_Destination; and
      
      2.2.3) constructing and transmitting a switching route response packet to the transmission source node N_Source, wherein the packet comprises the four-tuple of identifiers with the definite values of all the fields, wherein the four-tuple of identifiers comprises ID_Source, ID_SW-first, ID_SW-lastand ID_Destination.
  - 5. The method for secure communication between nodes in a wired local area network according to claim 4, wherein after the respective nodes receive the switching route response packet transmitted from the destination node N_Destination, the step 2.3) is performed by:
    - 2.3.1) the switching device receiving the switching route response packet, and recording the four-tuple of identifiers and then forwarding the packet if its own identifier is present in the four-tuple of identifiers in the packet or directly forwarding the packet if its own identifier is absent in the four-tuple of identifiers in the packet, wherein the four-tuple of identifiers comprises ID_Source, ID_SW-first, ID_SW-lastand ID_Destination; and
      
      2.3.2) the transmission source node N_Sourcerecording the four-tuple of identifiers upon reception of the switching route response packet to thereby finish the current switching route seeking process, wherein the four-tuple of identifiers comprises ID_Source, ID_SW-first, ID_SW-lastand ID_Destination.
  - 6. The method for secure communication between nodes in a wired local area network according to claim 5, wherein the step 3) is performed by:
    - determining the type of data communication from the transmission source node N_Sourceto the destination node N_Destinationaccording to the obtained information on the four-tuple, comprising ID_Source, ID_SW-first, ID_SW-lastand ID_Destination, of the switching route, by;
      
      3.1) determining whether ID_SW-first=ID_Sourceholds, and if so, then the transmission source node N_Sourcebeing a switching device, and performing the step 3.2);
      
      otherwise, then the transmission source node N_Sourcebeing a terminal, and performing the step 3.4);
      
      3.2) determining whether ID_SW-last=ID_Destinationholds, and if so, then the destination node N_Destinationbeing a switching device, and data communication from the transmission source node N_Sourceto the destination node N_Destinationbeing communication from a switching device to a switching device and belonging to the type of communication from a switching device to a switching device;
      
      otherwise, the destination node N_Destinationbeing a terminal, and performing the step 3.3);
      
      3.3) determining whether ID_SW-last=ID_SW-firstholds, and if so, then data from the transmission source node N_Sourceto the destination node N_Destinationpassing through only one switching device, and data communication from the transmission source node N_Sourceto the destination node N_Destinationbeing communication from a switching device to a terminal directly connected to the switching device and belonging to the type of communication from a switching device to a terminal directly connected to the switching device;
      
      otherwise, data from the transmission source node N_Sourceto the destination node N_Destinationpassing through more than two switching devices, and data communication from the transmission source node N_Sourceto the destination node N_Destinationbeing communication from a switching device to a terminal indirectly connected to the switching device and belonging to the type of communication from a switching device to a terminal indirectly connected to the switching device;
      
      3.4) determining whether ID_SW-last=ID_Destinationholds, and if so, then the destination node N_Destinationbeing a switching device, and performing the step 3.5);
      
      otherwise, the destination node N_Destinationbeing a terminal, and performing the step 3.6);
      
      3.5) determining whether ID_SW-last=ID_SW-firstholds, and if so, then data from the transmission source node N_Sourceto the destination node N_Destinationpassing through only one switching device, and data communication from the transmission source node N_Sourceto the destination node N_Destinationbeing communication from a terminal to a switching device directly connected to the terminal and belonging to the type of communication from a terminal to a switching device directly connected to the terminal;
      
      otherwise, data from the transmission source node N_Sourceto the destination node N_Destinationpassing through more than two switching devices, and data communication from the transmission source node N_Sourceto the destination node N_Destinationbeing communication from a terminal to a switching device indirectly connected to the terminal and belonging to the type of communication from a terminal to a switching device indirectly connected to the terminal; and
      
      3.6) determining whether ID_SW-last=ID_SW-firstholds, and if so, then data from the transmission source node N_Sourceto the destination node N_Destinationpassing through only one switching device, and data communication from the transmission source node N_Sourceto the destination node N_Destinationbeing communication from a terminal to another terminal directly connected to the same switching device and belonging to the type of communication from a terminal to another terminal directly connected to the same switching device;
      
      otherwise, data from the transmission source node N_Sourceto the destination node N_Destinationpassing through more than two switching devices, and data communication from the transmission source node N_Sourceto the destination node N_Destinationbeing communication from a terminal to another terminal directly connected to a different switching device and belonging to the type of communication from a terminal to another terminal directly connected to a different switching device.
  - 7. The method for secure communication between nodes in a wired local area network according to claim 6, wherein when the type of data communication is the type of communication from a switching device to a switching device, its strategy of secure communication between nodes is performed by:
    - 4.1.1) the transmitting source node N_Sourceencrypting the data packet using the switch key shared between the transmitting source node N_Sourceand the destination node N_Destination, wherein the transmitting source node N_Sourceis a switching device or the first switching device SW-first, and the destination node N_Destinationis a switching device or the last switching device SW-last;
      
      4.1.2) if there is intermediate switching device, then the intermediate switching device receiving and directly forwarding the communication data packet of the type of communication from a switching device to a switching device; and
      
      4.1.3) the destination node N_Destinationdecrypting the data packet using the switch key shared between the transmitting source node N_Sourceand the destination node N_Destination.
  - 8. The method for secure communication between nodes in a wired local area network according to claim 6, wherein when the type of data communication is the type of communication from a switching device to a terminal directly connected to the terminal, its strategy of secure communication between nodes is performed by:
    - 4.2.1) the transmitting source node N_Sourceencrypting the data packet using the unicast session key shared between the transmitting source node N_Sourceand the destination node N_Destination, wherein the transmitting source node N_Sourceis a switching device, the first switching device SW-first or the last switching device SW-last, and the destination node N_Destinationis a terminal; and
      
      4.2.2) the destination node N_Destinationdecrypting the data packet using the unicast session key shared between the transmitting source node N_Sourceand the destination node N_Destination.
  - 9. The method for secure communication between nodes in a wired local area network according to claim 6, wherein when the type of data communication is the type of communication from a switching device to a terminal indirectly connected to the switching device, its strategy of secure communication between nodes is performed by:
    - 4.3.1) the transmitting source node N_Sourceencrypting the data packet using the switch key shared between the transmitting source node N_Sourceand the last switching device SW-last, wherein here the transmitting source node N_Sourceis a switching device or the first switching device SW-first;
      
      4.3.2) if there is intermediate switching device, then the intermediate switching device directly forwarding the data packet of the type of communication from a switching device to a terminal indirectly connected to the switching device;
      
      4.3.3) the last switching device SW-last decrypting the data packet using the switch key shared between the transmission source node N_Sourceand the last switching device SW-last, then encrypting the data packet using the unicast session key shared between the last switching device SW-last and the destination node N_Destinationand then forwarding the data packet, wherein the destination node N_Destinationis a terminal; and
      
      4.3.4) the destination node N_Destinationdecrypting the data packet using the unicast session key shared between the last switching device SW-last and the destination node N_Destination.
  - 10. The method for secure communication between nodes in a wired local area network according to claim 6, wherein when the type of data communication is the type of communication from a terminal to a switching device directly connected to the terminal, its strategy of secure communication between nodes is performed by:
    - 4.4.1) the transmission source node N_Sourceencrypting the data packet using the unicast session key shared between the transmission source node N_Sourceand the destination node N_Destination, wherein the transmission source node N_Sourceis a terminal, and the destination node N_Destinationis a switching device, the first switching device SW-first or the last switching device SW-last; and
      
      4.4.2) the destination node N_Destinationdecrypting the data packet using the unicast session key shared between the transmission source node N_Sourceand the destination node N_Destination.
  - 11. The method for secure communication between nodes in a wired local area network according to claim 6, wherein when the type of data communication is the type of communication from a terminal to a switching device indirectly connected to the terminal, its strategy of secure communication between nodes is performed by:
    - 4.5.1) the transmitting source node N_Sourceencrypting the data packet using the unicast session key shared between the transmitting source node N_Sourceand the first switching device SW-first, wherein the transmitting source node N_Sourceis a terminal;
      
      4.5.2) the first switching device SW-first decrypting the data packet using the unicast session key shared between the transmission source node N_Sourceand the first switching device SW-first, then encrypting the data packet using the switch key shared between the first switching device SW-first and the destination node N_Destinationand then forwarding the data packet, wherein the destination node N_Destinationis a switching device or the last switching device SW-last;
      
      4.5.3) if there is intermediate switching device, then the intermediate switching device directly forwards the data packet of the type of communication from a terminal to a switching device indirectly connected to the terminal; and
      
      4.5.4) the destination node N_Destinationdecrypting the data packet using the switch key shared between the destination node N_Destinationand the first switching device SW-first.
  - 12. The method for secure communication between nodes in a wired local area network according to claim 6, wherein when the type of data communication is the type of communication from a terminal to another terminal directly connected to the same switching device, its strategy of secure communication between nodes is performed by:
    - 4.6.1) adopting a secure communication strategy as follows for the type of communication from a terminal to another terminal directly connected to the same switching device with a created station key;
      
      4.6.1.1) the transmission source node N_Sourceencrypts the data packet using the station key shared between the transmission source node N_Sourceand the destination node N_Destination, wherein the destination node N_Destinationis a terminal;
      
      4.6.1.2) the first switching device SW-first directly forwards the data packet of the type of communication from a terminal to another terminal directly connected to the same switching device, wherein the first switching device SW-first is also the last switching device SW-last; and
      
      4.6.1.3) the destination node N_Destinationdecrypts the data packet using the station key shared between the transmission source node N_Sourceand the destination node N_Destination; and
      
      4.6.2) adopting a secure communication strategy as follows for the type of communication from a terminal to another terminal directly connected to the same switching device without any created station key;
      
      4.6.2.1) the transmission source node N_Sourceencrypts the data packet using the unicast session key shared between the transmission source node N_Sourceand a switching device directly connected to the transmission source node N_Source;
      
      4.6.2.2) the first switching device SW-first decrypts the data packet using the unicast session key shared between the transmission source node N_Sourceand the first switching device SW-first, then encrypts the data packet using the unicast session key shared between the first switching device SW-first and the destination node N_Destinationand then forwards the data packet, wherein the first switching device SW-first is also the last switching device SW-last; and
      
      4.6.2.3) the destination node N_Destinationdecrypts the data packet using the unicast session key shared between the destination node N_Destinationand the switching device directly connected to the destination node N_Destination.
  - 13. The method for secure communication between nodes in a wired local area network according to claim 6, wherein when the type of data communication is the type of communication from a terminal to another terminal directly to a different switching device, its strategy of secure communication between nodes is performed by:
    - 4.7.1) the transmission source node N_Sourceencrypting the data packet using the unicast session key shared between the transmission source node N_Sourceand the first switching device SW-first, wherein the transmission source node N_Sourceis a terminal;
      
      4.7.2) the first switching device SW-first decrypting the data packet using the unicast session key shared between the transmission source node N_Sourceand the first switching device SW-first, then encrypting the data packet using the switch key shared between the first switching device SW-first and the last switching device SW-last and then forwarding the data packet;
      
      4.7.3) if there is intermediate switching device, then the intermediate switching device directly forwarding the data packet of the type of communication from a terminal to another terminal directly connected to a different switching device;
      
      4.7.4) the last switching device SW-last decrypting the data packet using the switch key shared between the first switching device SW-first and the last switching device SW-last, then encrypting the data packet using the unicast session key shared between the last switching device SW-last and the destination node N_Destinationand then forwarding the data packet, wherein the destination node N_Destinationa terminal; and
      
      4.7.5) the destination node N_Destinationdecrypting the data packet using the unicast session key shared between the last switching device SW-last and the destination node N_Destination.

14. A system for secure communication between nodes in a wired local area network comprising a transmission source node N_Source, a first switching device SW-first, a second switching device SW-last and a destination node N_Destination, wherein a shared key is created between nodes comprising between a terminal and a switching device, between every two switching devices and between two terminals directly connected to the same switching device, and wherein:
- the transmission source node N_Sourceis configured to transmit a switching route seeking packet and an encrypted data packet to the destination node N_Destination, to receive a switching route response packet transmitted from the destination node N_Destination, to record information on a switching route from the transmission source node N_Sourceto the destination node N_Destination, to determine the type of data communication from the transmission source node N_Sourceto the destination node N_Destination, and to perform secure communication between the nodes by using a corresponding secure communication strategy according to the type of data communication;
  
  the first switching device SW-first is configured to forward the data packet from the transmission source node N_Sourceto the destination node N_Destination, to record the information on the switching route from the transmission source node N_Sourceto the destination node N_Destination, to determine the type of data communication from the transmission source node N_Sourceto the destination node N_Destination, and to perform secure communication between the nodes by using a corresponding secure communication strategy according to the type of data communication;
  
  the second switching device SW-last is configured to forward the data packet from the transmission source node N_Sourceto the destination node N_Destination, to record the information on the switching route from the transmission source node N_Sourceto the destination node N_Destination, to determine the type of data communication from the transmission source node N_Sourceto the destination node N_Destination, and to perform secure communication between the nodes by using a corresponding secure communication strategy according to the type of data communication,the destination node N_Destinationis configured to receive the switching route seeking packet and the encrypted data packet transmitted from the transmission source node N_Source, to transmit the switching route response packet to the transmission source node N_Source, to record the information on the switching route from the transmission source node N_Sourceto the destination node N_Destination, to determine the type of data communication from the transmission source node N_Sourceto the destination node N_Destination, and to perform secure communication between the nodes by using a corresponding secure communication strategy according to the type of data communication;
  
  wherein the information on the switching route from the transmission source node N_Sourceto the destination node N_Destinationcomprises ID_Source, ID_SW-first, ID_SW-lastand ID_Destination;
  
  wherein;
  
  ID_Source;
  
  represents the identifier of the transmission source node N_Source;
  
  ID_SW-first;
  
  represents the identifier of a first switching device SW-first through which the data packet from the transmission source node N_Sourceto the destination node N_Destinationpasses;
  
  ID_SW-last;
  
  represents the identifier of a last switching device SW-last through which the data packet from the transmission source node N_Sourceto the destination node N_Destinationpasses;
  
  ID_Destination;
  
  represents the identifier of the destination node N_Destinationwhich is a terminal or a switching device.
- View Dependent Claims (15)
- - 15. The system for secure communication between nodes in a wired local area network according to claim 14, further comprising:
    - an intermediate switching device configured to transmit transparently all data packets from the transmission source node N_Sourceto the destination node N_Destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
China Iwncomm Co., Ltd
Original Assignee
China Iwncomm Co., Ltd
Inventors
Tie, Manxia, Cao, Jun, Li, Oin, Ge, Li, Huang, Zhenhai
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US13/516,967
Publication Number

US 20120278623A1
Time in Patent Office

1,728 Days
Field of Search

713/150, 713/168
US Class Current

713/168
CPC Class Codes

H04L 45/26   Route discovery packet

H04L 63/0435   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0471   applying encryption by an i...

H04L 63/062   for key distribution, e.g. ...

H04L 63/162   at the data link layer

H04L 9/0827   involving distinctive inter...

Method and system for secret communication between nodes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

4 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Method and system for secret communication between nodes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

4 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others