Device for processing data packets

Cryptography – Key management – Having particular key generator

Patent

Details

380 33, H04L 900

Patent

active

058704795

DESCRIPTION:

BRIEF SUMMARY
BACKGROUND OF THE INVENTION

The present invention relates to a device for processing data packets. More particularly, the present invention relates to a device for cryptographically processing data packets, said device comprising identification means for identifying a data packet, processing means for cryptographically processing the data packet, memory means for storing information relating to the processing, and control means for selecting information related to the data packet. A device of this type is disclosed in the Specification of U.S. Pat. No. 5,048,087.
In practice it is known to arrange for data communication, including telephony, to take place by means of data packets. Diverse techniques for data communication with the aid of data packets, such as X.25 and ATM ("asynchronous transfer mode"), are known. The need exists to an increasing extent to secure the data traffic by means of encrypting the messages (data packets). For this purpose, an encrypting device can be incorporated at the transmitting end and a decrypting device at the receiving end in the data connection concerned.
In modern data communication techniques, data packets belonging to a plurality of logical connections are transmitted via a single physical connection. Such logical connections will hereinafter generally be referred to as channels. Thus, for example, in the case of ATM, a plurality of "virtual channels" and "virtual paths" may use the same physical connection. At the same time, there is no fixed correlation between the consecutive data packets, referred to as "cells" in the case of ATM. The channel to which the data packet belongs can be read only from the header of each data packet.
If one or more of said channels is to be secured by encrypting, measures have to be taken to encrypt and decrypt data packets of a particular logical connection in a particular way, for example with a key belonging to the logical connection. For this purpose, the data packets of the different logical connections have to be identified in order to be able to determine the particular channel, and consequently, for example, the associated key, of a particular data packet.
In the device disclosed in U.S. Pat. No. 5,048,087, the identification means are formed by a packet identifier. Stored in a memory is a plurality of keys, one of which is retrieved in each case in order to process a data packet of a particular channel (logical connection) in the cryptographic unit provided therefor. In addition, in the known device, a cryptographic residue is, in each case, retrieved or, respectively, stored in addition to the key. Such a cryptographic residue can represent the status of a cryptographic process by which related data packets are encrypted or decrypted, respectively.
The known device has the disadvantage that it is relatively slow. For each incoming data packet, the matching key and the matching residue have to be loaded on the basis of the identification, after which the cryptographic processing (encrypting or decrypting) takes place. After the processing, the new residue (and possibly the key) has to be stored, in each case, before a subsequent data packet can be processed. It will be clear that the repeated performance, that is to say the performance for each data packet, of said steps takes place at the expense of the processing speed of the known device and, consequently, of the throughput speed of the data packets to be processed.
The storage and retrieval of only a key for each channel, which is disclosed per se, for example, in the publication "Data security in packet switched networks", which is specified in greater detail below, may, in principle, be faster but still requires a relatively large amount of processing time. Such a solution is furthermore unsuitable for cryptographic procedures whose status has to be stored between two processing steps. It is precisely such procedures which are at present much used for encrypting data communication.
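
The per-packet load, process and store cycle described above, as an added example (not code from the patent or from the cited prior art): a context table indexed by channel holds a key and a residue, and a receiver that keeps only the key loses synchronisation after the first cell of each channel. The channel identifiers, keys and payloads are constructed, and the feedback mode built on HMAC-SHA-512 is an assumption chosen only to make the residue visible.

```python
import hashlib
import hmac

CELL_PAYLOAD = 48  # payload bytes carried by one ATM cell


def keystream(key: bytes, residue: bytes) -> bytes:
    # Toy keyed function for illustration only, not a vetted cipher mode.
    return hmac.new(key, residue, hashlib.sha512).digest()[:CELL_PAYLOAD]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ChannelCrypto:
    """Context table: channel id -> [key, residue]."""

    def __init__(self, keys, keep_residue=True):
        self.table = {ch: [k, bytes(CELL_PAYLOAD)] for ch, k in keys.items()}
        self.keep_residue = keep_residue

    def process(self, channel, payload, decrypt=False):
        key, residue = self.table[channel]            # load key and residue
        out = xor(payload, keystream(key, residue))   # cryptographic processing
        if self.keep_residue:                         # store the new residue
            # The residue is the last ciphertext seen on this channel.
            self.table[channel][1] = payload if decrypt else out
        return out


def run(cells, keys, receiver_keeps_residue):
    """Encrypt interleaved cells, then decrypt them at the receiving end."""
    tx = ChannelCrypto(keys)
    rx = ChannelCrypto(keys, keep_residue=receiver_keeps_residue)
    wire = [(ch, tx.process(ch, p)) for ch, p in cells]
    return [(ch, rx.process(ch, c, decrypt=True)) for ch, c in wire]


# Constructed sample: two channels, identified by (VPI, VCI), interleaved
# on one physical connection.
KEYS = {(0, 32): b"key-for-channel-A", (0, 33): b"key-for-channel-B"}
CELLS = [((0, 32), b"A1".ljust(CELL_PAYLOAD, b".")),
         ((0, 33), b"B1".ljust(CELL_PAYLOAD, b".")),
         ((0, 32), b"A2".ljust(CELL_PAYLOAD, b".")),
         ((0, 33), b"B2".ljust(CELL_PAYLOAD, b"."))]

if __name__ == "__main__":
    print("key + residue per channel:", run(CELLS, KEYS, True) == CELLS)
    print("key only per channel:     ", run(CELLS, KEYS, False) == CELLS)
```
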
International Patent Application WO93/09627 discloses a cryptographic apparatus for use in

REFERENCES:
patent: 5048087 (1991-09-01), Trbovich et al.
patent: 5235644 (1993-08-01), Gupta et al.
patent: 5323389 (1994-06-01), Bitz et al.
patent: 5381481 (1995-01-01), Gammie et al.
W. Diffie et al., "Privacy and Authentication: An Introduction to Cryptography", Proceedings of the IEEE, Mar. 1979, vol. 67, No. 3, pp. 397-427.
J.R. Sherwood, "Data Security In Packet Switched Networks", Second IEEE National Conference on Telecommunications, York, United Kingdom, Apr. 24, 1989, pp. 375-379.
