Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1997-12-31
2001-05-29
Peeso, Thomas R. (Department: 2767)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S160000, C713S161000
active
06240513
ABSTRACT:
FIELD OF THE INVENTION
The present invention is directed to improvements in a network security device that is connected between a protected computer(“the client”) and a network and/or a protected local area network (LAN) and a wide area network (WAN) as well as a method for using the network security device.
BACKGROUND OF THE INVENTION
A. Network Architecture
An Internet communications network 100 is depicted in FIG. 1 including five transmit or backbone networks A, B, C, D, and E and three stub networks R, Y, and Z. A “backbone” network is an intermediary network which conveys communicated data from one network to another network. A “stub” network is a terminal or endpoint network from which communicated data may only initially originate or ultimately be received. Each network, such as the stub network R, includes one or more interconnected subnetworks I, J, L, and M. As used herein, the term “subnetwork” refers to a collection of one or more nodes, e.g., (c,w), (d), (a), (b,x,y), (q,v), (r,z), (s,u), (e,f,g), (h,i), (j,k,l), (m,n), and (o,p), interconnected by wires and switches for local internodal communication. Each subnetwork may be a local area network (or “LAN”). Each subnetwork has one or more interconnected nodes which may be host computers (“hosts”) u, v, w, x, y, z (indicated by triangles) or routers a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s (indicated by squares). A host is an endpoint node from which communicated data may initially originate or ultimately be received. A router is a node which serves solely as an intermediary node between two other nodes; the router receives communicated data from one node and retransmits the data to another node. Collectively, backbone networks, stub networks, subnetworks, and nodes are referred to herein as “Internet systems”.
FIG. 2 shows a block diagram of a host or router node 10. As shown, the node may include a CPU 11, a memory 12 and one or more I/O ports (or network interfaces) 13-1, 13-2, . . . , 13-N connected to a bus 14. Illustratively, each I/O port 13-1, 13-2, . . . , 13-N is connected by wires, optical fibers, and/or switches to the I/O port of another node. The I/O ports 13-1, 13-2, . . . , 13-N are for transmitting communicated data in the form of a bitstream organized into one or more packets to another node and for receiving a packet from another node. If the host 10 is a host computer attached to a subnetwork which is an Ethernet, then the host will have an I/O port which is an Ethernet interface.
A host which initially generates a packet for transmission to another node is called the source node and a host which ultimately receives the packet is called a destination node. Communication is achieved by transferring packets via a sequence of nodes including the source node, zero or more intermediary nodes, and the destination node, in a bucket brigade fashion. For example a packet may be communicated from the node w to the node c, to the node d, to the node b, and to the node x.
An exemplary packet 40 is shown in FIG. 3A having a payload 41 which contains communicated data (i.e., user data) and a header 42 which contains control and/or address information. Typically, the header information is arranged in layers including an IP layer and a physical layer.
The IP layer typically includes an IP source address, an IP destination address, a checksum, and a hop count which indicates a number of hops in a multihop network. A physical layer header includes a MAC (Media Access Control) address (hardware address) of the source and a MAC address of the destination.
The user data may include a TCP (Transmission Control Protocol) packet including TCP headers or a UDP (User Datagram Protocol) packet including UDP headers. These protocols control, among other things, the packetizing of information to be transmitted, the reassembly of received packets into the originally transmitted information, and the scheduling of transmission and reception of packets (see e.g., D. Comer, “Internetworking With TCP/IP”, Vol. 1 (1991); D. Comer and D. Stevens, “Internetworking With TCP/IP”, Vol. 2 (1991)).
As seen in FIG. 3B, in an exemplary Internet protocol (IP), each node of the Internet 100 is assigned an Internet address (IP address) which is unique over the entire Internet 100, such as the Internet address 30 for the node y shown in FIG. 3B. See Information Sciences Institute, RFC 791, “Internet Protocol”, September 1981. The IP addresses are assigned in a hierarchical fashion; the Internet (IP) address 30 of each node contains an address portion 31 indicating the network of the node, an address portion 32 indicating a particular subnetwork of the node, and a host portion 33 which identifies a particular host or router and discriminates between the individual nodes within a particular subnetwork.
In an Internet system 100 which uses the IP protocol, the IP addresses of the source and destination nodes are placed in the packet header 42 (see FIG. 3A) by the source node. A node which receives a packet can identify the source and destination nodes by examining these addresses.
In an Internet system, it is the IP address of a destination that is known, and the physical address (i.e., MAC address) to be placed in the MAC frame header is to be determined. If the destination host is on the same local area subnetwork (and this is easily determined by observing that the network part in both the source and destination IP addresses is the same), then the destination address that is to go into the MAC header destination address field is simply the physical address of the destination host. The MAC destination address may be found by means of the ARP (Address Resolution Protocol), which comprises having the source host broadcast an ARP request packet with the IP address of the destination host and having the destination host respond with its hardware (MAC) address. This MAC address may be placed in the MAC frame (physical layer) headers.
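The hierarchical address split (portions 31, 32 and 33) and the local-subnetwork test that decides whether ARP resolves the destination host directly can be worked through in code. This is an added example, not code from the patent; the addresses and the network/subnet bit widths are constructed, and the non-local branch (ARP for the router's address instead) goes beyond what the patent text states.

```python
import ipaddress


def split_ip(addr: str, network_bits: int, subnet_bits: int) -> dict:
    """Split a dotted IPv4 address into the three hierarchical portions:
    network (31), subnetwork (32) and host (33). The bit widths are an
    assumption; the patent only says the portions exist."""
    ip = int(ipaddress.IPv4Address(addr))
    host_bits = 32 - network_bits - subnet_bits
    if host_bits <= 0:
        raise ValueError("no bits left for the host portion")
    network = ip >> (32 - network_bits)
    subnet = (ip >> host_bits) & ((1 << subnet_bits) - 1)
    host = ip & ((1 << host_bits) - 1)
    return {"network": network, "subnet": subnet, "host": host}


def same_local_subnetwork(src: str, dst: str, prefix_len: int) -> bool:
    """The test from the text: do source and destination share the same
    network part? prefix_len is the number of leading bits that make up
    the network + subnetwork portions."""
    local = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
    return ipaddress.IPv4Address(dst) in local


def arp_target(src: str, dst: str, prefix_len: int, gateway: str) -> str:
    """Which IP address the source host broadcasts an ARP request for.
    Local destination: the destination host itself, whose MAC reply goes
    into the MAC header. Otherwise (assumption beyond the patent text):
    the router/gateway on the local subnetwork."""
    if same_local_subnetwork(src, dst, prefix_len):
        return dst
    return gateway


if __name__ == "__main__":
    # Constructed sample: 8-bit network, 8-bit subnet, 16-bit host portion.
    print(split_ip("10.1.2.5", 8, 8))
    print(arp_target("10.1.2.5", "10.1.2.200", 24, "10.1.2.1"))
    print(arp_target("10.1.2.5", "10.1.3.7", 24, "10.1.2.1"))
```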
B. Encryption Techniques
Eavesdropping in a network, such as the Internet system 100 of FIG. 1, can be thwarted through the use of a message encryption technique. A message encryption technique employs an encipherment function which utilizes a number referred to as a session key to encipher data (i.e., message content). Only the pair of hosts in communication with each other have knowledge of the session key, so that only the proper hosts, as paired on a particular conversation, can encrypt and decrypt digital signals. Three examples of encipherment functions are (1) the National Bureau of Standards Data Encryption Standard (DES) (see e.g., National Bureau of Standards, “Data Encryption Standard”, FIPS-PUB-45, 1977), (2) Fast Encipherment Algorithm (FEAL) (see e.g., Shimizu and S. Miyaguchi, “FEAL-Fast Data Encipherment Algorithm,” Systems and Computers in Japan, Vol. 19, No. 7, 1988 and S. Miyaguchi, “The FEAL Cipher Family”, Proceedings of CRYPTO '90, Santa Barbara, Calif., August 1990); and (3) International Data Encryption Algorithm (“IDEA”) (see e.g., X. Lai, “On the Design and Security of Block Ciphers,” ETH Series in Information Processing, v.1, Konstanz: Hartung-Gorre Verlag 1992). One way to use an encipherment function is the electronic codebook technique. In this technique a plain text message m is encrypted to produce the cipher text message c using the encipherment function f by the formula c=f(m,sk) where sk is a session key. The message c can only be decrypted with the knowledge of the session key sk to obtain the plain text message m=f(c,sk).
Session key agreement between two communicating hosts may be achieved using public key cryptography. (See e.g., U.S. Pat. Nos. 5,222,140 and 5,299,263).
Before discussing public key cryptographic techniques, it is useful to provide some background information. Most practical modern cryptography is based on two notorious mathematical problems believed (but not proven) to be hard (i.e., not solvable in polynomial time, on the average). The two problems are known as Factorization and Dis
Bozoki Eva
Friedman Aharon
Fortress Technologies, Inc.
Peeso Thomas R.
Proskauer Rose LLP