GB2168573A - Packet switched system - Google Patents

Packet switched system Download PDF

Info

Publication number
GB2168573A
GB2168573A GB08431421A GB8431421A GB2168573A GB 2168573 A GB2168573 A GB 2168573A GB 08431421 A GB08431421 A GB 08431421A GB 8431421 A GB8431421 A GB 8431421A GB 2168573 A GB2168573 A GB 2168573A
Authority
GB
United Kingdom
Prior art keywords
packet
encryption
information field
decryption
packets
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB08431421A
Other versions
GB2168573B (en
Inventor
William Arthur George Walsh
Dennis Gordon Froggatt
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
STC PLC
Original Assignee
STC PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by STC PLC filed Critical STC PLC
Priority to GB08431421A priority Critical patent/GB2168573B/en
Publication of GB2168573A publication Critical patent/GB2168573A/en
Application granted granted Critical
Publication of GB2168573B publication Critical patent/GB2168573B/en
Expired legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12Transmitting and receiving encryption devices synchronised or initially set up in a particular manner

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

End-to-end encryption of traffic in packet networks presents difficulties due to the discontinuous nature of the data. In the present method these difficulties are overcome by sending an initialisation variable (IV) during the initial call setting and controlling the clocking information such that at each end the clock for the encryption or decryption is started at the beginning of the information field and stopped at the end thereof. Thus when the next packet is sent, both cryptos are correctly set. This avoids the need to send such information with each packet, as called for in some known systems. <IMAGE>

Description

SPECIFICATION Packet switched system This invention relates to data transmission systems in which data is conveyed in packetswitched manner. In such systems the packets which together form a message may well have to be sent from a calling terminal to a called terminal via two or more exchanges or nodes.
Security is essential in some cases of communication of information through networks, particularly for data relating to financial transactions, electronic mail etc. Security involves such aspects as authentication of access to information, authentication of data sent by signatures, and protection of traffic from deliberate interference or intervention while in transit through the network which may be public or private, circuit or packet switched, telephony, data or both.
The arrangement to be described herein relates to the end-to-end encryption of traffic in packet networks in which the prior art has limitations in application and effectiveness.
Information is transmitted in packet networks by arranging the data in a framed format such that data link control and error detection information is in the frame. Frames may be concatenated to form a contiguous data stream or, more likely, sent in groups each frame being separated by a variable length delay. In interactive operation the information content of packets may be small and the separation may be relatively long. To operate the network efficiently, packets for other transmissions are interposed in the intervening spaces.
End-to-end encryption must ensure that only the information content of the packet is encrypted since the control information in the frame is needed at intermediate nodes in the network. To decrypt the information, certain encryption parameters must be transmitted to the receiving end to load the decryption devices, and data-related synchronism must be maintained although the data is separated by different time intervals at transmitter and receiver.
Prior art exists in which an Initialisation Variable, IV is sent with each packet and is used at the receiver to reset the decryption device and thus maintain synchronisation. However, this has limitations including: (a) The standard frame format e.g. X25, requires modification to accommodate the additional IV.
(b) The IV which may be 64 bits long is a significant increase to the framing "overhead".
(c) When contiguous packets are sent the increased overhead may involve an increase in the required transmission rate which may exceed the constraints of the system.
A variation exists in which the IV is sent with an initial packet and with succeeding packets if, and only if, the duration between packets exceeds the duration of the iV. This method can only be applied to link encryption (Level 2) since the variable delay and multiplexing encountered in a node disturbs the synchronisation between packets.
An object of the invention is to provide an improvement on the known arrangements referred to above.
According to the invention there is provided a data transmission system of the packet switched type, in which each message to be transmitted consists of one or more data packets each having a header, an information field which may be encrypted, and a tail, in which an initialisation variable is transmitted from the one end of the connection to the other end thereof only during the initial call setting signalling and is used to set the encryption and decryption operations to the same state, in which at the sending end, the end of the header is detected and controls the commencement of the encryption operation during the information field and the start of the tail is detected to stop the encryption operation, and in which at the receiving end, the end of the header is detected and controls the commencement of the decryption operation and the start of the tail is detected to stop the decryption operation, so that between packets the encryption and decryption operations are stopped in exactly similar states.
Embodiments of the invention will now be described with reference to the accompanying drawings, in which Fig. 1 is a simplified schematic of part of a terminal embodying the invention, while Fig. 2 is an explanatory flow diagram.
The present method enables the packetised traffic to be so encrypted that the control overhead associated with each frame is not extended but nevertheless synchronism between encryption and decryption processes is achieved at all times. Thus the information throughput of a transmission, store and forward, system can be maintained without modification to normal operation.
The present method is based on the premise that packet traffic is asynchronous (although a bit synchronous bearer may be used), and that packets can be of variable length and variably spaced. During the establishment of a connection-virtual or real agreement is reached on the need to apply encryption, the necessary key parameters being exchanged. The initialisation variable is sent with this initial exchange and is used to reset both encryption and decryption devices to the same initial condition.
A bit rate clock is generated such that bit synchronism is assured at each end, and that the commencement of the encrypted data content of the packet causes the crypto devices to be advanced from their initial condi tion. At the end of the encrypted data, the clocks are interrupted, thus stopping both crypto devices at the same position. The successive packets cause the cryptos to restart and stop respectively at the beginning and end of each encrypted sequence of data. Thus since the cryptos always restart from the same position in which they were stopped, synchronism between the encryption and decryption devices is generally maintained.
If an external agency disturbs this synchronism, the loss is detected by normal error detection methods used in the system, and an error message is returned to the sending end to request a new initialisation variable, and repeat of the data.
A variation of the present method involves the use of so called 'fast select' procedures in which the whole of the information is in a single packet together with the required address and control information. In this case, the type of packet is identified by a 'facility' code and the encryption and initialisation parameters are within fields preceding the information field. Thus the decryption device is aware of the special type of packet and having been appropriately set starts the algorithm process at the beginning of the information field.
The present system is described as applied to a system of the internationally standardised X25 type, which allows for multiple logical channels to be associated with a single physical link. This complicates the operation of the encryption unit in that between packets it needs to store the logical channel number in association with the appropriate state of the initialisation variable. Therefore, as each logical channel is transmitted over the physical link it is compared with those in store and the required IV transferred into the working IV memory.
Fig. 1 shows as much of an X25 based encryption/decryption unit as is relevant to the present method, the remainder of such a terminal following conventional practice. Information arriving at the unit possibly for encryption enters at an HDLC (high level data link control) unit, which among other functions extracts any control information for the link control LC and network control NC blocks. The information passes from the HDLC block to a buffer B for temporary storage. From here it passes, under clock control, to a crypto unit CU from which the packets, with their information fields encrypted if needed, pass to another HDLC unit for transmission.
Associated with the crypto unit CU, there are a key unit K from which the crypto key is obtained, both when the unit CU is encrypting and also when it is decrypting. Also we have the initialisation variable (IV) generation unit IVU; when a call is set up under control of the microprocessor MP, the call setting information which is initially sent includes encryption keys and an initialisation variable. This notifies the called end as to whether or not the message to be sent is encrypted, this being determined from part of the message as it arrives via the first HDLC block.
The clock is so set, under microprocessor control, that when the first packet is sent, the crypto unit CU is enabled at the commencement of its information field, and is stopped at the end of that field.
At the called end, which is similar to what is shown, the initialisation variable is passed via the link control LC thereat to the microprocessor and clock thereat, so that the microprocessor sets the called end s crypto for the desired encryption. In addition, when the first packet arrives, the clock is enabled so as to start the crypto unit at the commencement of the information field and to stop at the end thereof. The initial call setting operations will, of course, in accordance with normal practice, have resulted in the clocks at the two ends having been brought into synchronism.
Thus when the information field of the first packet ends, we have both crypto units clocks stopped at the same point. When the next packet is sent, both clocks are started at the start of the information field, and they both start from the same point in time. Thus encryption and decryption take place, with the clocks, and thus the crypto devices starting from the same point. When the information field ends, both clocks again'stop. Hence the system only needs one initialisation variable per multipacket message.
To express the system in a slightly different manner, we have the following summary, which should be studied in conjunction with the flow diagram, Fig. 2. note in Fig. 2 that the two blocks marked with asterisks are not required in a single channel system.
(a) What is Required A packet communication system using packets with defined headers and tails, which system has encryption and decryption at each end, and has clock control at each end.
(b) How the System Operates (1) Set up end-to-end connection.
(2) Transfer IV (keys may also be transferred).
(3) Encryptor and decryptor static and may be headed with IV.
(4) Send packet.
AT EACH END: (5) Detect end of header.
(6) Start clock and encryptor/decryptor at commencement of information field.
(7) Detect start of tail.
(8) Stop clock and encryptor/decryptor at end of information field.
THEN (9) Encryptor/decryptor static and loaded with some variables.
(10) Repeat (5) to (8) for next packet.
Thus the above method permits encryption to be applied to the communication of data through a packet network without the need to significantly alter the traffic flow. It has the following advantages: (a) Encryption key and initialisation para meters can be incorporated into call set-up procedures.
(b) Encryption parameters are not required to be sent with each packet when a call con sists of many packets.
(c) The encrypted packet may be transmitted at the same rate and for the same duration as the corresponding unencrypted packet.
(d) It is not required to amend existing Level 2 (HDLC) frame formats and amendments to higher level procedures are easily accommodated.
(e) The method is particularly applicable to packetised voice communication where real time integrity is of importance and packets are kept short.
(f) The method can be applied to data al ready formatted into standard packets e.g.
X25.
(g) The method is compatible with the re quirements of 'fast select' operation.

Claims (6)

1. A data transmission system of the packet switched type, in which each message to be transmitted consists of one or more data packets each having a header, an infor mation field which may be encrypted, and a tail, in which an initialisation variable is transmitted from the one end of the connec tion to the other end thereof only during the initial call setting signalling and is used to set the encryption and decryption operations to the same state, in which at the sending end, the end of the header is detected and controls the commencement of the encryption oper ation during the information field and the start of the tail is detected to stop the encryption operation, and in which at the receiving end, the end of the header is detected and controls the commencement of the decryption oper ation and the start of the tail is detected to stop the decryption operation, so that between packets the encryption and decryption operations are stopped in exactly similar states.
2. A system according to claim 1, in which the encryption and decryption operations are controlled by starting and stopping their ap propriate clocks.
3. A system according to claim 1 or 2, in which call setting signalling, initialisation vari able and encrypted information are all con tained within a single packet.
4. A system according to claim 1, 2 or 3, in which packets belonging to different virtual connections are multiplexed, in which at the end of a packet in the static state the crypographic variables are transferred to a memory and during the header of the next packet the relevant cryptographic variables are loaded from memory.
5. A data transmission system of the packet switched type, in which each message to be transmitted consists of one or more data packets each having at least a header, an information field and a tail, in which when a message to be conveyed is to be encrypted an initialisation variable is transmitted from the calling end of the connection to the called end thereof during the initial call setting signalling, in which at the sending end the encryption operations start at the beginning of the information field and end at the termination of the information field, in which at the called end the receipt of the initialisation variable sets the decryption means to its initial state appropriate to the decryption of the packets to be received, in which at the calling end the termination of the information field of a packet leaves the clocking means at the calling end in a state appropriate to the commencement of encryption of the information field of the next packet, and in which at the called end the termination of the information field of a packet being received and decrypted leaves the clocking means in a state appropriate to the start of the information field of the next packet, whereby the initialisation variable is only sent once for a multipacket message, and is sent separate from the message packets.
6. A data transmission system of the packet-switched type substantially as described with reference to the accompanying drawings.
GB08431421A 1984-12-13 1984-12-13 Packet switched system Expired GB2168573B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB08431421A GB2168573B (en) 1984-12-13 1984-12-13 Packet switched system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB08431421A GB2168573B (en) 1984-12-13 1984-12-13 Packet switched system

Publications (2)

Publication Number Publication Date
GB2168573A true GB2168573A (en) 1986-06-18
GB2168573B GB2168573B (en) 1988-06-08

Family

ID=10571101

Family Applications (1)

Application Number Title Priority Date Filing Date
GB08431421A Expired GB2168573B (en) 1984-12-13 1984-12-13 Packet switched system

Country Status (1)

Country Link
GB (1) GB2168573B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19515680A1 (en) * 1995-04-28 1996-10-31 Sel Alcatel Ag Encoder and decoder for flow of news in packets
WO1999057848A2 (en) * 1998-05-06 1999-11-11 Siemens Aktiengesellschaft Method for transmitting useful data in telecommunication systems

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19515680A1 (en) * 1995-04-28 1996-10-31 Sel Alcatel Ag Encoder and decoder for flow of news in packets
WO1999057848A2 (en) * 1998-05-06 1999-11-11 Siemens Aktiengesellschaft Method for transmitting useful data in telecommunication systems
WO1999057848A3 (en) * 1998-05-06 2000-01-06 Siemens Ag Method for transmitting useful data in telecommunication systems
US6963751B1 (en) 1998-05-06 2005-11-08 Siemens Aktiengesellschaft Method for transmitting service data in telecommunication systems with wireless telecommunication based on a predefined radio interface protocol between telecommunication devices, especially voice data and/or packet data in dect systems

Also Published As

Publication number Publication date
GB2168573B (en) 1988-06-08

Similar Documents

Publication Publication Date Title
CN102037663B (en) For the method and apparatus of data privacy in passive optical networks
US7369662B2 (en) Maintaining end-to-end synchronization on a telecommunications connection
US5319712A (en) Method and apparatus for providing cryptographic protection of a data stream in a communication system
US4965804A (en) Key management for encrypted packet based networks
RU2341028C2 (en) Effective cryptographic data transmission in real-time security protocol
US5048087A (en) Key management for encrypted packet based networks
US4159468A (en) Communications line authentication device
US4172213A (en) Byte stream selective encryption/decryption device
EP0411538B1 (en) Satellite communications system operating in asynchronous mode for central-to-terminal station transmission
US7076064B2 (en) Maintaining end-to-end synchronization on telecommunications connection
KR100594153B1 (en) Formation of Logical Link and Its Secure Communication Method in Network of Point-to-Manage Topology
JP3774455B2 (en) Data transfer method in Ethernet (registered trademark) passive optical network system
WO2021244489A1 (en) Method and apparatus for transmitting encryption control overhead in optical transport network
ITMI971335A1 (en) PROCEDURE FOR DATA TRANSFER ENCRYPTION IN A DATA COMMUNICATION SYSTEM
JPH08331092A (en) The tdma management method, center station to execute this method, terminal station and network system
JP2002044135A (en) Encryption device and encryption communication system
US5161191A (en) Encryption system for time division multiplexed networks
WO2022161369A1 (en) Security management information processing method and apparatus for optical transport network
JPH02121441A (en) System and method of exchanging bucket
CN109714295A (en) A kind of voice encryption/decryption synchronization processing method and device
GB2168573A (en) Packet switched system
CN112367310B (en) SRIO bus encryption transmission device based on FPGA
JP2004180234A (en) Encrypted packet processing system
PIERSON ScalableATM encryption
JP3313526B2 (en) Multiplex communication system

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee