GB2168573A - Packet switched system - Google Patents
- Publication number
- GB2168573A (application GB08431421A)
- Authority
- GB
- United Kingdom
- Prior art keywords
- packet
- encryption
- information field
- decryption
- packets
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/12—Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
End-to-end encryption of traffic in packet networks presents difficulties due to the discontinuous nature of the data. In the present method these difficulties are overcome by sending an initialisation variable (IV) during the initial call setting and controlling the clocking information such that at each end the clock for the encryption or decryption is started at the beginning of the information field and stopped at the end thereof. Thus when the next packet is sent, both cryptos are correctly set. This avoids the need to send such information with each packet, as called for in some known systems.
Description
SPECIFICATION
Packet switched system
This invention relates to data transmission systems in which data is conveyed in packet-switched manner. In such systems the packets which together form a message may well have to be sent from a calling terminal to a called terminal via two or more exchanges or nodes.
Security is essential in some cases of communication of information through networks, particularly for data relating to financial transactions, electronic mail etc. Security involves such aspects as authentication of access to information, authentication of data sent by signatures, and protection of traffic from deliberate interference or intervention while in transit through the network which may be public or private, circuit or packet switched, telephony, data or both.
The arrangement to be described herein relates to the end-to-end encryption of traffic in packet networks in which the prior art has limitations in application and effectiveness.
Information is transmitted in packet networks by arranging the data in a framed format such that data link control and error detection information is in the frame. Frames may be concatenated to form a contiguous data stream or, more likely, sent in groups each frame being separated by a variable length delay. In interactive operation the information content of packets may be small and the separation may be relatively long. To operate the network efficiently, packets for other transmissions are interposed in the intervening spaces.
End-to-end encryption must ensure that only the information content of the packet is encrypted since the control information in the frame is needed at intermediate nodes in the network. To decrypt the information, certain encryption parameters must be transmitted to the receiving end to load the decryption devices, and data-related synchronism must be maintained although the data is separated by different time intervals at transmitter and receiver.
Prior art exists in which an Initialisation Variable (IV) is sent with each packet and is used at the receiver to reset the decryption device and thus maintain synchronisation. However, this has limitations including:
(a) The standard frame format e.g. X25, requires modification to accommodate the additional IV.
(b) The IV which may be 64 bits long is a significant increase to the framing "overhead".
(c) When contiguous packets are sent the increased overhead may involve an increase in the required transmission rate which may exceed the constraints of the system.
A variation exists in which the IV is sent with an initial packet and with succeeding packets if, and only if, the duration between packets exceeds the duration of the IV. This method can only be applied to link encryption (Level 2) since the variable delay and multiplexing encountered in a node disturbs the synchronisation between packets.
An object of the invention is to provide an improvement on the known arrangements referred to above.
According to the invention there is provided a data transmission system of the packet switched type, in which each message to be transmitted consists of one or more data packets each having a header, an information field which may be encrypted, and a tail, in which an initialisation variable is transmitted from the one end of the connection to the other end thereof only during the initial call setting signalling and is used to set the encryption and decryption operations to the same state, in which at the sending end, the end of the header is detected and controls the commencement of the encryption operation during the information field and the start of the tail is detected to stop the encryption operation, and in which at the receiving end, the end of the header is detected and controls the commencement of the decryption operation and the start of the tail is detected to stop the decryption operation, so that between packets the encryption and decryption operations are stopped in exactly similar states.
Embodiments of the invention will now be described with reference to the accompanying drawings, in which Fig. 1 is a simplified schematic of part of a terminal embodying the invention, while Fig. 2 is an explanatory flow diagram.
The present method enables the packetised traffic to be so encrypted that the control overhead associated with each frame is not extended but nevertheless synchronism between encryption and decryption processes is achieved at all times. Thus the information throughput of a transmission, store and forward, system can be maintained without modification to normal operation.
The present method is based on the premise that packet traffic is asynchronous (although a bit synchronous bearer may be used), and that packets can be of variable length and variably spaced. During the establishment of a connection, virtual or real, agreement is reached on the need to apply encryption, the necessary key parameters being exchanged. The initialisation variable is sent with this initial exchange and is used to reset both encryption and decryption devices to the same initial condition.
A bit rate clock is generated such that bit synchronism is assured at each end, and that the commencement of the encrypted data content of the packet causes the crypto devices to be advanced from their initial condition. At the end of the encrypted data, the clocks are interrupted, thus stopping both crypto devices at the same position. The successive packets cause the cryptos to restart and stop respectively at the beginning and end of each encrypted sequence of data. Thus since the cryptos always restart from the same position in which they were stopped, synchronism between the encryption and decryption devices is generally maintained.
If an external agency disturbs this synchronism, the loss is detected by normal error detection methods used in the system, and an error message is returned to the sending end to request a new initialisation variable, and repeat of the data.
A variation of the present method involves the use of so called 'fast select' procedures in which the whole of the information is in a single packet together with the required address and control information. In this case, the type of packet is identified by a 'facility' code and the encryption and initialisation parameters are within fields preceding the information field. Thus the decryption device is aware of the special type of packet and having been appropriately set starts the algorithm process at the beginning of the information field.
The present system is described as applied to a system of the internationally standardised X25 type, which allows for multiple logical channels to be associated with a single physical link. This complicates the operation of the encryption unit in that between packets it needs to store the logical channel number in association with the appropriate state of the initialisation variable. Therefore, as each logical channel is transmitted over the physical link it is compared with those in store and the required IV transferred into the working IV memory.
Fig. 1 shows as much of an X25 based encryption/decryption unit as is relevant to the present method, the remainder of such a terminal following conventional practice. Information arriving at the unit possibly for encryption enters at an HDLC (high level data link control) unit, which among other functions extracts any control information for the link control LC and network control NC blocks. The information passes from the HDLC block to a buffer B for temporary storage. From here it passes, under clock control, to a crypto unit CU from which the packets, with their information fields encrypted if needed, pass to another HDLC unit for transmission.
Associated with the crypto unit CU, there is a key unit K from which the crypto key is obtained, both when the unit CU is encrypting and also when it is decrypting. Also we have the initialisation variable (IV) generation unit IVU; when a call is set up under control of the microprocessor MP, the call setting information which is initially sent includes encryption keys and an initialisation variable. This notifies the called end as to whether or not the message to be sent is encrypted, this being determined from part of the message as it arrives via the first HDLC block.
The clock is so set, under microprocessor control, that when the first packet is sent, the crypto unit CU is enabled at the commencement of its information field, and is stopped at the end of that field.
At the called end, which is similar to what is shown, the initialisation variable is passed via the link control LC thereat to the microprocessor and clock thereat, so that the microprocessor sets the called end's crypto for the desired encryption. In addition, when the first packet arrives, the clock is enabled so as to start the crypto unit at the commencement of the information field and to stop at the end thereof. The initial call setting operations will, of course, in accordance with normal practice, have resulted in the clocks at the two ends having been brought into synchronism.
Thus when the information field of the first packet ends, we have both crypto units' clocks stopped at the same point. When the next packet is sent, both clocks are started at the start of the information field, and they both start from the same point in time. Thus encryption and decryption take place, with the clocks, and thus the crypto devices, starting from the same point. When the information field ends, both clocks again stop. Hence the system only needs one initialisation variable per multipacket message.
To express the system in a slightly different manner, we have the following summary, which should be studied in conjunction with the flow diagram, Fig. 2. Note in Fig. 2 that the two blocks marked with asterisks are not required in a single channel system.
(a) What is Required
A packet communication system using packets with defined headers and tails, which system has encryption and decryption at each end, and has clock control at each end.
(b) How the System Operates
(1) Set up end-to-end connection.
(2) Transfer IV (keys may also be transferred).
(3) Encryptor and decryptor static and may be headed with IV.
(4) Send packet.
AT EACH END:
(5) Detect end of header.
(6) Start clock and encryptor/decryptor at commencement of information field.
(7) Detect start of tail.
(8) Stop clock and encryptor/decryptor at end of information field.
THEN
(9) Encryptor/decryptor static and loaded with some variables.
(10) Repeat (5) to (8) for next packet.
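A Python model of the clock-gated crypto unit and the summary above (an added example, not code from the patent): the keystream generator is a constructed SHA-256 counter-mode stand-in since the patent names no cipher, the packet tuple and CRC-32 tail are assumed as the system's "normal error detection", and the per-logical-channel state store follows claim 4. It also shows the loss-of-synchronism case and recovery by a fresh IV.

```python
import hashlib
import zlib

class CryptoUnit:
    """Keystream generator whose clock runs only over the information field.
    The keystream (SHA-256 in counter mode) is a constructed stand-in; the
    patent names no particular cipher."""
    def __init__(self, key, iv, pos=0):
        self.key, self.iv, self.pos = key, iv, pos  # pos = clock position

    def _ks_byte(self):
        blk, off = divmod(self.pos, 32)
        ks = hashlib.sha256(self.key + self.iv + blk.to_bytes(8, "big")).digest()
        self.pos += 1  # one clock tick per information-field byte
        return ks[off]

    def run(self, field):
        """Clock started at the first byte of the field, stopped after the last."""
        return bytes(b ^ self._ks_byte() for b in field)

class Endpoint:
    """One end of the link. Keeps (IV, stopped clock position) per logical
    channel, as claim 4 requires on a multiplexed X25 link."""
    def __init__(self, key):
        self.key, self.store = key, {}

    def call_setup(self, lc, iv):
        self.store[lc] = (iv, 0)  # IV exchanged once, during call setting

    def process(self, packet):
        lc, info, tail = packet        # header identifies the logical channel
        iv, pos = self.store[lc]       # load that channel's IV and clock state
        cu = CryptoUnit(self.key, iv, pos)
        out = cu.run(info)             # clock runs during the field only
        self.store[lc] = (iv, cu.pos)  # start of tail: stop clock, save state
        return (lc, out, tail)

def make_packet(lc, info):
    # the tail carries the system's normal error check: CRC-32 of the plaintext
    return (lc, info, zlib.crc32(info))

def receive(dec, packet):
    lc, clear, tail = dec.process(packet)
    return clear if zlib.crc32(clear) == tail else None  # None: request new IV

def simulate():
    key = b"K" * 16                       # constructed key shared by both ends
    enc, dec = Endpoint(key), Endpoint(key)
    for lc, iv in ((1, b"iv-one"), (2, b"iv-two")):
        enc.call_setup(lc, iv)
        dec.call_setup(lc, iv)
    results = []
    # interleaved packets on two logical channels; no IV travels in any packet
    for lc, info in ((1, b"hello"), (2, b"world"), (1, b" again")):
        results.append(receive(dec, enc.process(make_packet(lc, info))))
    # a byte dropped in transit leaves the two channel-1 clocks at different positions
    lc, ct, tail = enc.process(make_packet(1, b"drop me"))
    results.append(receive(dec, (lc, ct[1:], tail)))   # error check fails
    results.append(receive(dec, enc.process(make_packet(1, b"still bad"))))
    # recovery: a new IV re-sets both units on channel 1 and the data is repeated
    for ep in (enc, dec):
        ep.call_setup(1, b"iv-new")
    results.append(receive(dec, enc.process(make_packet(1, b"still bad"))))
    results.append(receive(dec, enc.process(make_packet(2, b"!"))))  # ch 2 fine
    return results
```

Channel 2 keeps decrypting correctly throughout because its stored clock position was never disturbed; only the damaged channel needs the new IV.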
Thus the above method permits encryption to be applied to the communication of data through a packet network without the need to significantly alter the traffic flow. It has the following advantages:
(a) Encryption key and initialisation parameters can be incorporated into call set-up procedures.
(b) Encryption parameters are not required to be sent with each packet when a call consists of many packets.
(c) The encrypted packet may be transmitted at the same rate and for the same duration as the corresponding unencrypted packet.
(d) It is not required to amend existing Level 2 (HDLC) frame formats and amendments to higher level procedures are easily accommodated.
(e) The method is particularly applicable to packetised voice communication where real time integrity is of importance and packets are kept short.
(f) The method can be applied to data already formatted into standard packets e.g. X25.
(g) The method is compatible with the requirements of 'fast select' operation.
Claims (6)
1. A data transmission system of the packet switched type, in which each message to be transmitted consists of one or more data packets each having a header, an information field which may be encrypted, and a tail, in which an initialisation variable is transmitted from the one end of the connection to the other end thereof only during the initial call setting signalling and is used to set the encryption and decryption operations to the same state, in which at the sending end, the end of the header is detected and controls the commencement of the encryption operation during the information field and the start of the tail is detected to stop the encryption operation, and in which at the receiving end, the end of the header is detected and controls the commencement of the decryption operation and the start of the tail is detected to stop the decryption operation, so that between packets the encryption and decryption operations are stopped in exactly similar states.
2. A system according to claim 1, in which the encryption and decryption operations are controlled by starting and stopping their appropriate clocks.
3. A system according to claim 1 or 2, in which call setting signalling, initialisation variable and encrypted information are all contained within a single packet.
4. A system according to claim 1, 2 or 3, in which packets belonging to different virtual connections are multiplexed, in which at the end of a packet in the static state the cryptographic variables are transferred to a memory and during the header of the next packet the relevant cryptographic variables are loaded from memory.
5. A data transmission system of the packet switched type, in which each message to be transmitted consists of one or more data packets each having at least a header, an information field and a tail, in which when a message to be conveyed is to be encrypted an initialisation variable is transmitted from the calling end of the connection to the called end thereof during the initial call setting signalling, in which at the sending end the encryption operations start at the beginning of the information field and end at the termination of the information field, in which at the called end the receipt of the initialisation variable sets the decryption means to its initial state appropriate to the decryption of the packets to be received, in which at the calling end the termination of the information field of a packet leaves the clocking means at the calling end in a state appropriate to the commencement of encryption of the information field of the next packet, and in which at the called end the termination of the information field of a packet being received and decrypted leaves the clocking means in a state appropriate to the start of the information field of the next packet, whereby the initialisation variable is only sent once for a multipacket message, and is sent separate from the message packets.
6. A data transmission system of the packet-switched type substantially as described with reference to the accompanying drawings.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB08431421A GB2168573B (en) | 1984-12-13 | 1984-12-13 | Packet switched system |
Publications (2)
Publication Number | Publication Date |
---|---|
GB2168573A true GB2168573A (en) | 1986-06-18 |
GB2168573B GB2168573B (en) | 1988-06-08 |
Family
ID=10571101
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB08431421A Expired GB2168573B (en) | 1984-12-13 | 1984-12-13 | Packet switched system |
Country Status (1)
Country | Link |
---|---|
GB (1) | GB2168573B (en) |
1984
- 1984-12-13 GB GB08431421A patent/GB2168573B/en not_active Expired
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE19515680A1 (en) * | 1995-04-28 | 1996-10-31 | Sel Alcatel Ag | Encoder and decoder for flow of news in packets |
WO1999057848A2 (en) * | 1998-05-06 | 1999-11-11 | Siemens Aktiengesellschaft | Method for transmitting useful data in telecommunication systems |
WO1999057848A3 (en) * | 1998-05-06 | 2000-01-06 | Siemens Ag | Method for transmitting useful data in telecommunication systems |
US6963751B1 (en) | 1998-05-06 | 2005-11-08 | Siemens Aktiengesellschaft | Method for transmitting service data in telecommunication systems with wireless telecommunication based on a predefined radio interface protocol between telecommunication devices, especially voice data and/or packet data in dect systems |
Also Published As
Publication number | Publication date |
---|---|
GB2168573B (en) | 1988-06-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102037663B (en) | For the method and apparatus of data privacy in passive optical networks | |
US7369662B2 (en) | Maintaining end-to-end synchronization on a telecommunications connection | |
US5319712A (en) | Method and apparatus for providing cryptographic protection of a data stream in a communication system | |
US4965804A (en) | Key management for encrypted packet based networks | |
RU2341028C2 (en) | Effective cryptographic data transmission in real-time security protocol | |
US5048087A (en) | Key management for encrypted packet based networks | |
US4159468A (en) | Communications line authentication device | |
US4172213A (en) | Byte stream selective encryption/decryption device | |
EP0411538B1 (en) | Satellite communications system operating in asynchronous mode for central-to-terminal station transmission | |
US7076064B2 (en) | Maintaining end-to-end synchronization on telecommunications connection | |
KR100594153B1 (en) | Formation of Logical Link and Its Secure Communication Method in Network of Point-to-Manage Topology | |
JP3774455B2 (en) | Data transfer method in Ethernet (registered trademark) passive optical network system | |
WO2021244489A1 (en) | Method and apparatus for transmitting encryption control overhead in optical transport network | |
ITMI971335A1 (en) | PROCEDURE FOR DATA TRANSFER ENCRYPTION IN A DATA COMMUNICATION SYSTEM | |
JPH08331092A (en) | The tdma management method, center station to execute this method, terminal station and network system | |
JP2002044135A (en) | Encryption device and encryption communication system | |
US5161191A (en) | Encryption system for time division multiplexed networks | |
WO2022161369A1 (en) | Security management information processing method and apparatus for optical transport network | |
JPH02121441A (en) | System and method of exchanging bucket | |
CN109714295A (en) | A kind of voice encryption/decryption synchronization processing method and device | |
GB2168573A (en) | Packet switched system | |
CN112367310B (en) | SRIO bus encryption transmission device based on FPGA | |
JP2004180234A (en) | Encrypted packet processing system | |
PIERSON | ScalableATM encryption | |
JP3313526B2 (en) | Multiplex communication system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PCNP | Patent ceased through non-payment of renewal fee | |