WO2011028265A2 - Dynamically switchable, encryption-adaptable and monitored, high speed, high capacity networks, methods, modules and systems, utilizing multiple and variable path transmission and breach detection capabilities - Google Patents


Info

Publication number
WO2011028265A2
Authority
WO
WIPO (PCT)
Prior art keywords
network
paths
virtual
data
key exchange
Prior art date
Application number
PCT/US2010/002371
Other languages
French (fr)
Other versions
WO2011028265A3 (en)
Inventor
Edna Ganon
Zeev Draer
Chen Gennosar
Guy Avidan
Original Assignee
Mrv Communications, Inc.
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks

Definitions

  • the present invention relates to methods, apparatus, software, firmware, hardware, devices, systems, business methods, security methods, and combinations thereof, for providing the asymmetric encryption of data suitable for high speed and high capacity transmission over many types of digital communication systems.
  • the invention is particularly effective and useful in systems and other communications networks comprising one or more physical links, and especially those which utilize one or more optical fibers.
  • Encryption systems for use in communications between and among computers in various types of networks generally belong in one of two categories.
  • the first category pertains to those which utilize Symmetric Key Encryption (SKE).
  • Symmetric Key Encryption schemes, such as Blowfish, AES and DES, work with a single, prearranged key that is shared between the Sender and the Receiver. This same key both encrypts and decrypts text that is communicated over a system, such as a network.
  • the second category pertains to Public Key Encryption (PKE) systems, which are asymmetric systems.
  • PKE Public Key Encryption
  • AKE Asymmetric Encryption Schemes, such as those of the RSA or Diffie-Hellman systems and protocols
  • the encryption algorithm comprises a "key pair" for the users. The key pair includes both a public key and a private key. The private key is known only to the Sender (S), while the public key is given by the sender to any Receiver (R), that is, any computer that wants to communicate securely with the Sender.
  • the cipher-text can be decrypted only by a system that holds both the private key of that key pair as well as the public key.
  • Asymmetric encryption is considered to be more secure than symmetric key encryption, primarily because the decryption key can be kept private, and thus relatively secure.
  • Although an asymmetric public-key encryption scheme is considered to be more secure than a symmetric system, it is still exposed to potential hostile attacks directed toward breaking the cipher-text.
  • Some known types of attacks include, as examples: A) the Client Role Sham, where a hostile client attempts to participate in a protected session with a legitimate server by pretending to be a legitimate client; and B) one or more replay attacks targeted at the server.
  • Data modification is a further way of attacking encrypted data transfers.
  • Data modification uses one or more means to modify the cipher-text messages of the protected session, while an adversary attempts to modify the meaning of these messages.
  • Networks. There are many different types of networks and network systems for sharing digital files and resources or for otherwise enabling communication between two or more computers.
  • Networks may be categorized based on various features and functions, such as message capacity, range over which the nodes are distributed, node or computer types, node relationships, topology or logical and/or physical layout, architecture based on cable type and data packet format, access possibilities, and the like.
  • standard digital diagnostics means any methods, devices, systems, software or other means, system or method for detecting a breach, possible breach or interruption of connectivity at any point or portion of a network, or in connection with respect to data or key exchange activities.
  • route means the transmission connectivity from the sender (source S) coordinate to the destination (receiver R) coordinate through a series of coordinates, or from the destination (receiver R) to the sender (source S) through a series of coordinates.
  • a route according to the invention may comprise one or more physical segments as well as one or more wireless segments.
  • a route is the sequential totality of all of the segments between S and R, and includes any devices through which the route passes.
  • a Route of the invention may comprise many possible virtual paths.
  • a route of the invention may comprise S and R as the termination points of the path(s).
  • segment means any portion of a route between two coordinates that are in communication with one another.
  • a segment can be any transmission medium or media, or any device or apparatus, or combinations thereof.
  • a segment may comprise one or more optical fibers, one or more fiber optic cables, one or more coaxial cables, one or more conventional wires, one or more switching devices such as routers, converters and repeaters, and one or more wireless connections.
  • each segment has two ends, and each of the two ends can be identified by a coordinate.
  • in the case of a segment comprising a device or apparatus, one coordinate may be sufficient.
  • the term “sender route” means the transmission connectivity from the sender (source) to the destination (receiver R) through a series of coordinates.
  • the term “receiver route” means the transmission connectivity from the destination (receiver R) to the sender (source) through a series of coordinates. The receiver route need not have the same coordinates as the sender route.
  • the term "physical route" means the physical connectivity from source to destination through a series of coordinates wherein each of the segments of the route is a physical segment.
  • a Segment may comprise one optical fiber, or one wire.
  • a physical route means any portion or portions of the route which comprise one or more physical transmission media.
  • Physical transmission media include, for example, one or more optical fibers, one or more fiber optic cables (a cable comprises 2 or more optical fibers), one or more coaxial cables, one or more conventional or other wires, one or more switching devices (such as routers, converters and repeaters) and one or more wireless connections, such as Wi-Fi nodes.
  • a physical route can include wireless communication segments. In other aspects of some preferred embodiments of the invention, a physical route can include only physical segments.
  • VP virtual path
  • S sender
  • R receiver
  • R sender
  • a virtual path travels through each of the segments of the specific route, from coordinate to coordinate, in a sequence as mapped or directed by a system, method or device of the invention as embodied, for example, in software in a server or on any type of chip. Because many segments have a plurality of possible paths through each segment, numerous unique virtual paths are possible through any specific Route. For instance, a single optical fiber Segment may comprise dozens of possible Virtual Paths through it, even though it comprises only one physical Segment.
  • path hopping means the step, action or activity of switching the path or paths taken by the message, key or datastream from a sender (S) to a receiver (R) or from a receiver R to a sender S, to other paths. Path hopping can thus switch both the Route and the paths taken by the data or by the key exchange.
  • Thus, path hopping provides numerous possible alternate routes and paths from a Sender S to a Receiver R, and vice-versa.
  • the term “dynamically changes” means the action, act or event whereby the transmission of a key, message or datastream is switched from one route or virtual path to at least one alternate operational route or virtual path, or from one or more virtual paths to one or more alternate virtual paths. This virtual path switching called “path hopping” is the result of the dynamic changes effected in a network, method or system of the invention.
  • the term “clear-text input port” means a port through which the unencrypted data enters a device or apparatus that is adapted and arranged to implement a method or system of the invention.
  • the term “cipher-text output port” means a port through which the encrypted data exits a device implementing a method or system of the invention.
  • triggering event means the one or more events that can trigger one or more dynamic changes in one or more of the available routes, virtual paths, or both, with respect to transmitting a message, datastream or key from S to R, or from R to S.
  • route/virtual path changes can be made in accordance with triggering events such as a "switching menu" comprising one or more time schedules, one or more message-type schedules, frameworks, one or more randomizing generators, or they can be made in response to a specific triggering event.
  • triggering events include a timer time-out, a datastream size limit and the detection of an attempted system hack, or any other possible or detected security breach, or any other system problem.
  • switching schedule means a pre-determined schedule of times at which the routes, virtual paths and path hopping patterns are put into effect.
  • a switching schedule of the invention can be determined by any method or means that produces the desired effects of maximizing its unpredictability, as well as its efficiencies.
  • the inventions include also randomizing systems and software which are adapted and arranged to trigger path and route hopping in accordance with one or more mathematical, timing or other functions.
  • mapping means the activities or actions of determining the possible routes or virtual paths between S and R (or R and S) over which messages, keys or datastreams, or their combinations, can be sent.
  • the term “mapping” can also mean the activity or action of prioritizing or classifying the possible routes or virtual paths with respect to parameters determined or selected by an operator of a system, device, method or apparatus of the inventions.
  • the term “mapping” means the activities or actions of determining the best fiber-optic route or routes to connect two or more points as well as to manage the usage of the chosen route or routes with respect to both encryption and communications efficiencies and security.
  • software of the invention is adapted and arranged, and adaptable and arrangable, to hone in on the exact location of faults, outages, affected nodes, and customer sites, as well as to shed light on the entire fiber-optic network with respect to efficacy, security and dependability.
  • Using criteria specified by the user, such as the lowest attenuation, the shortest length, the greatest security conformations or the minimum number of connections, the software saves a significant amount of work for both sales and provisioning personnel by eliminating countless hours finding spare fibers in each cable and virtually splicing the fibers.
  • Another object of the present invention is to provide methods and systems for providing reliable encryption/decryption protocols in the context of the transmission, over one or more optical fibers, or over one or more wired or wireless systems, that can be managed remotely and immediately to fulfill the commercial goals of the users of such systems and networks.
  • Yet another object of the invention is to provide ways of utilizing methods, networks, apparatus, software, firmware, hardware, devices, systems, business methods and combinations thereof to provide secure data transfer within one or more networks, and to dynamically respond to breaches, possible breaches or suspected breaches.
  • the present method comprises the steps of: A, mapping a plurality of unique virtual paths over the possible routes between the sender and the receiver to create a formulated virtual path set, then B, choosing from the formulated virtual path set a first key exchange path over which a key exchange session can be performed, then C, performing a first key exchange session over the first key exchange path, then D, choosing from the formulated virtual path set a first data virtual path over which the encrypted data is to be transmitted, wherein the first data virtual exchange path is different from the first key exchange path, and then E, transmitting the encrypted data over the first data virtual path.
  • Step B can be repeated to provide one or more alternate virtual key exchange paths for performing the key exchange session.
  • Step D can be repeated to provide one or more alternate data virtual paths for transmitting the encrypted data.
  • the method comprises Step F, which is preferably performed after Step E, and comprises the act or action of choosing from the formulated virtual path set one or more alternative data virtual paths for transmission of the encrypted data.
  • some preferred embodiments of a method of the invention comprise the further Step of G, the act or action of monitoring the chosen virtual paths to effect detection of possible problems, wherein the possible problems include one or more breaches of security.
  • Preferred methods of the invention may further comprise Step H, which is performed after Step G, and in response to the detection of a problem, of choosing from the formulated virtual path set one or more alternative key exchange paths over which a key exchange session can be performed.
  • a further step is that of Step I, choosing from the formulated virtual path set a second data virtual path over which the encrypted data can be transmitted.
  • the virtual paths of the formulated set are paths comprising at least one physical segment.
  • each possible route comprises numerous virtual paths, or at least a plurality of virtual paths.
  • some preferred embodiments of the network preferably comprise optical transport segments and the different routes comprise physical links in the network.
  • a network according to the invention comprises optical transport segments, and the different routes and paths comprise distinctive wavelengths.
  • each distinctive wavelength is mapped to a different physical port in the network.
  • the network comprises one or more selected from the group comprising SONET and SONET/SDH networks, and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR.
  • the network may comprise one or more selected from the group comprising SONET and SONET/SDH networks, and the routes are one or more selected from the group comprising APS, BLSR and UPSR.
  • a system of the invention may comprise a network, such as an MPLS network, and the different routes may comprise one or more physical links.
  • Systems, networks and methods of the invention may also include wherein the network comprises a Switched Ethernet network and the different routes comprise physical links.
  • the detection of the security breach in Step G is effected early with respect to one or more optical fibers or cables, and the detection can be facilitated by means of standard digital diagnostics as are known in the industry, or by any means or method that is adapted and arranged to detect any type of security breach.
  • the standard digital diagnostics are contained within one or more pluggable optical devices provided in a system, device, apparatus or network adapted and arranged to practice the invention.
  • changes in the virtual data routes and paths and the encryption key routes and paths are preferably effected immediately upon detection of at least one breach.
  • the operative connections between the various segments of routes and paths are facilitated by one or more of software means, hardware means, firmware means, and combinations thereof.
  • the invention includes devices, apparatus, networks and systems for effecting the methods of the invention.
  • a preferred apparatus, device or system of the invention for increasing the security of encrypted data transmitted over one or more routes between a sender and a receiver over a network via one or more public-key exchange encryption systems includes the key components for effecting one or more preferred embodiments of the methods of the invention.
  • These key components include i) means for mapping a plurality of unique virtual paths over the possible routes between the sender and the receiver to create a formulated virtual path set, ii) means for choosing from the formulated virtual path set a first key exchange path over which a key exchange session can be performed, iii) means for performing a first key exchange session over the first key exchange path, iv) means for choosing from the formulated virtual path set a first data virtual path over which the encrypted data is to be transmitted, and v) means for transmitting the encrypted data over the first data virtual path.
  • a preferred method, network, apparatus, device or system of the invention may further include means for repeating Step B of the method to provide one or more alternate virtual key exchange paths for performing the key exchange session.
  • a preferred apparatus, device or system of the invention may further include means for repeating Step D to provide one or more alternate data virtual paths for transmitting and/or receiving the encrypted data.
  • networks, devices, methods and systems for increasing the security of encrypted digital data transmitted over one or more routes or paths between a sender and a receiver over the network via one or more public-key exchange encryption systems are provided.
  • a network of the invention comprises the elements, components, devices, or apparatus including at least one means A, wherein means A is adapted and arranged for mapping a plurality of unique virtual paths over the possible routes between the sender and the receiver to create a formulated virtual path set, at least one means B, wherein means B is adapted and arranged for selecting, from the formulated virtual path set, a first key exchange path over which a key exchange session can be performed, at least one means C, wherein means C is adapted and arranged for performing a first key exchange session over the first key exchange path, at least one means D, wherein means D is adapted and arranged for selecting, from the formulated virtual path set, a first data virtual path over which the encrypted data is to be transmitted, at least one means E, wherein means E is adapted and arranged for encrypting the data to be sent, and at least one means F, wherein means F is adapted and arranged for transmitting the encrypted data over the first data virtual path.
  • one or more of the means recited in elements A, B, C, D, E and F of the network are software means or software-facilitated means.
  • any of the means recited herein may include any of the devices as disclosed herein, or as known in the relevant art.
  • means B and means C of the network are adapted and arranged to be used repeatedly to provide one or more alternate virtual key exchange paths for performing the key exchange session. Similarly, the network is adapted and arranged such that means D can be utilized repeatedly to provide one or more alternate data virtual paths and/or routes for transmitting the encrypted data.
  • the network further comprises means G, means for selecting, from the formulated virtual path set, one or more alternative data virtual paths and/or routes for the transmission of the encrypted data.
  • the network may further comprise means H, means for monitoring the chosen virtual paths to effect detection of possible problems, wherein the possible problems include one or more breaches of security, as well as means I, means for responding to the detection of a problem, by selecting from the formulated virtual path set one or more alternative key exchange paths over which a key exchange session can be performed.
  • the network may further comprise means J, means for selecting from the formulated virtual path set a second data virtual path and/or route over which the encrypted data can be transmitted.
  • a network of the invention can be adapted and arranged such that each of the virtual paths of the formulated virtual path set comprises at least one physical segment, and wherein each possible route comprises a plurality of virtual paths.
  • the means elements of the network can comprise one or more of means A, means B, means C, means D, means E, means F, means G, means H, means I and means J, and one or more of these means can comprise software, or software-facilitated devices or means.
  • Other aspects of the present network include those as described herein with respect to other embodiments of the methods and networks of the invention.
  • a network which is adapted and arranged for increasing the security of encrypted data transmitted over one or more paths and/or routes between a sender and a receiver over the network via one or more public-key exchange encryption systems.
  • the network comprises A. at least one means A, wherein means A is adapted and arranged for mapping a plurality of unique virtual paths over the possible routes between the sender and the receiver to create a formulated virtual path set, B. at least one means B, wherein means B is adapted and arranged for selecting, from the formulated virtual path set, a first key exchange path over which a key exchange session can be performed, C. at least one means C, wherein means C is adapted and arranged for performing a first key exchange session over the first key exchange path, D. at least one means D, wherein means D is adapted and arranged for selecting, from the formulated virtual path set, a first data virtual path over which the encrypted data is to be transmitted, and E. at least one means E, wherein means E is adapted and arranged for encrypting the data to be sent.
  • means B of the network is adapted and arranged to be used repeatedly to provide one or more alternate virtual key exchange paths for performing the key exchange session.
  • the network is adapted and arranged such that means D can be utilized repeatedly to provide one or more alternate data virtual paths and/or routes for transmitting the encrypted data.
  • some preferred embodiments of the invention include those in which each distinct wavelength, for example in embodiments using one or more optical fibers, is mapped to a different physical port in the network.
  • the network can comprise one or more selected from the group comprising SONET and SONET/SDH networks and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR, and those with desirable or amenable characteristics.
  • a network of the invention may include also one or more MPLS networks, and the different routes may comprise physical links.
  • a network of the invention may include those where the network is switched Ethernet and the different routes comprise physical links.
  • a network of the invention can be adapted and arranged such that the detection of a security breach or possible security breach is by means H, and is effected early with respect to one or more wires, optical fibers or cables, and the detection is facilitated by means of standard digital diagnostics.
  • the standard digital diagnostics can be contained within one or more pluggable optical devices provided in the network.
  • a network of the invention can be adapted and arranged such that changes in the virtual data routes and paths, and the encryption key routes and paths, are effected immediately by the network upon detection of at least one breach.
  • path and route switching can be accomplished on an immediate basis to foil hack attempts or other breaches.
  • a network of the invention can be adapted and arranged such that operative connections and changes in network configurations between the various segments of routes and paths are facilitated by one or more of software means, hardware means, firmware means, and combinations thereof.
  • software or software facilitated means can be used to effect one or more of the necessary functions, and to coordinate the functions with one another.
  • one or more of the means A, B, C, D, E, F, G, H, I and J can be software means or software facilitated means, for example, contained in a digital media storage device.
  • Storage devices, switches, and other devices are also significant elements of a network of the invention.
  • preferred embodiments of the invention include those wherein the network comprises one or more devices from the group comprising switches, routers, pluggable optical devices, multi-interface servers or workstations, add-drop multiplexers (ADMs), and optical add-drop multiplexers (OADMs), and any other devices which have desirable or advantageous functions or characteristics.
  • a method for the early detection and counteraction of breaches of digital communications between at least one sender and at least one receiver in a digital communications network, the network utilizing at least one form of key exchange encryption comprises the steps of: A. mapping a plurality of unique virtual paths over the possible routes between the at least one sender and the at least one receiver to create a formulated virtual path set, B. choosing from the formulated virtual path set a first key exchange path over which a key exchange session can be performed, C. performing a first key exchange session over the first key exchange path, D.
  • a method of the invention further comprises the Step of H, when a breach or possible breach is detected, choosing from the formulated virtual path set one or more alternative routes or data virtual paths over which the data can be transmitted, and can also comprise the Step of I, transmitting the data over one or more of the chosen routes or virtual paths. This similarly pertains to the switching of routes and paths for one or more key exchange sessions.
  • the method can include wherein the data is encrypted before being transmitted.
  • some preferred embodiments of the methods of the invention can include wherein Steps F and G are performed during one or more of Step C, Step E, or both.
  • a method of the invention may also further comprise the Step of J, wherein, in response to the detection of a problem, choosing from the formulated virtual path set one or more alternative key exchange paths over which a key exchange session can be performed.
  • the key exchange routes and paths, and the data routes and paths can be switched either in response to a detected problem, such as a breach, or according to a schedule or other switching functions of the network.
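As an added illustration (not code from the patent or from MRV Communications), the following Python simulation walks through Steps A to I listed above and the early-detection method of the preceding items: it formulates the virtual path set as route × wavelength, chooses a key exchange path and a distinct data virtual path, and re-hops both when the digital diagnostics of the pluggable optics fall below a calibrated baseline or a timer fires. The route names, wavelengths, receive-power figures, the 3 dB drop threshold and all class and function names are assumptions chosen for the example.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class VirtualPath:
    """One virtual path: a physical route carrying one distinct wavelength."""
    route: str
    wavelength: str


# Constructed sample network (not from the patent): three fiber routes
# between S and R, each carrying wavelengths mapped to distinct ports.
SAMPLE_ROUTES: Dict[str, List[str]] = {
    "fiber-north": ["1550.12nm", "1550.92nm"],
    "fiber-south": ["1551.72nm", "1552.52nm"],
    "fiber-west": ["1553.33nm"],
}

# Constructed calibrated receive power per route (dBm), as the digital
# diagnostics of a pluggable optical module would report it.
SAMPLE_BASELINE_RX_DBM: Dict[str, float] = {
    "fiber-north": -7.0,
    "fiber-south": -7.5,
    "fiber-west": -8.0,
}

# Assumed breach indicator: receive power more than RX_DROP_DB below the
# baseline, or loss of signal (reported here as None).
RX_DROP_DB = 3.0


@dataclass
class PathHopper:
    routes: Dict[str, List[str]]
    baseline_rx_dbm: Dict[str, float]
    rng: random.Random
    path_set: List[VirtualPath] = field(default_factory=list)
    key_path: Optional[VirtualPath] = None
    data_path: Optional[VirtualPath] = None
    quarantined: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def map_paths(self) -> List[VirtualPath]:
        """Step A: formulate the virtual path set as route x wavelength."""
        self.path_set = [VirtualPath(r, w)
                         for r, ws in self.routes.items() for w in ws]
        return self.path_set

    def _usable(self) -> List[VirtualPath]:
        return [p for p in self.path_set if p.route not in self.quarantined]

    def choose_key_path(self) -> VirtualPath:
        """Steps B and H: pick a key exchange path on a non-quarantined route."""
        candidates = self._usable()
        if not candidates:
            raise RuntimeError("no operational route left for key exchange")
        self.key_path = self.rng.choice(candidates)
        return self.key_path

    def choose_data_path(self) -> VirtualPath:
        """Steps D, F and I: the data path must differ from the key path."""
        candidates = [p for p in self._usable() if p != self.key_path]
        if not candidates:
            raise RuntimeError("no second path available for data")
        self.data_path = self.rng.choice(candidates)
        return self.data_path

    def detect_breach(self, rx_dbm: Dict[str, Optional[float]]) -> Set[str]:
        """Step G: flag routes whose diagnostics fell below the baseline."""
        suspect: Set[str] = set()
        for route, baseline in self.baseline_rx_dbm.items():
            reading = rx_dbm.get(route)
            if reading is None or baseline - reading > RX_DROP_DB:
                suspect.add(route)
        return suspect

    def on_trigger(self, event: str,
                   rx_dbm: Optional[Dict[str, Optional[float]]] = None) -> None:
        """Re-hop both paths on a triggering event (timer time-out or breach)."""
        if event == "breach":
            bad = self.detect_breach(rx_dbm or {})
            self.quarantined |= bad
            self.log.append(f"breach suspected on {sorted(bad)}")
        self.choose_key_path()
        self.choose_data_path()
        self.log.append(f"{event}: key={self.key_path} data={self.data_path}")


def make_hopper(seed: int = 7) -> PathHopper:
    """Build a hopper over the constructed sample network and run Steps A-E."""
    hopper = PathHopper(SAMPLE_ROUTES, SAMPLE_BASELINE_RX_DBM, random.Random(seed))
    hopper.map_paths()
    hopper.choose_key_path()
    hopper.choose_data_path()
    return hopper
```

Calling `make_hopper()` performs Steps A to E; `on_trigger("breach", readings)` with a dict of per-route receive power then performs Steps G to I, quarantining every route whose reading dropped or vanished and moving both the key exchange and the data path off it.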
  • the present methods may include wherein each of the virtual paths of the formulated virtual path set comprises at least one physical segment, and wherein each possible route comprises numerous or a plurality of virtual paths.
  • the methods can include wherein the network comprises optical transport segments and the different routes comprise physical links in the network, as well as wherein the network comprises optical transport segments and the different routes and paths comprise distinct wavelengths.
  • the permutations of the routes and paths which are possible within the scope of the present methods are enormous, especially in those systems comprising one or more of multiple optical fibers, wires, routers and other switches, and other devices described herein, or which would be comprehended by one of skill in the art.
  • the present methods can include wherein each distinct wavelength is mapped to a different physical port in the network, and embodiments wherein the network comprises one or more selected from the group comprising SONET and SONET/SDH networks and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR.
  • the network can comprise one or more selected from the group comprising SONET and SONET/SDH networks, and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR, and those with desirable or amenable characteristics.
  • the present methods are also adapted to function in a network which includes also one or more MPLS networks, and the different routes may comprise physical links.
  • the present methods may include a network where the network is switched Ethernet and the different routes comprise physical links.
  • the present methods include wherein the detection of the security breach in Step G is effected early with respect to one or more optical fibers or cables, and the detection is facilitated by means of standard digital diagnostics, and wherein the standard digital diagnostics are contained within one or more pluggable optical devices provided in the network.
  • some preferred embodiments of the methods are adapted and arranged such that changes in the virtual data routes and paths, and the encryption key routes and paths, are effected immediately by the network upon detection of at least one breach.
  • path and route switching can be accomplished on an immediate basis to foil hack attempts, other breaches and other problems.
  • a network of the invention can be adapted and arranged such that operative connections and changes in network configurations between the various segments of routes and paths are facilitated by one or more of software means, hardware means, firmware means, and combinations thereof.
  • software or software facilitated means can be used to effect one or more of the necessary functions, and to coordinate the function with one another.
  • one or more of the means A, B, C, D, E, F, G, H, I and J can be software means or software facilitated means, for example, contained in a digital media storage device.
  • Storage devices, switches, and other devices are also significant elements of a network of the invention.
  • preferred embodiments of the invention include those wherein the network comprises one or more devices from the group comprising switches, routers, pluggable optical devices, multi-interface servers or workstations, add-drop multiplexers (ADM's), and optical add-drop multiplexers (OADM's), and any other devices which have desirable or advantageous functions or characteristics.
  • the present methods comprehend wherein one or more of the devices stores or otherwise keeps track of the paths and routes of the formulated virtual path set for one or more of the key exchange and the data transmission.
  • the methods and networks of the inventions can be incorporated into one or more devices, or one or more chips.
  • the dynamic virtual path or route switching is adapted and arranged to occur with respect to automated settings that are facilitated via software or firmware.
  • the software or firmware can be located in various devices, locations and modules, depending on system requirements and functions.
  • the dynamic virtual path or route switching occurs with respect to device-based parameters, such as system load or operator intervention, such that, even if a hacker was aware of the underlying systems, he would be guessing at yet another set of parameters.
  • a Route may comprise a plurality of Segments, and each Segment may comprise a plurality of Virtual Paths. Some of the Segments can be physical in nature, while others may be wireless, infrared, or otherwise non-physical.
  • One primary aspect relates to the methods, processes and systems of transmitting one or more cryptography keys over one or more digital transmission media wherein at least one of the digital transmission media is a physical medium, such as an optical fiber or optical fiber cable, and to the networks, nodes, devices, apparatus and systems that include or embody the invention in any way.
  • the one or more encryption keys are transmitted over a first set of one or more virtual paths or routes.
  • the public encryption key is transmitted separately from the private key. Encrypted messages, data sets or datastreams are transmitted over routes strongly different from the
  • third set of virtual paths may comprise a plurality or a very large number of paths.
  • a second primary aspect relates to the methods, processes and systems of transmitting one or more messages, data sets or datastreams over one or more digital transmission media, such as those of networks, nodes, devices, apparatus and systems that include or embody the invention in any way, wherein at least one of the digital transmission media is a physical medium, such as an optical fiber or optical fiber cable.
  • the one or more messages, data sets or datastreams are transmitted over a second set of one or more virtual paths.
  • the second set of virtual paths may comprise a plurality or a very large number of paths.
  • the encryption keys are sent via a first Virtual Path
  • the one or more messages, data sets or datastreams are sent via a second, third or fourth Virtual Path, different from the first Virtual Path.
  • a third primary aspect relates to the methods, processes and systems of changing the individual virtual paths over which the keys, messages, data sets or datastreams are transmitted.
  • This "Virtual Path Hopping" or “Route Hopping” can be effected by any means, software, scheme, triggers, events or schedules appropriate to the environments, circumstances and nature of the keys, messages, data sets or datastreams that are being transmitted.
  • Each of the Figures shows a system of the invention comprising 1, 4 or 8 communication segments wherein each of the segments is operatively and sequentially connected to transmit keys, messages, data sets or datastreams between a Sender S and a Receiver R, or between a Receiver R and a Sender S of a system of the invention.
  • a Route between S and R consists of only one Segment, and the Segment consists only of one optical fiber.
  • This type of segment which consists only of a single optical fiber, is one type of "optical transport segment.”
  • in such a simple embodiment, the whole Segment is accommodated in the single optical fiber.
  • Virtual Path describing one unique virtual line of connectivity between Sender (S) and Receiver (R), in a Route having only one Segment, and wherein the Segment has one optical fiber only
  • the number of possible Virtual Paths is limited by the number of unique optical (wavelength) paths through the one fiber.
  • the number of unique Virtual Paths through a fiber would still approximate 80 in a single conventional fiber.
  • the Segment is one optical fiber, and the one optical fiber offers 80 unique Virtual Paths which can be dynamically utilized in the context of the invention.
  • the Route in this example consists of only one Segment, only one fiber, yet includes 80, or more, possible Virtual Paths.
  • a single route can have several, or numerous, possible virtual paths through it.
  • Figure 305 shows a system of the invention comprising 1 communication Segment, SEG 1.
  • a message M, encryption key K, or Datastream DS can be transmitted sequentially from S to R, or from R to S, through Segment S1.
  • SEG S1 comprises single optical fiber F19.
  • an encryption key K, message M or Datastream DS can be transmitted through many different possible Virtual Paths.
  • the term "Virtual Path" is used to describe each unique virtual line of connectivity between S and R. There can be a few, or many, possible Virtual Paths through a particular Route, depending upon the characteristics of that Route.
  • the Route has one Segment, the Segment is limited to one optical fiber, and the one optical fiber offers approximately 80 unique Virtual Paths which can be dynamically utilized in the context of the invention.
  • the Route consists of only one Segment, and only one fiber, yet includes 80 possible Virtual Paths. In more advanced fiber types, or with other adaptations, more than 80 Virtual Paths are possible through a single fiber.
  • Figure 301 shows a system of the invention comprising 4 communication segments (SEG's).
  • a message M, encryption key K, or Datastream DS can be transmitted sequentially from S to R or from R to S through the operatively connected Segments S1, S2, S3 and S4.
  • Segment 1 (SEG 1) has a Sender end S1 and a Receiver end R1. Disposed between S1 and R1 are optical fibers F1, F2, F3 and F4. Segment 2 (SEG 2) has a Sender end S2 and a Receiver end R2. Disposed between S2 and R2 are digitally conductive wires W1, W2, W3 and W4. Segment 3 (SEG 3) has a Sender end S3 and a Receiver end R3. Disposed between S3 and R3 are coaxial conductors C1, C2, C3 and C4. Segment 4 (SEG 4) has a Sender end S4 and a Receiver end R4.
  • a Message M, an encryption key K, Datastream DS or Data D sent from S can travel a number of different routes through SEG 1, a number of different routes through SEG 2, a plurality of different routes through SEG 3, and a plurality of different routes through SEG 4 to arrive at R.
  • FIG. 303 shows a system or network of the invention adapted and arranged for practicing the present methods.
  • the overall Route of FIG. 303 is S - SEG 1 - SEG 2 - SEG3 - SEG4-R.
  • the network or system of FIG. 303 shows a specific Route between Sender S and Receiver R highlighted in the color red.
  • a Red Route (shown in red) is shown beginning at R, and traveling through SEG (Segment) 1 via S1 through F1 and R1, where it leaves SEG 1 to travel through Device U1, and then through S2 of Segment 2.
  • the Red Route then continues from S2 through W2 and R2 of SEG 2, and then through Device U2 and then to S3 of SEG 3.
  • the Red Route continues through S3 and through C3 to pass through R3 and then out of SEG 3 to travel through Device U3 and into SEG 4 via S4.
  • the Red Route continues through F8 to R4 and then out of SEG 4 to Receiver R.
  • the Red Route thus extends from Sender S via S1, F1, R1 of SEG 1, then through
  • the Red Route of FIG. 303 can also be expressed in a more shorthand way by the terminology: Sender - S1, F1, R1; U1, S2, W2, R2, U2, S3, C3, R3, U3, S4, F8, R4 - Receiver R.
  • FIGS. 302 and 304 each of which shows an embodiment of the invention having 2 sets of Segments (SEGS) disposed between Sender S and Receiver R.
  • a message M or Datastream DS can be transmitted sequentially from S to R or from R to S through the operatively connected Segments S1, S2, S3 and S4, or through Segments S5, S6, S7 and S8.
  • SEGS S1, S2, S3 and S4 are identical to the corresponding SEGS in FIG. 301, and the general description herein of FIG. applies accordingly.
  • the embodiment shown in FIG 302 shows also parallel Segments S5, S6, S7 and S8 operatively connected between S and R.
  • Segment 5 (SEG 5) has a Sender end S5 and a Receiver end R5. Disposed between S5 and R5 in SEG 5 are optical fibers F9, F10, F11 and F12. Segment 6 (SEG 6) has a Sender end S6 and a Receiver end R6. Disposed between S6 and R6 are digitally conductive wires W5, W6, W7 and W8. SEG 7 as shown in FIG 302 has a Sender end S7 and a Receiver end R7. Disposed between S7 and R7 are coaxial conductors C5, C6, C7 and C8.
  • Segment 8 (SEG 8) has a Sender end S8 and a Receiver end R8. Disposed between S8 and R8 are optical fibers F13, F14, F15 and F16. There are thus numerous possible Virtual Paths between Sender S and Receiver R through SEGS S5, S6, S7 and S8, as well as through SEG 1, SEG 2, SEG 3 and SEG 4. This is further illustrated in FIG. 304.
  • SEG 7 as shown in FIG 304 has a Sender end S7 and a Receiver end R7. Disposed between S7 and R7 are coaxial conductors C5, C6, C7 and C8. Segment 8 (SEG 8) has a Sender end S8 and a Receiver end R8. Disposed between S8 and R8 are optical fibers F13, F14, F15 and F16.
  • FIG. 304 also shows the system of FIG. 302, but also having a specific Green Route between S and R highlighted in the color green, as well as the Red Route identical to that shown in FIG. 303. With reference to FIG.
  • Green Route (shown in green) is shown beginning at S, and then extending through SEG 5 via S5, then through F11 and then via R5 out of SEG 5, and then through Device U4, and then through S6 into SEG 6.
  • the Green Route then continues from S6 through W6 and R6, and then out of SEG 6 and through Device U5, then into SEG 7 via S7 where it extends through C8 and through R7 out of SEG 7 through Device U6 to SEG 8 via S8, extending through SEG 8 via S8, F13, and then through R8 to Receiver R.
  • the Green Route of FIG. 304 can also be expressed in a more shorthand way by the terminology: Sender - S5, F11, R5; U4, S6, W6, R6, U5, S7, C8, R7, U6, S8, F13, R8 - Receiver R.
  • key exchange can be conducted over the Red Route while transmission of the encrypted data can be effected over the Green Route.
  • Routes and Virtual Paths: there are numerous combinations of Routes and Virtual Paths in any system of the invention.
  • while a network or system of the invention might select the Red Route for transmission of a datastream or key exchange, there are numerous possible Virtual Paths through the Red Route.
  • the broad applicability of the inventions, as well as their advantageous characteristics as components of networks or other digital systems, are exemplified with reference to the devices with which they can be used, or incorporated into.
  • the invention can advantageously be embodied in many devices, systems and networks. These devices include switches, routers, multi-interface servers or workstations, add-drop multiplexers (ADM's), and optical add-drop multiplexers (OADM's).
  • the invention can also be used with, or in association with any application with more than one physical connectivity to a network and the ability to dynamically switch between these interfaces.
  • the networks, systems and methods of the invention include also where a divided key exchange session can be effected, wherein the key exchange session is conducted over 2 or more virtual paths, with different portions of the key being transmitted over different Virtual Paths.
  • the networks, systems, devices and methods of the invention include also wherein a divided datastream or message can be conducted over 2 or more Virtual Paths, thus increasing the level of security even further.
  • Additional positive characteristics pertain to the software aspects and modules of the invention. Examples of this include wherein the software means for performing the required activities to effect the functions of the present invention is adapted and arranged, or can be adaptable and arrangable, to provide any capabilities necessary in order to perform the desired functions.
  • some software modules of the invention include those which are adapted and arranged to effect measurements of the performance parameters of any system in which they are utilized. In some preferred embodiments, the invention can thereby take the form of one that both monitors the system in which it is being used, and tracks the parameters of the system while it is in use. Similarly, the setting of alarms or path- switching, and of correlating or correlated actions can be defined based on system needs or requirements.
  • the invention may further comprise software means for configuring and reconfiguring, and for dynamically switching, one or a plurality of Routes and Virtual Paths such that security is continually maintained.
  • the present invention includes also methods for using and configuring the various elements, apparatus, devices and networks of the invention.
  • the invention includes a method for increasing the speed and management characteristics of a fiber-optic communications network while increasing its security against hacking and other breaches.
  • the present methods and systems of the invention are thus directed toward increasing the speed, applicability and dependability of the transfer of encrypted digital data in one or more networks, or between one or more senders and one or more receivers of the encrypted data.
  • the present methods, networks, apparatus, software, hardware, devices, systems, and combinations thereof are also fully integratable into conventional networks and systems, in accordance with standard and known procedures and equipment in the field, with the assistance of the present disclosure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

Methods, networks, devices, apparatus, software, firmware, hardware, systems, business methods and combinations thereof for providing the high speed, high capacity encryption and transmission of digital data over many types of communications networks and systems are provided. A significant increase is realized in the security of encrypted data transfer from a sender to a receiver over a network which uses a public key algorithm for the encryption/decryption process. In a key aspect, a sender transfers the public key to the receiver over a network on a different route or virtual path than the route or virtual path that is used to send the encrypted data itself. When a plurality or numerous routes or virtual paths are available, the invention is adapted and arranged to dynamically change the available routes and virtual paths over which it sends the encrypted key and the encrypted data, thereby improving the level of security even more significantly. The invention is particularly effective and useful as a part of networks and other communications systems comprising one or more physical links, and especially those which utilize one or more optical fibers, such as Ethernet and other communications networks.

Description

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
UNDER THE PATENT COOPERATION TREATY
PATENT APPLICATION FOR:
DYNAMICALLY SWITCHABLE, ENCRYPTION-ADAPTABLE AND MONITORED, HIGH SPEED, HIGH CAPACITY NETWORKS, METHODS, MODULES AND SYSTEMS, UTILIZING MULTIPLE AND VARIABLE PATH
TRANSMISSION AND BREACH DETECTION CAPABILITIES
CLAIM OF PRIORITY
[0001] Applicants hereby claim priority to U.S. Provisional Patent Application Serial No.
61/272,273, filed September 4, 2009, and to a U.S. Provisional Patent Application having a Serial No. To-Be-Determined (Filed under Attorney Reference No. 91321-459003 on August 26, 2010), and entitled: Networks, Methods, Apparatus, Software, Hardware, Devices, Systems And Combinations Thereof For Enhancing The Security Of Digital Data Transfer Systems Using Asymmetric Public Key Encryption Transmission Over A Network, and do hereby incorporate these two applications in their entireties.
FIELD OF THE INVENTION
[0002] The present invention relates to methods, apparatus, software, firmware, hardware, devices, systems, business methods, security methods, and combinations thereof, for providing the asymmetric encryption of data suitable for high speed and high capacity transmission over many types of digital communication systems. The invention is particularly effective and useful in systems and other communications networks comprising one or more physical links, and especially those which utilize one or more optical fibers.
BACKGROUND OF THE INVENTION
[0003] Encryption systems for use in communications between and among computers in various types of networks generally belong in one of two categories. The first category pertains to those which utilize Symmetric Key Encryption (SKE). Symmetric Key Encryption schemes such as Blowfish, AES and DES, work with a single, prearranged key that is shared between the Sender and the Receiver. This same key both encrypts and decrypts text that is communicated over a system, such as a network.
[0004] The second category pertains to Public Key Encryption (PKE) systems, which are asymmetric systems. In Asymmetric (AKE) Encryption Schemes, such as those of the RSA or Diffie-Hellman systems and protocols, the encryption algorithm comprises a "key pair" for the users. The key pair includes both a public key and a private key. The private key is known only to the Sender (S), while the public key is given by the sender to any Receiver (R), that is, any computer that wants to communicate securely with the Sender. Once encrypted, the cipher-text can be decrypted only by a system that holds both the private key of that key pair as well as the public key. Asymmetric encryption is considered to be more secure than symmetric key encryption, primarily because the decryption key can be kept private, and thus relatively secure.
[0005] Nonetheless, even though an asymmetric public-key encryption scheme is considered to be more secure than a symmetric system, it is still exposed to potential hostile attacks directed toward breaking the cipher-text. Some known types of attacks include, as examples: A) the Client Role Sham, where a hostile client attempts to participate in a protected session with a legitimate server by pretending to be a legitimate client; and B) one or more replay attacks targeted at the server.
[0006] In a replay attack, an adversary records a protected session, or a portion of it, and attempts to re-use it by directing it back toward the server to thereby deceive the server into communicating with the replay attacker. Another way of attempting to breach an encrypted system is by C) cheating on the server public key. In this hacking method, an adversary induces a client to use (as the public key in a given session establishment) a key which is different from the legitimate server's public key.
[0007] In yet another hacking strategy, commonly known as "passive eavesdropping," an adversary overhears the protected session and records it for later analysis. In a significant aspect, the passive eavesdropping threat refers to data protection offered by secret key encryption after completion of the session key-establishment phase.
[0008] Data modification is a further way of attacking encrypted data transfers. Data modification uses one or more means to modify the cipher-text messages of the protected session, while an adversary attempts to modify the meaning of these messages.
[0009] All of these methods pose an ongoing threat to cyber communications. The methods, networks, apparatus, software, firmware, hardware, devices, systems, business methods and combinations thereof the present invention offer strategic advantages with respect to decreasing the likelihood of successful attacks by presently known methods.
[0010] There are many different types of networks and network systems for sharing digital files and resources or for otherwise enabling communication between two or more computers. Networks may be categorized based on various features and functions, such as message capacity, range over which the nodes are distributed, node or computer types, node relationships, topology or logical and/or physical layout, architecture based on cable type and data packet format, access possibilities, and the like.
SOME DEFINITIONS
[0011] To assist in comprehending the invention, some definitions are provided herein. As one of skill in the art will comprehend, these definitions are to be taken in the context of the invention and are to be interpreted consonant with the rest of the specification and claims.
[0012] In the context of the invention, the terminology "standard digital diagnostics" means any methods, devices, systems, software or other means, system or method for detecting a breach, possible breach or interruption of connectivity at any point or portion of a network, or in connection with respect to data or key exchange activities.
[0013] In the context of the invention, the term "route" means the transmission connectivity from the sender (source S) coordinate to the destination (receiver R) coordinate through a series of coordinates, or from the destination (receiver R) to the sender (source S) through a series of coordinates. A route according to the invention may comprise one or more physical segments as well as one or more wireless segments. A route is the sequential totality of all of the segments between S and R, and includes any devices through which the route passes. A Route of the invention may comprise many possible virtual paths. A route of the invention may comprise S and R as the termination points of the path(s).
[0014] In the context of the invention, the term "segment" means any portion of a route between two coordinates that are in communication with one another. A segment can be any transmission medium or media, or any device or apparatus, or combinations thereof. As examples, a segment may comprise one or more optical fibers, one or more fiber optic cables, one or more coaxial cables, one or more conventional wires, one or more switching devices such as routers, converters and repeaters, and one or more wireless connections. Typically, each segment has two ends, and each of the two ends can be identified by a coordinate. In some embodiments, in the case of a segment comprising a device or apparatus, one coordinate may be sufficient.
[0015] In the context of the invention, when it is necessary to refer to the directionality of a route, the term "sender route" means the transmission connectivity from the sender (source) to the destination (receiver R) through a series of coordinates. In a similar context of the invention, the term "receiver route" means the transmission connectivity from the destination (receiver R) to the sender (source) through a series of coordinates. The receiver route need not have the same coordinates as the sender route.
[0016] In the context of the invention, the term "physical route" means the physical connectivity from source to destination through a series of coordinates wherein each of the segments of the route is a physical segment. In a simple embodiment of the invention, a Segment may comprise one optical fiber, or one wire.
[0017] In the context of the invention, the term "physical portion" or "physical segment" means any portion or portions of the route which comprise one or more physical transmission media. Physical transmission media include, for example, one or more optical fibers, one or more fiber optic cables (a cable comprises 2 or more optical fibers), one or more coaxial cables, one or more conventional or other wires, one or more switching devices (such as routers, converters and repeaters) and one or more wireless connections, such as Wi-Fi nodes. Thus, in one aspect of some preferred embodiments of the invention, a physical route can include wireless communication segments. In other aspects of some preferred embodiments of the invention, a physical route can include only physical segments.
[0018] In the context of the invention, the term "virtual path ("VP")" means the path taken by the message, key or datastream from a sender (S) to a receiver (R) or from a receiver R to a sender S. A virtual path travels through each of the segments of the specific route, from coordinate to coordinate, in a sequence as mapped or directed by a system, method or device of the invention as embodied, for example, in software in a server or on any type of chip. Because many segments have a plurality of possible paths through each segment, numerous unique virtual paths are possible through any specific Route. For instance, a single optical fiber Segment may comprise dozens of possible Virtual Paths through it, even though it comprises only one physical Segment.
[0019] In the context of the invention, the term "virtual path hopping ("path hopping")" means the step, action or activity of switching the path or paths taken by the message, key or datastream from a sender (S) to a receiver (R) or from a receiver R to a sender S, to other paths. Path hopping can thus switch both the Route and the paths taken by the data or by the key exchange.
[0020] A virtual path travels through each of the segments of the specific route, from coordinate to coordinate, in a sequence as mapped or directed by a system, method or device of the invention as embodied, for example, in software in a server or on any type of chip. Because many segments have a plurality of possible paths through each segment, numerous unique virtual paths are possible through any specific Route. Thus, path hopping provides numerous possible alternate routes and paths from a Sender S to a Receiver R, and vice-versa.
[0021] In the context of the invention, the term "dynamically changes" means the action, act or event whereby the transmission of a key, message or datastream is switched from one route or virtual path to at least one alternate operational route or virtual path, or from one or more virtual paths to one or more alternate virtual paths. This virtual path switching called "path hopping" is the result of the dynamic changes effected in a network, method or system of the invention.
[0022] In the context of the invention, the term "clear-text input port" means a port through which the unencrypted data enters a device or apparatus that is adapted and arranged to implement a method or system of the invention. In the context of the invention, the term "cipher-text output port" means a port through which the encrypted data exits a device implementing a method or system of the invention.
[0023] In the context of the invention, the term "triggering event" means the one or more events that can trigger one or more dynamic changes in one or more of the available routes, virtual paths, or both, with respect to transmitting a message, datastream or key from S to R, or from R to S. Such route/virtual path changes can be made in accordance with triggering events such as a "switching menu" comprising one or more time schedules, one or more message-type schedules, frameworks, one or more randomizing generators, or they can be made in response to a specific triggering event. Examples of such triggering events include a timer time-out, a datastream size limit and the detection of an attempted system hack, or any other possible or detected security breach, or any other system problem.
[0024] In the context of the invention, the term "switching schedule" means a pre-determined schedule of times at which the routes, virtual paths and path hopping patterns are put into effect. A switching schedule of the invention can be determined by any method or means that produces the desired effects of maximizing its unpredictability, as well as its efficiencies. The inventions include also randomizing systems and software which are adapted and arranged to trigger path and route hopping in accordance with one or more mathematical, timing or other functions.
[0025] In the context of the invention, the term "mapping" means the activities or actions of determining the possible routes or virtual paths between S and R (or R and S) over which messages, keys or datastreams, or their combinations, can be sent. In some contexts of the inventions, the term "mapping" can also mean the activity or action of prioritizing or classifying the possible routes or virtual paths with respect to parameters determined or selected by an operator of a system, device, method or apparatus of the inventions. Thus, in the context of the invention, the term "mapping" means the activities or actions of determining the best fiber-optic route or routes to connect two or more points as well as to manage the usage of the chosen route or routes with respect to both encryption and communications efficiencies and security.
[0026] In another significant aspect, software of the invention is adapted and arranged, and adaptable and arrangable, to hone in on the exact location of faults, outages, affected nodes, and customer sites, as well as to shed light on the entire fiber-optic network with respect to efficacy, security and dependability. By identifying the best fiber-optic route according to criteria specified by the user, such as the lowest attenuation, the shortest length, the greatest security conformations or the minimum number of connections, the software saves a significant amount of work for both sales and provisioning personnel by eliminating countless hours finding spare fibers in each cable and virtually splicing the fibers.
SUMMARY OF THE INVENTION
[0027] Accordingly, it is an object of the present invention to remedy the drawbacks of conventional encryption systems by providing methods, apparatus, software, firmware, hardware, devices, systems, business methods and combinations thereof which are adapted and arranged for minimizing or eliminating these disadvantages.
[0028] Another object of the present invention is to provide methods and systems for providing reliable encryption/decryption protocols in the context of the transmission, over one or more optical fibers, or over one or more wired or wireless systems, that can be managed remotely and immediately to fulfill the commercial goals of the users of such systems and networks.
[0029] Yet another object of the invention is to provide ways of utilizing methods, networks, apparatus, software, firmware, hardware, devices, systems, business methods and combinations thereof to provide secure data transfer within one or more networks, and to dynamically respond to breaches, possible breaches or suspected breaches.
[0030] In accordance with this and other objects of the invention methods, networks, devices, and systems for increasing the security of encrypted digital data transmitted over one or more routes between a sender and a receiver over at least one network via one or more systems utilizing at least one form of key exchange encryption, are provided.
[0031] In one preferred embodiment, the present method comprises the steps of: A, mapping a plurality of unique virtual paths over the possible routes between the sender and the receiver to create a formulated virtual path set, then B, choosing from the formulated virtual path set a first key exchange path over which a key exchange session can be performed, then C, performing a first key exchange session over the first key exchange path, then D, choosing from the formulated virtual path set a first data virtual path over which the encrypted data is to be transmitted, wherein the first data virtual exchange path is different from the first key exchange path, and then E, transmitting the encrypted data over the first data virtual path.
[0032] In this and other preferred embodiments, Step B can be repeated to provide one or more alternate virtual key exchange paths for performing the key exchange session. In another significant aspect, Step D can be repeated to provide one or more alternate data virtual paths for transmitting the encrypted data. As yet another advantage of some preferred embodiments of the invention, the method comprises Step F, which is preferably performed after Step E, and comprises the act or action of choosing from the formulated virtual path set one or more alternative data virtual paths for transmission of the encrypted data. Furthermore, some preferred embodiments of a method of the invention comprise the further Step of G, the act or action of monitoring the chosen virtual paths to effect detection of possible problems, wherein the possible problems include one or more breaches of security.
[0033] Preferred methods of the invention may further comprise Step H, which is performed after Step G, and in response to the detection of a problem, of choosing from the formulated virtual path set one or more alternative key exchange paths over which a key exchange session can be performed. A further step is that of Step I, choosing from the formulated virtual path set a second data virtual path over which the encrypted data can be transmitted.
[0034] In some preferred embodiments of the methods of the invention, the virtual paths of the formulated set are paths comprising at least one physical segment. Preferably, each possible route comprises numerous virtual paths, or at least a plurality of virtual paths. In accordance with other objects and advantages of methods of the invention, some preferred embodiments of the network preferably comprise optical transport segments and the different routes comprise physical links in the network. In a similar advantageous aspect, a network according to the invention comprises optical transport segments, and the different routes and paths comprise distinctive wavelengths.
[0035] In some preferred embodiments of methods and systems of the invention, each distinctive wavelength is mapped to a different physical port in the network. In accordance with additional objects and advantages of preferred methods and systems of the invention, the network comprises one or more selected from the group comprising SONET and SONET/SDH networks, and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR.
[0036] In another key advantage, the network may comprise one or more selected from the group comprising SONET and SONET/SDH networks and the routes are one or more selected from the group comprising APS, BLSR and UPSR. Similarly, a system of the invention may comprise a network, such as an MPLS network, and the different routes may comprise one or more physical links. Systems, networks and methods of the invention may also include wherein the network comprises a Switched Ethernet network and the different routes comprise physical links.
[0037] In other key aspects of preferred methods and systems of the invention, the detection of the security breach in Step G is effected early with respect to one or more optical fibers or cables, and the detection can be facilitated by means of standard digital diagnostics as are known in the industry, or by any means or method that is adapted and arranged to detect any type of security breach.
[0038] In yet other key aspects of preferred methods and systems of the invention the standard digital diagnostics are contained within one or more pluggable optical devices provided in a system, device, apparatus or network adapted and arranged to practice the invention. As an additional key aspect, changes in the virtual data routes and paths and the encryption key routes and paths are preferably effected immediately upon detection of at least one breach. In yet another key aspect of methods and systems of the invention, the operative connections between the various segments of routes and paths are facilitated by one or more of software means, hardware means, firmware means, and combinations thereof.
[0039] Advantageously, the invention includes devices, apparatus, networks and systems for effecting the methods of the invention. For example, a preferred apparatus, device or system of the invention for increasing the security of encrypted data transmitted over one or more routes between a sender and a receiver over a network via one or more public-key exchange encryption systems, includes the key components for effecting one or more preferred embodiments of the methods of the invention. These key components include i) means for mapping a plurality of unique virtual paths over the possible routes between the sender and the receiver to create a formulated virtual path set, ii) means for choosing from the formulated virtual path set a first key exchange path over which a key exchange session can be performed, iii) means for performing a first key exchange session over the first key exchange path, iv) means for choosing from the formulated virtual path set a first data virtual path over which the encrypted data is to be transmitted, and v) means for transmitting the encrypted data over the first data virtual path.
[0040] A preferred method, network, apparatus, device or system of the invention may further include means for repeating Step B of the method to provide one or more alternate virtual key exchange paths for performing the key exchange session. As yet another advantage, a preferred apparatus, device or system of the invention may further include means for repeating Step D to provide one or more alternate data virtual paths for transmitting and/or receiving the encrypted data.
[0041] In accordance with yet other objects of the invention, networks, devices, methods and systems for increasing the security of encrypted digital data transmitted over one or more routes or paths between a sender and a receiver over the network via one or more public-key exchange encryption systems are provided. In some preferred embodiments, a network of the invention comprises the elements, components, devices, or apparatus including at least one means A, wherein means A is adapted and arranged for mapping a plurality of unique virtual paths over the possible routes between the sender and the receiver to create a formulated virtual path set, at least one means B, wherein means B is adapted and arranged for selecting, from the formulated virtual path set, a first key exchange path over which a key exchange session can be performed, at least one means C, wherein means C is adapted and arranged for performing a first key exchange session over the first key exchange path, at least one means D, wherein means D is adapted and arranged for selecting, from the formulated virtual path set, a first data virtual path over which the encrypted data is to be transmitted, at least one means E, wherein means E is adapted and arranged for encrypting the data to be sent, and at least one means F, wherein means F is adapted and arranged for transmitting the encrypted data over the first data virtual path.
[0042] In a key aspect, one or more of the means recited in elements A, B, C, D, E and F of the network are software means or software-facilitated means. In another key aspect, any of the means recited herein may include any of the devices as disclosed herein, or as known in the relevant art. As a further advantageous characteristic, means B and means C of the network are adapted and arranged to be used repeatedly to provide one or more alternate virtual key exchange paths for performing the key exchange session. Similarly, the network is adapted and arranged such that means D can be utilized repeatedly to provide one or more alternate data virtual paths and/or routes for transmitting the encrypted data.
[0043] In accordance with another preferred aspect of some embodiments of the invention, the network further comprises means G, means for selecting, from the formulated virtual path set, one or more alternative data virtual paths and/or routes for the transmission of the encrypted data. In addition, the network may further comprise means H, means for monitoring the chosen virtual paths to effect detection of possible problems, wherein the possible problems include one or more breaches of security, as well as means I, means for responding to the detection of a problem, by selecting from the formulated virtual path set one or more alternative key exchange paths over which a key exchange session can be performed. In yet another positive aspect, the network may further comprise means J, means for selecting from the formulated virtual path set a second data virtual path and/or route over which the encrypted data can be transmitted.
[0044] As another advantage, a network of the invention can be adapted and arranged such that each of the virtual paths of the formulated virtual path set comprises at least one physical segment, and wherein each possible route comprises a plurality of virtual paths. Thus, in accordance with the objects and advantages of a network of the invention, the means elements of the network can comprise one or more of means A, means B, means C, means D, means E, means F, means G, means H, means I and means J, and one or more of these means can comprise software, or software-facilitated devices or means. Other aspects of the present network include those as described herein with respect to other embodiments of the methods and networks of the invention.
[0045] In accordance with still other objects and advantageous aspects of the invention, a network is provided wherein the network is adapted and arranged for increasing the security of encrypted data transmitted over one or more paths and/or routes between a sender and a receiver over the network via one or more public-key exchange encryption systems. In some preferred embodiments, the network comprises A. at least one means A, wherein means A is adapted and arranged for mapping a plurality of unique virtual paths over the possible routes between the sender and the receiver to create a formulated virtual path set, B. at least one means B, wherein means B is adapted and arranged for selecting, from the formulated virtual path set, a first key exchange path over which a key exchange session can be performed, C. at least one means C, wherein means C is adapted and arranged for performing a first key exchange session over the first key exchange path, D. at least one means D, wherein means D is adapted and arranged for selecting, from the formulated virtual path set, a first data virtual path over which the encrypted data is to be transmitted,
E. at least one means E, wherein means E is adapted and arranged for encrypting the data to be sent, and F. at least one means F, wherein means F is adapted and arranged for transmitting the encrypted data over the first data virtual path.
[0046] In a key aspect, one or more of the means recited in elements A, B, C, D, E and F of the network are software means or software-facilitated means. As a further advantageous characteristic, means B of the network is adapted and arranged to be used repeatedly to provide one or more alternate virtual key exchange paths for performing the key exchange session. Similarly, the network is adapted and arranged such that means D can be utilized repeatedly to provide one or more alternate data virtual paths and/or routes for transmitting the encrypted data.
[0047] In accordance with another preferred aspect of some embodiments of the invention, the network further comprises means G, means for selecting, from the formulated virtual path set, one or more alternative data virtual paths and/or routes for the transmission of the encrypted data. In addition, the network may further comprise means H, means for monitoring the chosen virtual paths to effect detection of possible problems, wherein the possible problems include one or more breaches of security, as well as means I, means for responding to the detection of a problem, by selecting from the formulated virtual path set one or more alternative key exchange paths over which a key exchange session can be performed. In yet another positive aspect, the network may further comprise means J, means for selecting from the formulated virtual path set a second data virtual path and/or route over which the encrypted data can be transmitted.
[0048] As another advantage, a network of the invention can be adapted and arranged such that each of the virtual paths of the formulated virtual path set comprises at least one physical segment, and wherein each possible route comprises a plurality of virtual paths. In yet another aspect, some preferred embodiments of the invention include wherein the network comprises optical transport segments and the different routes comprise physical links in the network, as well as where the network comprises optical transport segments and the different routes and paths comprise distinct wavelengths. Moreover, in accordance with other aspects, in some preferred embodiments, each distinct wavelength, for example in embodiments using one or more optical fibers, is mapped to a different physical port in the network.
[0049] As yet an additional advantage of the networks, devices, systems and methods of the invention, in some embodiments, the network can comprise one or more selected from the group comprising SONET and SONET/SDH networks and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR, and those with desirable or amenable characteristics. A network of the invention may include also one or more MPLS networks, and the different routes may comprise physical links. For example, a network of the invention may include those where the network is switched Ethernet and the different routes comprise physical links.
[0050] In another significant aspect, a network of the invention can be adapted and arranged such that the detection of a security breach or possible security breach is by means H, and is effected early with respect to one or more wires, optical fibers or cables, and the detection is facilitated by means of standard digital diagnostics. Moreover, the standard digital diagnostics can be contained within one or more pluggable optical devices provided in the network.
[0051] As another positive aspect of the invention, some preferred embodiments of a network are adapted and arranged such that changes in the virtual data routes and paths, and the encryption key routes and paths, are effected immediately by the network upon detection of at least one breach. Thus, path and route switching can be accomplished on an immediate basis to foil hack attempts or other breaches. Moreover, in some embodiments, a network of the invention can be adapted and arranged such that operative connections and changes in network configurations between the various segments of routes and paths are facilitated by one or more of software means, hardware means, firmware means, and combinations thereof. In many preferred embodiments of a network of the invention software or software facilitated means can be used to effect one or more of the necessary functions, and to coordinate the function with one another.
[0052] For example, one or more of the means A, B, C, D, E, F, G, H, I and J, can be software means or software facilitated means, for example, contained in a digital media storage device. Storage devices, switches, and other devices are also significant elements of a network of the invention. As examples, preferred embodiments of the invention include those wherein the network comprises one or more devices from the group comprising switches, routers, pluggable optical devices, multi-interface servers or workstations, add-drop multiplexers (ADM's), and optical add-drop multiplexers (OADM's), and any other devices which have desirable or advantageous functions or characteristics.
[0053] In accordance with still other objects and positive aspects of the invention, a method for the early detection and counteraction of breaches of digital communications between at least one sender and at least one receiver in a digital communications network, the network utilizing at least one form of key exchange encryption, is provided. In one preferred embodiment, a method of the invention comprises the steps of: A. mapping a plurality of unique virtual paths over the possible routes between the at least one sender and the at least one receiver to create a formulated virtual path set, B. choosing from the formulated virtual path set a first key exchange path over which a key exchange session can be performed, C. performing a first key exchange session over the first key exchange path, D. choosing from the formulated virtual path set a first data virtual path over which the encrypted data is to be transmitted, wherein the first data virtual exchange path is different from the first key exchange path, E. transmitting the encrypted data over the first data virtual path, F. monitoring the chosen virtual paths to effect detection of breaches or possible breaches, and G. when detection of a breach or possible breach is effected, choosing from the formulated virtual path set, one or more alternative key exchange paths over which a key exchange session can be performed.
[0054] In other preferred embodiments, a method of the invention, further comprises the Step of H, when a breach or possible breach is detected, choosing from the formulated virtual path set one or more alternative routes or data virtual paths over which the data can be transmitted, and can also comprise the Step of I, transmitting the data over one or more of the chosen alternative routes or virtual paths. This similarly pertains to the switching of routes and paths for one or more key exchange sessions. Preferably, the method can include wherein the data is encrypted before being transmitted.
[0055] As another advantage, some preferred embodiments of the methods of the invention can include wherein Steps F and G are performed during one or more of Step C, Step E, or both. A method of the invention may also further comprise the Step of J, wherein, in response to the detection of a problem, choosing from the formulated virtual path set one or more alternative key exchange paths over which a key exchange session can be performed. Thus, one or both of the key exchange routes and paths, and the data routes and paths can be switched either in response to a detected problem, such as a breach, or according to a schedule or other switching functions of the network. In accordance with yet additional objects and advantages of the invention, the present methods may include wherein each of the virtual paths of the formulated virtual path set comprises at least one physical segment, and wherein each possible route comprises numerous or a plurality of virtual paths.
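The step sequence described in paragraphs [0031] to [0035] and restated in [0053] to [0055] (map the path set, pick a key exchange path, pick a distinct data path, monitor, and re-pick both on detection of a breach) can be modelled as a small controller. The following Python is an added illustration written for this page, not code from the patent or from MRV Communications. It models "standard digital diagnostics" as a per-path received optical power reading and treats a drop below a learned baseline as a possible breach; the 1 dB threshold, the path-set layout, the class and function names, and the diagnostics values are all constructed assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualPath:
    """One unique virtual line of connectivity between S and R (constructed model)."""
    segment: str        # physical segment the path traverses, e.g. "SEG1"
    medium: str         # fiber or wire identifier inside that segment, e.g. "F19"
    wavelength_nm: int  # distinct wavelength (lambda) carried on that medium


def map_virtual_paths(segments):
    """Step A: build the formulated virtual path set.

    `segments` maps segment name -> {medium name -> list of wavelengths}.
    Every (segment, medium, wavelength) triple is one virtual path.
    """
    return [VirtualPath(seg, med, lam)
            for seg, media in segments.items()
            for med, lambdas in media.items()
            for lam in lambdas]


class PathHoppingController:
    """Chooses key-exchange and data paths from the set and re-chooses on a breach.

    Monitoring is a stand-in for pluggable-optic digital diagnostics: a received
    power drop of more than TAP_THRESHOLD_DB below the learned baseline is
    treated as a possible breach. The threshold is an assumption of this example.
    """
    TAP_THRESHOLD_DB = 1.0

    def __init__(self, path_set, seed=None):
        self.path_set = list(path_set)
        self.rng = random.Random(seed)   # randomized choice keeps hops unpredictable
        self.suspect = set()             # paths flagged by monitoring, never reused
        self.baseline_dbm = {}           # per-path received optical power baseline
        self.key_path = None
        self.data_path = None
        self.key_sessions = 0            # number of key exchange sessions performed
        self.events = []

    def _choose(self, exclude):
        candidates = [p for p in self.path_set
                      if p not in exclude and p not in self.suspect]
        if not candidates:
            raise RuntimeError("no unsuspected virtual path left in the set")
        return self.rng.choice(candidates)

    def establish(self):
        """Steps B to E: key exchange path, key session, then a distinct data path."""
        self.key_path = self._choose(set())
        self.key_sessions += 1                           # Step C: perform key exchange
        self.data_path = self._choose({self.key_path})   # Step D: must differ from key path
        self.events.append(("established", self.key_path, self.data_path))

    def monitor(self, readings_dbm):
        """Step F: compare each path's received power against its baseline.

        The first reading for a path learns its baseline. Returns the paths
        judged to be possibly breached; each one triggers on_breach().
        """
        breached = []
        for path, rx_dbm in readings_dbm.items():
            if path not in self.baseline_dbm:
                self.baseline_dbm[path] = rx_dbm
                continue
            if self.baseline_dbm[path] - rx_dbm > self.TAP_THRESHOLD_DB:
                breached.append(path)
        for path in breached:
            self.on_breach(path)
        return breached

    def on_breach(self, path):
        """Steps G to I: mark the path suspect, hop the key path, then the data path."""
        self.suspect.add(path)
        self.key_path = self._choose({path})
        self.key_sessions += 1                           # fresh key exchange on the new path
        self.data_path = self._choose({path, self.key_path})
        self.events.append(("breach", path, self.key_path, self.data_path))


def demo():
    """Constructed single-segment topology: one fiber carrying four wavelengths."""
    paths = map_virtual_paths({"SEG1": {"F19": [1550, 1551, 1552, 1553]}})
    ctl = PathHoppingController(paths, seed=7)
    ctl.establish()
    # Constructed diagnostics: a baseline sweep, then a 3 dB drop on the data path
    baseline = {p: -10.0 for p in paths}
    ctl.monitor(baseline)
    tapped = ctl.data_path
    degraded = dict(baseline)
    degraded[tapped] = -13.0
    flagged = ctl.monitor(degraded)
    return ctl, tapped, flagged


if __name__ == "__main__":
    controller, _, _ = demo()
    for event in controller.events:
        print(event)
```

Two design points follow from the text rather than from the code: the data path is always chosen with the key exchange path excluded, so the two never coincide, and a flagged path is never reused, so every hop after a breach is to a path that monitoring has not questioned. A scheduled hop (paragraph [0024]) would call the same `_choose` logic from a timer instead of from `monitor`.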
[0056] Exemplary of the broad applicability of the present methods, and the many permutations of their embodiments, the methods can include wherein the network comprises optical transport segments and the different routes comprise physical links in the network, as well as wherein the network comprises optical transport segments and the different routes and paths comprise distinct wavelengths. Thus, the permutations of the routes and paths which are possible within the scope of the present methods are enormous, especially in those systems comprising one or more of multiple optical fibers, wires, routers and other switches, and other devices described herein, or which would be comprehended by one of skill in the art.
[0057] In accordance with yet other aspects of the invention, the present methods can include wherein each distinct wavelength is mapped to a different physical port in the network, and embodiments wherein the network comprises one or more selected from the group comprising SONET and SONET/SDH networks and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR.
[0058] As yet an additional advantage of the present methods, in some embodiments, the network can comprise one or more selected from the group comprising SONET and SONET/SDH networks and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR, and those with desirable or amenable characteristics. The present methods are also adapted to function in a network which includes also one or more MPLS networks, and the different routes may comprise physical links. For example, the present methods may include a network where the network is switched Ethernet and the different routes comprise physical links.
[0059] In yet another significant aspect, the present methods include wherein the detection of the security breach in Step G is effected early with respect to one or more optical fibers or cables, and the detection is facilitated by means of standard digital diagnostics, and wherein the standard digital diagnostics are contained within one or more pluggable optical devices provided in the network.
[0060] As another positive aspect of the invention, some preferred embodiments of the methods are adapted and arranged such that changes in the virtual data routes and paths, and the encryption key routes and paths, are effected immediately by the network upon detection of at least one breach. Thus, path and route switching can be accomplished on an immediate basis to foil hack attempts, other breaches and other problems. Moreover, in some embodiments of the present methods, a network of the invention can be adapted and arranged such that operative connections and changes in network configurations between the various segments of routes and paths are facilitated by one or more of software means, hardware means, firmware means, and combinations thereof. In many preferred embodiments of a network of the invention software or software facilitated means can be used to effect one or more of the necessary functions, and to coordinate the function with one another.
[0061] For example, one or more of the means A, B, C, D, E, F, G, H, I and J, can be software means or software facilitated means, for example, contained in a digital media storage device. Storage devices, switches, and other devices are also significant elements of a network of the invention. As examples, preferred embodiments of the invention include those wherein the network comprises one or more devices from the group comprising switches, routers, pluggable optical devices, multi-interface servers or workstations, add-drop multiplexers (ADM's), and optical add-drop multiplexers (OADM's), and any other devices which have desirable or advantageous functions or characteristics.
[0062] As yet another advantage, the present methods comprehend wherein one or more of the devices stores or otherwise keeps track of the paths and routes of the formulated virtual path set for one or more of the key exchange and the data transmission. Moreover, the methods and networks of the inventions can be incorporated into one or more devices, or one or more chips.
[0063] In some key embodiments of the networks, devices and methods of the invention, the dynamic virtual path or route switching is adapted and arranged to occur with respect to automated settings that are facilitated via software or firmware. The software or firmware can be located in various devices, locations and modules, depending on system requirements and functions. In other key embodiments, the dynamic virtual path or route switching occurs with respect to device-based parameters, such as system load or operator intervention, such that, even if a hacker were aware of the underlying systems, he would be guessing at yet another set of parameters. Thus, a Route may comprise a plurality of Segments, and each Segment may comprise a plurality of Virtual Paths. Some of the Segments can be physical in nature, while others may be wireless, infrared, or otherwise non-physical.
DETAILED DESCRIPTION OF THE INVENTION
[0064] There are several primary and many secondary aspects of the present group of inventions that can be understood with respect to examples. One primary aspect relates to the methods, processes and systems of transmitting one or more cryptography keys over one or more digital transmission media wherein at least one of the digital transmission media is a physical medium, such as an optical fiber or optical fiber cable, and to the networks, nodes, devices, apparatus and systems that include or embody the invention in any way. The one or more encryption keys are transmitted over a first set of one or more virtual paths or routes. In one significant aspect, the public encryption key is transmitted separately from the private key. Encrypted messages, data sets or datastreams are transmitted over routes different from the
or third set of virtual paths may comprise a plurality or a very large number of paths.
[0065] A second primary aspect relates to the methods, processes and systems of transmitting one or more messages, data sets or datastreams over one or more digital transmission media, such as those of networks, nodes, devices, apparatus and systems that include or embody the invention in any way, wherein at least one of the digital transmission media is a physical medium, such as an optical fiber or optical fiber cable. The one or more messages, data sets or datastreams are transmitted over a second set of one or more virtual paths. The second set of virtual paths may comprise a plurality or a very large number of paths. Thus, while the encryption keys are sent via a first Virtual Path, the one or more messages, data sets or datastreams are sent via a second, third or fourth Virtual Path, different from the first Virtual Path.
[0066] A third primary aspect relates to the methods, processes and systems of changing the individual virtual paths over which the keys, messages, data sets or datastreams are transmitted. This "Virtual Path Hopping" or "Route Hopping" can be effected by any means, software, scheme, triggers, events or schedules appropriate to the environments, circumstances and nature of the keys, messages, data sets or datastreams that are being transmitted.
[0067] The many embodiments within the scope of the invention can be understood with reference to the attached diagrammatic Figures (FIGS), which are presented as examples only, and not as limitations upon the many preferred embodiments of the invention. These Figures are presented diagrammatically to show some of the key features and aspects of the inventions. Each of the Figures shows a system of the invention comprising 1, 4 or 8 communication segments wherein each of the segments is operatively and sequentially connected to transmit keys, messages, data sets or datastreams between a Sender S and a Receiver R, or between a Receiver R and a Sender S of a system of the invention.
[0068] As one example of a simple embodiment of the invention, a Route between S and R consists of only one Segment, and the Segment consists only of one optical fiber. This type of segment, which consists only of a single optical fiber, is one type of "optical transport segment." In such a simple embodiment where the single optical fiber is typical of those currently used in data transfer technologies, the number of possible Virtual Paths is limited by the number of unique optical (wavelength) paths through the one fiber. In this example of a preferred embodiment of a basic form of the invention, with the term "Virtual Path" describing one unique virtual line of connectivity between Sender (S) and Receiver (R), in a Route having only one Segment, and wherein the Segment has one optical fiber only, the number of possible Virtual Paths is limited by the number of unique optical (wavelength) paths through the one fiber.
[0069] Thus, where the virtual paths are limited or determined by wavelength (Lambda), the number of unique Virtual Paths through a fiber would still approximate 80 in a single conventional fiber. In this example, where the Route has one Segment, the Segment is one optical fiber, and the one optical fiber offers 80 unique Virtual Paths which can be dynamically utilized in the context of the invention. Thus the Route in this example consists of only one Segment, only one fiber, yet includes 80, or more, possible Virtual Paths. Thus a single route can have several, or numerous, possible virtual paths through it.
[0070] In embodiments where there are multiple Segments, such as optical fibers connected by one or more devices, or where one or more of the Segments comprises several or many optical fibers, there are numerous unique Virtual Paths that can be utilized. The combinations/permutations of these Segments and the unique wavelengths/Virtual Paths they include, yield an enormous number of possible unique Virtual Paths from S to R, or from R to S.
[0071] As an example of a basic embodiment of the present invention, Figure 305 shows a system of the invention comprising 1 communication Segment, SEG 1. With reference to Figure 305, a message M, encryption key K, or Datastream DS can be transmitted sequentially from S to R, or from R to S, through Segment S1. SEG S1 comprises single optical fiber F19. Thus, there is only one Route between S and R through fiber F19 of SEG 1. Nonetheless, because fiber F19 has many possible Virtual Paths within it, an encryption key K, message M or Datastream DS can be transmitted through many different possible Virtual Paths. In the context of the invention, the term "Virtual Path" is used to describe each unique virtual line of connectivity between S and R. There can be a few, or many, possible Virtual Paths through a particular Route, depending upon the characteristics of that Route.
[0072] Where the number and characteristics of the Virtual Paths are thus determined by the wavelength(s) (lambda) of the transmitted light, the number of unique Virtual Paths through such a single fiber would typically approximate 80 in a conventional fiber. In this example, the Route has one Segment, the Segment is limited to one optical fiber, and the one optical fiber offers approximately 80 unique Virtual Paths which can be dynamically utilized in the context of the invention. Alternatively stated, in this simplified Route the Route consists of only one Segment, and only one fiber, yet includes 80 possible Virtual Paths. In more advanced fiber types, or with other adaptations, more than 80 Virtual Paths are possible through a single fiber. These general characteristics apply to more complex systems of the networks and methods of the invention. For example, Figure 301 shows a system of the invention comprising 4 communication segments (SEGs). With reference to Figure 301, a message M, encryption key K, or Datastream DS can be transmitted sequentially from S to R or from R to S through the operatively connected Segments S1, S2, S3 and S4.
[0073] With reference to Figure 301, Segment 1 (SEG 1) has a Sender end S1 and a Receiver end R1. Disposed between S1 and R1 are optical fibers F1, F2, F3 and F4. Segment 2 (SEG 2) has a Sender end S2 and a Receiver end R2. Disposed between S2 and R2 are digitally conductive wires W1, W2, W3 and W4. Segment 3 (SEG 3) has a Sender end S3 and a Receiver end R3. Disposed between S3 and R3 are coaxial conductors C1, C2, C3 and C4. Segment 4 (SEG 4) has a Sender end S4 and a Receiver end R4. Disposed between S4 and R4 are optical fibers F5, F6, F7 and F8. Thus a Message M, an encryption key K, Datastream DS or Data D sent from S can travel a number of different routes through SEG 1, a number of different routes through SEG 2, a plurality of different routes through SEG 3, and a plurality of different routes through SEG 4 to arrive at R.
[0074] As another example, FIG. 303 shows a system or network of the invention adapted and arranged for practicing the present methods. The overall Route of FIG. 303 is S - SEG 1 - SEG 2 - SEG 3 - SEG 4 - R. The network or system of FIG. 303 shows a specific Route between Sender S and Receiver R highlighted in the color red. With reference to FIG. 303, the Red Route (shown in red) begins at S and travels through SEG 1 (Segment 1) via S1, through F1 and R1, where it leaves SEG 1 to travel through Device U1, and then through S2 of Segment 2. The Red Route then continues from S2 through W2 and R2 of SEG 2, then through Device U2 and on to S3 of SEG 3. In SEG 3, the Red Route continues through S3 and through C3 to pass through R3 and then out of SEG 3 to travel through Device U3 and into SEG 4 via S4. From S4 in SEG 4, the Red Route continues through F8 to R4 and then out of SEG 4 to Receiver R.
[0075] The Red Route thus extends from Sender S via S1, F1, R1 of SEG 1, then through Device U1, then through SEG 2 via S2, W2 and R2, then through Device U2, then through SEG 3 via S3, C3 and R3 to pass through Device U3, and through SEG 4 via S4, F8 and R4 to enter Receiver R. The Red Route of FIG. 303 can also be expressed in shorthand as: Sender - S1, F1, R1; U1, S2, W2, R2, U2, S3, C3, R3, U3, S4, F8, R4 - Receiver R.
[0076] Significant aspects of another set of embodiments of the invention are shown with reference to FIGS. 302 and 304, each of which shows an embodiment of the invention having 2 sets of Segments (SEGS) disposed between Sender S and Receiver R. With reference to Figure 302, a message M or Datastream DS can be transmitted sequentially from S to R or from R to S through the operatively connected Segments S1, S2, S3 and S4, or through Segments S5, S6, S7 and S8. SEGS S1, S2, S3 and S4 are identical to the corresponding SEGS in FIG. 301, and the general description herein of FIG. 301 applies accordingly. The embodiment shown in FIG. 302 also shows parallel Segments S5, S6, S7 and S8 operatively connected between S and R.
[0077] In FIG. 302, Segment 5 (SEG 5) has a Sender end S5 and a Receiver end R5. Disposed between S5 and R5 in SEG 5 are optical fibers F9, F10, F11 and F12. Segment 6 (SEG 6) has a Sender end S6 and a Receiver end R6. Disposed between S6 and R6 are digitally conductive wires W5, W6, W7 and W8. SEG 7 as shown in FIG. 302 has a Sender end S7 and a Receiver end R7. Disposed between S7 and R7 are coaxial conductors C5, C6, C7 and C8. Segment 8 (SEG 8) has a Sender end S8 and a Receiver end R8. Disposed between S8 and R8 are optical fibers F13, F14, F15 and F16. There are thus numerous possible Virtual Paths between Sender S and Receiver R through SEGS S5, S6, S7 and S8, as well as through SEG 1, SEG 2, SEG 3 and SEG 4. This is further illustrated in FIG. 304.
[0078] FIG. 304 shows the system of FIG. 302, with SEG 7 (coaxial conductors C5, C6, C7 and C8 disposed between Sender end S7 and Receiver end R7) and SEG 8 (optical fibers F13, F14, F15 and F16 disposed between Sender end S8 and Receiver end R8) as before, but also having a specific Green Route between S and R highlighted in the color green, as well as the Red Route identical to that shown in FIG. 303. With reference to FIG. 304, the Green Route (shown in green) begins at S and extends through SEG 5 via S5, then through F11 and via R5 out of SEG 5, then through Device U4, and then through S6 into SEG 6. The Green Route then continues from S6 through W6 and R6, out of SEG 6 and through Device U5, then into SEG 7 via S7, where it extends through C8 and through R7 out of SEG 7, through Device U6 to SEG 8 via S8, through F13, and then through R8 to Receiver R. The Green Route of FIG. 304 can also be expressed in shorthand as: Sender - S5, F11, R5; U4, S6, W6, R6, U5, S7, C8, R7, U6, S8, F13, R8 - Receiver R.
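The segment model of FIGS. 301 through 304 ([0073] to [0078]) worked in code, as an added example that is not part of the application: it enumerates every physical route over the two segment chains of FIG. 302, renders a route in the shorthand of [0075] and [0078], counts the Virtual Paths in the resulting set, and tests whether two routes share a physical medium (a route pair that shares a fiber is not protected by putting the key and the data on different wavelengths of that fiber, since a tap on the fiber reaches every wavelength in it). Segment, medium and device names follow the figures as described; the ~80 wavelengths per fiber come from [0069]; treating a wire or coaxial conductor as a single Virtual Path, and the uniform comma separators in the shorthand, are assumptions of this example.

```python
from itertools import product
from typing import Dict, List, Tuple

# Media drawn in FIGS. 301-304: "F" optical fiber, "W" digitally conductive wire, "C" coax.
SEGMENTS: Dict[int, List[str]] = {
    1: ["F1", "F2", "F3", "F4"],
    2: ["W1", "W2", "W3", "W4"],
    3: ["C1", "C2", "C3", "C4"],
    4: ["F5", "F6", "F7", "F8"],
    5: ["F9", "F10", "F11", "F12"],
    6: ["W5", "W6", "W7", "W8"],
    7: ["C5", "C6", "C7", "C8"],
    8: ["F13", "F14", "F15", "F16"],
}

# The two parallel segment chains of FIG. 302 and the devices joining consecutive segments.
CHAINS: List[Tuple[List[int], List[str]]] = [
    ([1, 2, 3, 4], ["U1", "U2", "U3"]),
    ([5, 6, 7, 8], ["U4", "U5", "U6"]),
]

LAMBDAS_PER_FIBER = 80  # [0069]: roughly 80 wavelength paths in a conventional fiber

Route = Tuple[Tuple[int, str], ...]  # ((segment, medium), ...) from Sender to Receiver

RED: Route = ((1, "F1"), (2, "W2"), (3, "C3"), (4, "F8"))      # Red Route of FIG. 303
GREEN: Route = ((5, "F11"), (6, "W6"), (7, "C8"), (8, "F13"))  # Green Route of FIG. 304


def enumerate_routes() -> List[Route]:
    """Every physical route S -> R: one medium per segment along each chain."""
    routes: List[Route] = []
    for segs, _ in CHAINS:
        for media in product(*(SEGMENTS[s] for s in segs)):
            routes.append(tuple(zip(segs, media)))
    return routes


def shorthand(route: Route) -> str:
    """Render a route in the notation of [0075]/[0078], with uniform comma separators."""
    segs = [seg for seg, _ in route]
    devices = next(devs for chain, devs in CHAINS if chain == segs)
    tokens: List[str] = []
    for i, (seg, medium) in enumerate(route):
        if i:
            tokens.append(devices[i - 1])  # device between segment i-1 and segment i
        tokens += [f"S{seg}", medium, f"R{seg}"]
    return "Sender - " + ", ".join(tokens) + " - Receiver R"


def virtual_paths_on(medium: str) -> int:
    """Assumption: a fiber carries LAMBDAS_PER_FIBER wavelength paths; wire and coax carry one."""
    return LAMBDAS_PER_FIBER if medium.startswith("F") else 1


def count_virtual_paths(routes: List[Route]) -> int:
    """Size of the formulated virtual path set: per-medium paths multiplied along each route, summed."""
    total = 0
    for route in routes:
        n = 1
        for _, medium in route:
            n *= virtual_paths_on(medium)
        total += n
    return total


def physically_disjoint(a: Route, b: Route) -> bool:
    """True when the routes share no medium, so a tap on one cannot observe the other."""
    return not ({m for _, m in a} & {m for _, m in b})


if __name__ == "__main__":
    routes = enumerate_routes()
    print(len(routes), "physical routes,", count_virtual_paths(routes), "virtual paths")
    print(shorthand(RED))
    print(shorthand(GREEN))
    print("red/green physically disjoint:", physically_disjoint(RED, GREEN))
```

With four media per segment and four segments per chain, each chain yields 256 physical routes and the two chains 512; with 80 wavelengths on every fiber the virtual path set grows to 3,276,800 entries, which is the "enormous number" of [0070] made concrete.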
[0079] As an example of the operation of one advantageous aspect of the invention, key exchange can be conducted over the Red Route while transmission of the encrypted data is effected over the Green Route. As one of skill in the art can appreciate, there are numerous combinations of Routes and Virtual Paths in any system of the invention. Thus, while a network or system of the invention might select the Red Route for transmission of a datastream or key exchange, there are numerous possible Virtual Paths through the Red Route.
[0080] In embodiments where there are multiple Segments (SEG's), or where one or more of the Segments comprises several or many optical fibers, wires, coaxial cables or devices or junctions, there are thus numerous unique Virtual Paths that can be utilized. The combinations and permutations of these Segments and the unique Virtual Paths, such as those determined by the range of wavelengths the optical fibers can transmit, yield an enormous number of possible unique Virtual Paths from S to R or from R to S.
[0081] The broad applicability of the invention, as well as its advantageous characteristics as a component of networks or other digital systems, is exemplified with reference to the devices with which it can be used, or into which it can be incorporated. The invention can advantageously be embodied in many devices, systems and networks. These devices include switches, routers, multi-interface servers or workstations, add-drop multiplexers (ADMs), and optical add-drop multiplexers (OADMs). The invention can also be used with, or in association with, any application having more than one physical connection to a network and the ability to dynamically switch between these interfaces.
[0082] In this regard, the networks, systems and methods of the invention also include embodiments in which a divided key exchange session is effected, wherein the key exchange session is conducted over 2 or more Virtual Paths, with different portions of the key being transmitted over different Virtual Paths. Similarly, the networks, systems, devices and methods of the invention also include embodiments wherein a divided datastream or message is conducted over 2 or more Virtual Paths, thus increasing the level of security even further.
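A simulation of the selection logic of [0079] and [0082], and of means A through H of claim 1, added here as an example and not code from the application. A Virtual Path is modelled by the physical media it traverses; key-exchange paths are chosen medium-disjoint from one another and from the data path, because two wavelengths on the same fiber are distinct Virtual Paths in the sense of [0069] but a tap on that fiber sees both. The divided key exchange of [0082] is realised here as XOR secret sharing of a fresh session key, so that an eavesdropper on fewer than all of the key paths learns nothing about the key; on a breach report the controller excludes the affected medium, re-selects paths and issues new shares. The path names, media sets, share scheme and greedy selection are assumptions of this example, and the application leaves the key-exchange algorithm itself open, so none is prescribed here.

```python
import random
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class VirtualPath:
    name: str
    media: FrozenSet[str]  # physical media (fibers, wires, coax) the path traverses


def xor_split(secret: bytes, n: int) -> List[bytes]:
    """Split `secret` into n shares; any n-1 of them are uniformly random and reveal nothing."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = bytes(secret)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    return shares + [last]


def xor_join(shares: List[bytes]) -> bytes:
    """Receiver side: recombine all shares into the session key."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


class PathController:
    """Means A-H of claim 1 in simulation: path set, selection, divided key exchange, breach response."""

    def __init__(self, path_set: List[VirtualPath], rng: Optional[random.Random] = None):
        self.path_set = list(path_set)          # means A: the formulated virtual path set
        self.compromised: Set[str] = set()      # media flagged by the monitor (means F)
        self.key_paths: List[VirtualPath] = []
        self.data_path: Optional[VirtualPath] = None
        self._rng = rng or random.SystemRandom()

    def _usable(self) -> List[VirtualPath]:
        return [p for p in self.path_set if not (p.media & self.compromised)]

    def choose_key_paths(self, n: int) -> List[VirtualPath]:
        """Means B / [0082]: n mutually medium-disjoint paths, one per key share (greedy random pick)."""
        usable = self._usable()
        chosen: List[VirtualPath] = []
        used: Set[str] = set()
        for p in self._rng.sample(usable, len(usable)):
            if not (p.media & used):
                chosen.append(p)
                used |= p.media
            if len(chosen) == n:
                break
        if len(chosen) < n:
            raise RuntimeError("not enough medium-disjoint paths for the key exchange")
        self.key_paths = chosen
        return chosen

    def choose_data_path(self) -> VirtualPath:
        """Means D: a data path sharing no medium with any key path."""
        key_media = set().union(*(p.media for p in self.key_paths))
        candidates = [p for p in self._usable() if not (p.media & key_media)]
        if not candidates:
            raise RuntimeError("no data path disjoint from the key paths")
        self.data_path = self._rng.choice(candidates)
        return self.data_path

    def divided_key_exchange(self, key: bytes) -> Dict[str, bytes]:
        """Means C / [0082]: one share of the session key per key path; the receiver xor_joins them."""
        shares = xor_split(key, len(self.key_paths))
        return {p.name: share for p, share in zip(self.key_paths, shares)}

    def on_breach(self, medium: str, n_key_paths: int) -> Dict[str, bytes]:
        """Means G/H: exclude the breached medium, re-select all paths, start a new divided key exchange."""
        self.compromised.add(medium)
        self.choose_key_paths(n_key_paths)
        self.choose_data_path()
        return self.divided_key_exchange(secrets.token_bytes(32))


# Constructed path set: wavelength paths ("l1", "l2") over the routes of FIGS. 303/304 and four others.
# red/l1 and red/l2 are distinct Virtual Paths but share every medium, so they are never picked together.
PATH_SET = [
    VirtualPath("red/l1", frozenset({"F1", "W2", "C3", "F8"})),
    VirtualPath("red/l2", frozenset({"F1", "W2", "C3", "F8"})),
    VirtualPath("green/l1", frozenset({"F11", "W6", "C8", "F13"})),
    VirtualPath("blue/l1", frozenset({"F2", "W1", "C1", "F5"})),
    VirtualPath("amber/l1", frozenset({"F9", "W5", "C5", "F14"})),
    VirtualPath("violet/l1", frozenset({"F3", "W3", "C2", "F6"})),
]

if __name__ == "__main__":
    ctl = PathController(PATH_SET)
    ctl.choose_key_paths(2)
    ctl.choose_data_path()
    print("key paths:", [p.name for p in ctl.key_paths], "data path:", ctl.data_path.name)
    shares = ctl.on_breach("F1", 2)  # monitor reports a tap on fiber F1
    print("after breach of F1, key shares travel over:", sorted(shares))
```

The greedy pick is enough for a small set; a production controller would also weigh link health and latency, and with only two usable paths left the controller refuses rather than placing key and data on shared media.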
[0083] Additional positive characteristics pertain to the software aspects and modules of the invention. For example, the software means for performing the activities required to effect the functions of the present invention is adapted and arranged, or can be adapted and arranged, to provide any capabilities necessary to perform the desired functions.
[0084] As an example, some software modules of the invention are adapted and arranged to measure the performance parameters of any system in which they are utilized. In some preferred embodiments, the invention can thereby both monitor the system in which it is being used and track the parameters of the system while it is in use. Similarly, the setting of alarms or path-switching, and of correlated actions, can be defined based on system needs or requirements.
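The monitoring module of [0084], with the breach detection by standard digital diagnostics in pluggable optical devices that claims 37 through 39 describe, as an added example that is not code from the application: a detector over per-port receive-power readings of the kind an SFF-8472 digital diagnostics poll of a pluggable transceiver returns. It learns a baseline per port and raises an alarm on loss of signal (cut or pulled fiber) or on a drop that persists for several samples, which is the signature a tap coupler's insertion loss leaves; the alarm names the medium so the path-switching logic can exclude it. The sample series, the 1.0 dB threshold, the three-sample persistence and the -30 dBm floor are constructed assumptions.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed receive-power series (dBm) per optical port, as a poller reading the
# SFF-8472 digital diagnostics of a pluggable transceiver would collect them.
# Values, the 1.0 dB tap threshold and the -30 dBm loss-of-signal floor are assumptions.
SAMPLES: Dict[str, List[float]] = {
    # quiet baseline, then a sustained ~1.3 dB drop consistent with a tap coupler inserted on F1
    "SEG1/F1": [-7.0, -7.1, -6.9, -7.0, -7.0, -7.1, -6.9, -7.0, -8.3, -8.4, -8.2, -8.3],
    # fiber cut or pulled connector: power collapses to the receiver floor
    "SEG1/F2": [-7.2, -7.3, -7.1, -7.2, -7.2, -7.3, -7.1, -7.2, -7.2, -40.0, -40.0],
    # healthy link with one transient dip that must not raise an alarm
    "SEG4/F8": [-6.5, -6.6, -6.4, -6.5, -6.5, -6.6, -6.4, -6.5,
                -6.5, -6.6, -6.4, -6.5, -7.9, -6.5, -6.6, -6.4],
}


@dataclass
class Alarm:
    port: str
    index: int            # sample index at which the alarm was raised
    baseline_dbm: float
    observed_dbm: float
    kind: str             # "drop" (possible tap) or "los" (loss of signal)


def detect_power_drop(port: str, readings: List[float], baseline_window: int = 8,
                      drop_db: float = 1.0, persist: int = 3,
                      los_dbm: float = -30.0) -> Optional[Alarm]:
    """Alarm on loss of signal, or on a drop of at least drop_db below the learned baseline
    that persists for `persist` consecutive samples (single-sample dips are ignored)."""
    baseline = statistics.median(readings[:baseline_window])
    run = 0
    for i in range(baseline_window, len(readings)):
        rx = readings[i]
        if rx <= los_dbm:
            return Alarm(port, i, baseline, rx, "los")
        if baseline - rx >= drop_db:
            run += 1
            if run >= persist:
                return Alarm(port, i, baseline, rx, "drop")
        else:
            run = 0
    return None


def scan(samples: Dict[str, List[float]]) -> Dict[str, Optional[Alarm]]:
    """Run the detector over every monitored port."""
    return {port: detect_power_drop(port, series) for port, series in samples.items()}


def breached_media(samples: Dict[str, List[float]]) -> List[str]:
    """Media to hand to the path-switching logic (means G/H) when an alarm fires."""
    return sorted(port.split("/")[1] for port, alarm in scan(samples).items() if alarm)


if __name__ == "__main__":
    for port, alarm in scan(SAMPLES).items():
        print(port, "->", alarm or "ok")
    print("switch away from:", breached_media(SAMPLES))
```

Two caveats a practitioner would add: SFF-8472 specifies only coarse absolute accuracy for received power, so the detector must work on relative change against a per-port baseline as above, and optical taps can be built with very small coupling ratios whose insertion loss sits inside normal power variation. Power monitoring therefore catches cuts and crude taps and buys early warning; it does not replace encrypting the data, which the application does not propose it should.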
[0085] Thus, the invention may further comprise software means for configuring and reconfiguring, and for dynamically switching, one or a plurality of Routes and Virtual Paths such that security is continually maintained. The present invention also includes methods for using and configuring the various elements, apparatus, devices and networks of the invention. As an example, the invention includes a method for increasing the speed and management characteristics of a fiber-optic communications network while increasing its security against hacking and other breaches.
[0086] The present methods and systems of the invention are thus directed toward increasing the speed, applicability and dependability of the transfer of encrypted digital data in one or more networks, or between one or more senders and one or more receivers of the encrypted data. The present methods, networks, apparatus, software, hardware, devices, systems, and combinations thereof are also fully integratable into conventional networks and systems, in accordance with standard and known procedures and equipment in the field, with the assistance of the present disclosure.
[0087] In another key aspect of the devices of the present invention, software means, or combinations of hardware and software means, are used to facilitate many of their critical functions. For example, the invention includes software means for accomplishing, in combination with switches and other hardware, all of the desired functions and capabilities of the invention.
[0088] Although the present invention and its advantages in the field have been described in detail, those of ordinary skill in the art will understand that various changes, substitutions, alterations and adaptations can be made herein without departing from the scope and spirit of the invention as defined by the following claims and elsewhere herein.

Claims

WHAT IS CLAIMED IS:
1. A network adapted and arranged for the early detection and counteraction of breaches of digital communications between at least one sender and at least one receiver in a digital communications network, the network utilizing at least one form of key exchange encryption, the network comprising:
A. means A, wherein means A is adapted and arranged for mapping a plurality of unique virtual paths over the possible routes between the at least one sender and the at least one receiver to create a formulated virtual path set,
B. means B, wherein means B is adapted and arranged for choosing from the formulated virtual path set a first key exchange path over which a key exchange session can be performed,
C. means C, wherein means C is adapted and arranged for performing a first key exchange session over the first key exchange path,
D. means D, wherein means D is adapted and arranged for choosing from the formulated virtual path set a first data virtual path over which the encrypted data is to be transmitted, wherein the first data virtual path is different from the first key exchange path,
E. means E, wherein means E is adapted and arranged for transmitting the encrypted data over the first data virtual path,
F. means F, wherein means F is adapted and arranged for monitoring the chosen virtual paths to effect detection of breaches or possible breaches, and
G. means G, wherein means G is adapted and arranged for choosing, when detection of a breach or possible breach is effected, from the formulated virtual path set, one or more alternative key exchange paths over which a key exchange session can be performed.
2. The network of claim 1, further comprising means H, wherein means H is adapted and arranged such that, when a breach or possible breach is detected, means H effects one or more selections from the formulated virtual path set to provide one or more alternative data paths or routes over which the data can be transmitted.
3. The network of claim 2, further comprising means I, wherein means I is adapted and arranged for transmitting the data over one or more of the chosen alternative virtual paths.
4. The network of claim 3, further comprising means J, wherein means J is adapted and arranged, in response to the detection of a breach or possible breach, effects one or more selections from the formulated virtual path set to provide one or more alternative data paths or routes over which the data can be transmitted.
5. The network of claim 4, wherein one or more of means A, B, C, D, E, F, G, H, I and J, are software means or software-facilitated means.
6. The network of claim 1, wherein means B is adapted and arranged to be used repeatedly to provide one or more alternate virtual key exchange paths for performing the key exchange session.
7. The network of claim 1, wherein means D is adapted and arranged to be utilized repeatedly to provide one or more alternate data virtual paths for transmitting the encrypted data.
8. The network of claim 1, adapted and arranged such that the data is encrypted before being transmitted.
9. The network of claim 1, wherein means F and G are adapted and arranged to function in conjunction with one or more of means B, means C, means D, and means E.
10. The network of claim 1, wherein each of the virtual paths of the formulated virtual path set comprise at least one physical segment.
11. The network of claim 1, wherein each possible route comprises numerous or a plurality of virtual paths.
12. The network of claim 1, wherein the network comprises optical transport segments and the different routes comprise physical links in the network.
13. The network of claim 1, wherein the network comprises optical transport segments and the different routes and paths comprise distinct wavelengths.
14. The network of claim 13, wherein each distinct wavelength is mapped to a different physical port in the network.
15. The network of claim 1, wherein the network comprises one or more characteristics selected from the group comprising SONET and SONET/SDH networks and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR.
16. The network of claim 1, wherein the network is an MPLS network and the different routes comprise physical links.
17. The network of claim 1, wherein operative connections between the various segments of routes and paths are facilitated by one or more of software means, hardware means, firmware means, and combinations thereof.
18. The network of claim 1, wherein the network comprises one or more devices from the group comprising switches, routers, pluggable optical devices, multi-interface servers or workstations, add-drop multiplexers (ADMs), and optical add-drop multiplexers (OADMs).
19. The network of claim 18, wherein one or more of the devices stores or otherwise keeps track of the paths and routes of the formulated virtual path set for one or more of the key exchange and the data transmission.
20. The network of claim 1, wherein the network or portions thereof are incorporated into one or more devices, or one or more chips.
21. A chip comprising software for effecting the functions of the network of Claim 1.
22. The network of claim 18, wherein one or more of the devices stores information regarding, or otherwise keeps track of, the paths and routes of the formulated virtual path set for one or more of the key exchange and the data transmission functions.
23. A method for the early detection and counteraction of breaches of digital communications between at least one sender and at least one receiver in a digital communications network, the network utilizing at least one form of key exchange encryption, the method comprising the steps of:
A. mapping a plurality of unique virtual paths over the possible routes between the at least one sender and the at least one receiver to create a formulated virtual path set,
B. choosing from the formulated virtual path set a first key exchange path over which a key exchange session can be performed,
C. performing a first key exchange session over the first key exchange path,
D. choosing from the formulated virtual path set a first data virtual path over which the encrypted data is to be transmitted, wherein the first data virtual path is different from the first key exchange path,
E. transmitting the encrypted data over the first data virtual path,
F. monitoring the chosen virtual paths to effect detection of breaches or possible breaches, and
G. when detection of a breach or possible breach is effected, choosing from the formulated virtual path set, one or more alternative key exchange paths over which a key exchange session can be performed.
24. The method of claim 23, further comprising the Step of H, when a breach or possible breach is detected, choosing from the formulated virtual path set one or more alternative data virtual paths over which the data can be transmitted.
25. The method of claim 24, further comprising the Step of I, transmitting the data over one or more of the chosen alternative virtual paths.
26. The method of claim 23, wherein the data is encrypted before being transmitted.
27. The method of claim 23, wherein Steps F and G are performed during Step C, Step E, or both.
28. The method of claim 23, further comprising the Step of J, in response to the detection of a problem, choosing from the formulated virtual path set one or more alternative key exchange paths over which a key exchange session can be performed.
29. The method of claim 23, wherein each of the virtual paths of the formulated virtual path set comprise at least one physical segment.
30. The method of claim 23, wherein each possible route comprises numerous or a plurality of virtual paths.
31. The method of claim 23, wherein the network comprises optical transport segments and the different routes comprise physical links in the network.
32. The method of claim 23, wherein the network comprises optical transport segments and the different routes and paths comprise distinct wavelengths.
33. The method of claim 23, wherein each distinct wavelength is mapped to a different physical port in the network.
34. The method of claim 23, wherein the network comprises one or more selected from the group comprising SONET and SONET/SDH networks and the routes and paths are one or more selected from the group comprising APS, BLSR and UPSR.
35. The method of claim 23, wherein the network is an MPLS network and the different routes comprise physical links.
36. The method of claim 23, wherein the network is switched Ethernet and the different routes comprise physical links.
37. The method of claim 23, wherein the detection of the security breach in Step G is effected early with respect to one or more optical fibers or cables, and the detection is facilitated by means of standard digital diagnostics.
38. The method of claim 37, wherein the standard digital diagnostics are contained within one or more pluggable optical devices provided in the network.
39. The method of claim 37, wherein changes in the virtual data routes and paths and the encryption key routes and paths are effected immediately upon detection of at least one breach.
40. The method of claim 23, wherein operative connections between the various segments of routes and paths are facilitated by one or more of software means, hardware means, firmware means, and combinations thereof.
41. The method of claim 23, in combination with a network, wherein the network comprises one or more devices from the group comprising switches, routers, pluggable optical devices, multi-interface servers or workstations, add-drop multiplexers (ADMs), and optical add-drop multiplexers (OADMs).
42. The method of claim 41, wherein one or more of the devices stores or otherwise keeps track of the paths and routes of the formulated virtual path set for one or more of the key exchange and the data transmission.
43. The method of claim 23, incorporated into one or more devices, or one or more chips.
PCT/US2010/002371 2009-09-04 2010-08-30 Dynamically switchable, encryption-adaptable and monitored, high speed, high capacity networks, methods, modules and systems, utilizing multiple and variable path transmission and breach detection capabilities WO2011028265A2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US27227309P 2009-09-04 2009-09-04
US61/272,273 2009-09-04
US34458310P 2010-08-26 2010-08-26
US61/344,583 2010-08-26

Publications (2)

Publication Number Publication Date
WO2011028265A2 true WO2011028265A2 (en) 2011-03-10
WO2011028265A3 WO2011028265A3 (en) 2011-10-06

Family

ID=43649841

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/US2010/002371 WO2011028265A2 (en) 2009-09-04 2010-08-30 Dynamically switchable, encryption-adaptable and monitored, high speed, high capacity networks, methods, modules and systems, utilizing multiple and variable path transmission and breach detection capabilities
PCT/US2010/002372 WO2011028266A2 (en) 2009-09-04 2010-08-30 Dynamic encryption and breach solution methods, networks, devices, software, apparatus, systems and combinations thereof, for enhancing the security of data transfer using asymmetric public key encryption transmission over networks and other systems

Country Status (1)

Country Link
WO (2) WO2011028265A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3038313A1 (en) * 2014-12-23 2016-06-29 Siemens Aktiengesellschaft Method for transmitting data in an automation system with improved securing of the data against unauthorised spying, electronic device for carrying out the method and automation system with at least one such device
AU2021104109B4 (en) * 2021-07-13 2022-01-27 ZOU, Yuxin MR Encryption signalling network and authentication-link

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030149869A1 (en) * 2002-02-01 2003-08-07 Paul Gleichauf Method and system for securely storing and trasmitting data by applying a one-time pad
US20080240435A1 (en) * 2005-11-17 2008-10-02 Mehmet Utku Celik Perpetual Masking For Secure Watermark Embedding

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3743246B2 (en) * 2000-02-03 2006-02-08 日本電気株式会社 Biometric input device and biometric verification device
US20090060182A1 (en) * 2007-09-04 2009-03-05 Thomas Killian Apparatus and method for enhancing the protection of media content

Also Published As

Publication number Publication date
WO2011028265A3 (en) 2011-10-06
WO2011028266A2 (en) 2011-03-10
WO2011028266A3 (en) 2011-09-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10814071; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase in: Ref country code: DE
122 Ep: pct application non-entry in european phase (Ref document number: 10814071; Country of ref document: EP; Kind code of ref document: A2)