Conventional security protocols offer data confidentiality (also referred to as “data encryption”) and data integrity (also referred to as “authentication”) to data packets and datagrams being transmitted between interested parties. A packet or datagram may be described as a unit of data that is routed between an origin and a destination, containing addressing information, protocol control information and data. Within the context of the description herein, the transmitted unit of data may be referred to as a packet, a datagram or a frame and is intended to signify a generic block of data.
Data encryption provides confidentiality by using an encryption operation and a secret key to process the original data (also referred to as “plaintext”), transforming it into encrypted data (also referred to as “ciphertext”). A secret key may be described as a piece of data shared between two or more parties when using symmetric key cryptography, or as a private key pertinent to one party with an associated public key available to the data receiving party when using asymmetric key cryptography. The encryption operation does not change the size of the data from the input stream to the output stream, but changes the value of the data. The receiver of the data performs a reverse encryption operation, using the same (symmetric) or a different (asymmetric) secret key, to retrieve the original data. A reverse encryption operation may be described as an operation that performs the same or similar steps of the original encryption operation in a contrary order.
Data integrity provides a mechanism to ensure that a given data stream has not been modified while being transmitted between two entities across some transport medium. This is achieved by performing a data integrity operation on the input stream to determine its integrity. The data integrity operation performs a calculation using a one-way operation such as a hash function, resulting in a Cyclic Redundancy Check (CRC) value or an Integrity Check Value (ICV). The data integrity operation may involve an additional secret key that is input into the calculation to increase security. The result is a computed integrity check value (also referred to as a “checksum”) of a pre-defined length that is technique specific. This integrity check value is traditionally transmitted as an addition to the original data. The receiver of the data performs the same calculation on the data to compute the integrity check value. The computed integrity check value is then compared with the integrity check value transmitted with the data, and, if they match, it is determined that the data was not modified in transit. Existing techniques operating in this manner expand the packet size by transmitting the integrity check value with the data packet.
Data integrity operations have been employed for many years and have had a more notable impact in recent times with the usage of tunneling protocols. A tunneling protocol may be described as a protocol that isolates and preserves a packet and enables the packet to be sent between two points. With current techniques, the integrity check value is carried as additional data within the packet. That is, the addition of the integrity check value expands the packet size as a result of transmitting the integrity check value with the packet. Expansion of the packet size requires dealing with associated overhead on the sending/receiving and intermediate nodes. The expansion may also have implications for the sending/receiving and intermediate nodes in conveying the packet between nodes. These implications are generally associated with handling larger packet sizes, which may result in recalculation of the MTU size for the transmission of the packet or lead to fragmentation of the packet. Finally, additional headers may be needed, and legacy infrastructure components may not be able to recognize the modified frame format, making deployment difficult.
FIG. 1 illustrates a prior art packet 100. The packet 100 includes a header 110 and a payload 130. The header 110 includes an Ethernet field 112, an optional Virtual Local Area Network (VLAN) field 114, an Internet Protocol (IP) field 116, and a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) field 118. The Ethernet field 112 indicates that the Ethernet protocol (IEEE std. 802.3, published Mar. 8, 2002) or Fibre Channel (American National Standards Institute (ANSI) X3.269-199X, Revision 012, Dec. 4, 1995) is being used. The IP field 116 indicates that the Internet Protocol is being used (Internet Engineering Task Force (IETF) Request for Comments (RFC) 791, published September 1981; RFC 2460, published December 1998). The TCP/UDP field 118 indicates whether the Transmission Control Protocol (Transmission Control Protocol DARPA Internet Program Protocol Specification, Request for Comments (RFC) 791 and 793, September 1981) or the User Datagram Protocol (Internet Engineering Task Force (IETF) Request for Comments (RFC) 768, Aug. 28, 1980) is being used. The header information described in FIG. 1 is provided as an example for illustration purposes only and may take a different form in another data exchange. The payload 130 includes a data field 132 for storing data and an Integrity Check Value (ICV) field 134 for storing the integrity check value. In FIG. 1, a data integrity operation is performed on the information in the VLAN field 114, the IP field 116, the TCP/UDP field 118, and the data field 132, which fields are also referred to as an authenticated portion 240 of the packet. For this example, the integrity check value that is calculated by the data integrity operation is stored in the ICV field 134. Also, the data in the data field 132 is an encrypted portion 150 of the packet.
Open Systems Interconnection (OSI) is a standard description for how messages may be transmitted between two points in a network. (International Organization of Standards (ISO), International Telecommunications Union (ITU), Recommendation X.200, July 1994). With OSI, communication between two end points in a network is divided into seven layers, with each layer adding certain functions. When a message is sent originating from Layer 7, the message goes down through the seven layers. When the message is received destined for Layer 7, the message goes up through the seven layers. Layer 3 of the seven layers handles the routing of the data for the network, and Layer 2 of the seven layers provides transmission protocol knowledge.
In a traditional security technique that provides data confidentiality and data integrity services, the data confidentiality service is provided over an upper layer protocol, such as TCP or UDP and associated data, for a Layer 3 technique, unless some form of tunneling is employed. This may extend to the IP header and beyond for a Layer 2 technique. For the Layer 3 technique, data integrity is provided over the entire packet, up to the IP field 116 or TCP/UDP field 118 and may extend up to and include the Ethernet field 112 for a Layer 2 technique. In both cases, the integrity check value is transmitted with the packet, generally at the end of the packet.
In the example of FIG. 1, although the data confidentiality may not add any additional overhead to the packet (depending on the encryption operation employed and associated padding or Initialization Vector (IV) requirements), the integrity check value adds overhead to the packet, resulting in an expansion of the packet size. Padding may be described as adding bits to a packet to meet a pre-defined boundary, required by the technique employed. For encryption, an Initialization Vector is a nonsecret binary vector that is used as the initializing input for the encryption of plaintext.
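As an added example (not code from the original description), the following Python script builds a frame with the FIG. 1 layout (Ethernet, VLAN, IP, TCP, data), applies size-preserving confidentiality to the data field, computes an integrity check value over the authenticated portion (VLAN, IP, TCP/UDP and data, but not the Ethernet field), appends the ICV, and then measures the packet expansion and its effect on an MTU of 1500 bytes. It illustrates both the append-and-verify procedure described earlier and the overhead point made for FIG. 1. All header values, keys, the IV and the data are constructed for the example; the 16-byte HMAC-SHA256 ICV and the counter-mode PRF keystream are assumptions chosen so the script runs with the standard library only, and stand in for whatever cipher and integrity technique a real deployment uses.

```python
"""Added example: FIG. 1 style frame with data confidentiality over the data
field and an appended ICV over the authenticated portion.  Constructed values
throughout; not code from the original description."""
import hashlib
import hmac
import struct

ICV_LEN = 16       # assumed ICV size: HMAC-SHA256 truncated to 16 bytes
MTU = 1500         # assumed IP MTU in bytes, used for the fragmentation check
ETH_LEN = 14       # Ethernet field 112
VLAN_LEN = 4       # VLAN field 114
IP_LEN = 20        # IP field 116 (IPv4, no options)
TCP_LEN = 20       # TCP/UDP field 118 (TCP, no options)


def build_headers(data_len):
    """Constructed headers: Ethernet(14) | VLAN(4) | IPv4(20) | TCP(20)."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x81\x00"  # dst, src, 802.1Q
    vlan = struct.pack("!HH", 100, 0x0800)                          # VLAN 100, then IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + TCP_LEN + data_len,
                     1, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth, vlan, ip, tcp


def keystream(key, iv, length):
    """Stand-in cipher for the example: a PRF in counter mode.  Output length
    equals input length, so the encrypted portion is the same size as the data."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key, auth_key, iv, data):
    """Sender side: encrypt the data field, then compute and append the ICV."""
    eth, vlan, ip, tcp = build_headers(len(data))
    encrypted = xor(data, keystream(enc_key, iv, len(data)))      # encrypted portion 150
    authenticated = vlan + ip + tcp + encrypted                   # authenticated portion
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return eth + authenticated + icv                              # ICV field 134 at the end


def verify_and_decrypt(enc_key, auth_key, iv, packet):
    """Receiver side: recompute the ICV, compare, and only then decrypt.
    Returns the plaintext data, or None if the packet was modified in transit."""
    body, icv = packet[ETH_LEN:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None
    encrypted = body[VLAN_LEN + IP_LEN + TCP_LEN:]
    return xor(encrypted, keystream(enc_key, iv, len(encrypted)))


def overhead(data_len):
    """Bytes the ICV adds to the frame, and whether the protected IP packet
    (IP + TCP + data + ICV) now exceeds the MTU and would need fragmentation."""
    ip_packet_len = IP_LEN + TCP_LEN + data_len + ICV_LEN
    return ICV_LEN, ip_packet_len > MTU


if __name__ == "__main__":
    enc_key, auth_key, iv = b"e" * 32, b"a" * 32, b"\x00" * 12  # constructed
    data = b"hello" * 40                                         # 200 bytes
    pkt = protect(enc_key, auth_key, iv, data)
    print("frame size", len(pkt), "of which ICV", ICV_LEN)
    print("verified:", verify_and_decrypt(enc_key, auth_key, iv, pkt) == data)
    print("1460-byte data fits MTU unprotected; with ICV:", overhead(1460))
```

Flipping any byte inside the VLAN, IP, TCP or data fields makes `verify_and_decrypt` return `None`, while the Ethernet field lies outside the authenticated portion exactly as in FIG. 1. Note that a 1460-byte data field makes a 1500-byte IP packet that fits the MTU before protection but exceeds it once the 16-byte ICV is appended, which is the fragmentation or MTU-recalculation cost the description refers to.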
Thus, there is a need in the art for improved data transmission techniques.