Data transferred over a network can be encrypted to protect its confidentiality and integrity. Because many different encryption methods are used, data packets contain an index into a table of structures containing cryptography (crypto) information necessary to indicate to the receiving system how to decrypt the data. The crypto information can be contained in a data structure called a security association (SA). Network interface devices in the transmitting and receiving systems perform crypto operations (e.g., encryption, decryption, authentication) on the data packets based on the crypto information in the SA.
A device driver directs how the network interface devices will perform crypto operations. The device driver stores in system memory a table of crypto information necessary for the network interface devices to perform crypto operations on data packets. The information may also be stored in tables on the devices. These tables can include, for example, unique identifiers for the cryptography data structures, cryptography keys, source addresses, destination addresses, network protocol types, and other information related to crypto operations.
One technique for populating a table of crypto information is for a high level application such as an operating system (OS) to control the process. With this technique, the high level application is responsible for maintaining consistency of the security state between the upper system layers (e.g., OS, high level applications) and the lower system layers (e.g., base drivers, hardware devices) that perform crypto operations. The high level application manages a unique handle that the driver creates for each data structure of crypto information which is passed to the intermediate security layer and/or base driver. All operations on data packets by the intermediate security layer driver and/or network interface device drivers and/or network interface devices references crypto information with the handle. If, for some reason, the network interface device and/or its associated driver is reset, the data in the crypto information tables is lost and the handles must be discarded. The high level application is then responsible for passing the crypto information to the base driver again so that it can repopulate the crypto information tables.
Some operating systems, for example, Windows® 2000 and Windows® XP, both available from Microsoft Corporation, guarantee that the crypto information tables are populated. Thus, if a network interface device and/or its associated device driver is reset, the operating system will pass the crypto information to the base drivers in order to allow the repopulation of the tables contained by the network interface device and/or its associated driver. One shortfall of such a technique is an inefficient use of resources because the entire table is repopulated, even though some of the information may not be used in the future. Another shortfall occurs with dynamic installation or removal of a network interface device; crypto information can be lost, or a device may be unable to acquire the proper security state. Another shortfall is that attempts to store crypto information in a network interface device and its associated driver during reset often fails, which requires repeated tries to store the information and/or failure to store the information.