1. Technical Field of the Invention
The present invention relates generally to data communications and in particular to data communication interconnects. Still more particularly, the present invention relates to a circuit for providing secure communication over data communication interconnects and a method of operation thereof.
2. Description of the Related Art
Transmission of data over a network is generally accomplished in one of three forms: multicasting, unicasting or broadcasting. Multicasting is a network service that provides for efficient delivery of data from a source to multiple recipients, i.e., a network multicast group. In multicasting, typically only one copy of the data passes over any link in the network, and copies of the data are made only where the paths diverge. Consequently, multicasting reduces sender transmission overhead and bandwidth requirements, as well as the latency observed by the recipients. Unicasting, on the other hand, provides for delivery of data from a source to only one recipient. The third form of network transmission, broadcasting, involves transmitting data from a source to every recipient connected to the network.
The emergence of electronic network systems, such as the Internet, as forums for a wide variety of transactions and communications has highlighted the need for secure data transfer. These network systems are highly vulnerable to an uninvited "guest" who may have an interest in a private communication or transaction and may attempt to intercept its contents.
Communications and transaction security begins with authentication and encryption. Encryption involves encoding data into an unreadable form to ensure privacy between a sender and a recipient. Cryptography provides the means by which an encrypted message is transmitted from one party to another. The message is encrypted using a mathematical function known as a cryptographic algorithm, which, for security reasons, admits a very large number of possible settings; the particular setting in use is determined by a cryptographic "key." The cryptographic algorithm must be strong enough that an encrypted message cannot be decrypted by an unauthorized party who knows the algorithm but not the key. If both the key and the algorithm are known to an unauthorized party, then that party may decrypt the encrypted message. Typically, the algorithm is known to all, but the key is known only to the intended recipients. Consequently, the security of the encrypted message lies in maintaining the secrecy of the key.
An unencrypted message, i.e., plaintext, is encrypted, i.e., converted to ciphertext, by a sender using a cryptographic system to mathematically alter the plaintext with a cryptographic algorithm and a key. An intended recipient recovers the plaintext by mathematically altering the ciphertext using a cryptographic algorithm and a key in a manner that is the mathematical inverse of the function performed by the sender.
Modern cryptographic systems fall into two categories: symmetric-key cryptosystems and public-key cryptosystems. A symmetric-key cryptosystem is one in which the encryption key and the decryption key are computable from one another (the keys are often the same), so that an agreed-upon secret must be established out of band before secure communication can take place. A public-key cryptosystem is one in which the decryption key cannot feasibly be computed from the encryption key, so that the encryption key can be made public without compromising the security of the system. Having two different keys for encryption and decryption, where knowledge of the encryption key does not betray the decryption key, solves a problem that exists in a symmetric-key system, namely key distribution, and enables the parties to perform additional functions, e.g., electronic key exchange, non-repudiation and message authentication.
Secure data transmission involves controlling access to the data being transmitted. Current approaches to implementing a secure transmission utilize software or device drivers at both ends of the data transmission, i.e., at the sender and at the recipient, to encrypt and decrypt the data. These approaches, however, require that both ends employ the same encryption methodology and that the implementations be fully compatible with one another. Additionally, a substantial performance penalty is introduced, since additional software processing of the data transmission is required at each end.
Accordingly, what is needed in the art is an improved secure data transmission scheme that mitigates the above described limitations.
It is therefore an object of the present invention to provide improved data communications.
It is another object of the present invention to provide a circuit for providing secure communication over a data communication interconnect and a method of operation thereof.
To achieve the foregoing objects, and in accordance with the invention as embodied and broadly described herein, a secure communication circuit for use with a data communication interconnect adapter is disclosed. The secure communication circuit includes a first data buffer coupled to a data input terminal, an encoder/decoder coupled to the first data buffer, a second data buffer coupled to the encoder/decoder, and a switching device coupled to a data output terminal. The switching device is couplable to either the first or the second data buffer, so that either the unprocessed data held in the first data buffer or the encoded/decoded data held in the second data buffer is routed to the data output terminal. A controller, coupled to the switching device, selectively connects the switching device to the first or the second data buffer. In a related embodiment, the secure communication circuit further includes a first serializer/deserializer (SERDES) coupled to the data input and a second SERDES coupled to the switching device.
The present invention introduces a novel secure communication circuit that provides a more time-efficient methodology for encrypting and decrypting data transmissions. The present invention accomplishes this by implementing the encryption and decryption scheme in the secure communication circuit, preferably in hardware external to the sending and receiving devices. The hardware implementation significantly reduces or eliminates the performance degradation encountered by currently employed software implementations.
In one embodiment of the present invention, the data communication interconnect adapter is a Fibre Channel node. It should be noted that in other advantageous embodiments, the data communication interconnect adapters are those employed with other interconnect technologies, such as Gigabit Ethernet and asynchronous transfer mode (ATM). The present invention does not contemplate limiting its practice to any one specific interconnect technology.
In another embodiment, the first SERDES is coupled to a transmit port of the Fibre Channel node. This is the case where the Fibre Channel node is attached to a device that is originating a data transmission. In a related embodiment, the second SERDES is coupled to a receive port of the Fibre Channel node, wherein the attached device is the destination of the data transmission.
In yet another embodiment, the encoder/decoder utilizes a Data Encryption Standard (DES) algorithm. Those skilled in the art should readily appreciate that other encryption algorithms employing symmetric or public keys may also be advantageously utilized in the practice of the present invention.
In another embodiment of the present invention, the first and second data buffers are implemented utilizing registers. Additionally, in a related embodiment, the controller is a state machine.
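The following is an added software model of the data path described in the preceding paragraphs (first data buffer, encoder/decoder, second data buffer, switching device, controller, and a SERDES on each side of the link); it is not code from the patent and makes no claim about how the disclosed hardware is actually built. Because the Python standard library has no DES engine, the encoder/decoder is modelled as a keyed keystream XOR (an assumption, not the DES algorithm the text names), which is self-inverse so the same block encrypts on the transmit side and decrypts on the receive side. The class and function names, the demo key and the 16-byte frame are all constructed for the example.

```python
"""Software model of the secure communication circuit.  Added example, not part
of the patent text.  Assumption: the DES engine is replaced by a keyed keystream
XOR so the model runs on the Python standard library alone."""
import hashlib
import hmac
from enum import Enum

BLOCK = 8  # 64-bit block, the DES block size named in the text
KEY = b"\x01\x23\x45\x67\x89\xab\xcd\xef"  # constructed demo key, shared by both ends


class Path(Enum):
    """State of the switching device, set by the controller (state machine)."""
    FIRST_BUFFER = "bypass"   # switch connected to the first data buffer: raw data forwarded
    SECOND_BUFFER = "secure"  # switch connected to the second data buffer: codec output forwarded


class EncoderDecoder:
    """Symmetric block transform standing in for DES (assumption).  Each block is
    XORed with an HMAC-derived keystream selected by block position, so applying
    the transform twice with the same key and position restores the block."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def transform(self, block: bytes, index: int) -> bytes:
        stream = hmac.new(self._key, index.to_bytes(8, "big"), hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(block, stream[:BLOCK]))


class SecureCommCircuit:
    """One circuit instance sits between a device and its interconnect adapter."""

    def __init__(self, key: bytes) -> None:
        self.codec = EncoderDecoder(key)
        self.first_buffer = b""
        self.second_buffer = b""
        self.path = Path.FIRST_BUFFER  # controller's initial state: pass-through

    def controller(self, path: Path) -> None:
        """Controller input: selects which buffer the switching device connects to."""
        self.path = path

    def process_frame(self, frame: bytes) -> bytes:
        """Clock one frame through the circuit, one block per cycle."""
        if len(frame) % BLOCK:
            raise ValueError("frame length must be a multiple of the block size")
        out = bytearray()
        for i in range(0, len(frame), BLOCK):
            self.first_buffer = frame[i:i + BLOCK]                              # data input -> first buffer
            self.second_buffer = self.codec.transform(self.first_buffer, i // BLOCK)  # codec -> second buffer
            out += self.second_buffer if self.path is Path.SECOND_BUFFER else self.first_buffer
        return bytes(out)


def serialize(data: bytes) -> list[int]:
    """SERDES, transmit direction: parallel bytes to a serial bit stream (MSB first)."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def deserialize(bits: list[int]) -> bytes:
    """SERDES, receive direction: serial bit stream back to parallel bytes."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def transmit(frame: bytes, tx_path: Path, rx_path: Path,
             tx_key: bytes = KEY, rx_key: bytes = KEY) -> bytes:
    """Send one frame from an originating device through its circuit, over the
    serial link, and through the destination device's circuit.  Returns what
    the destination device receives."""
    tx = SecureCommCircuit(tx_key)
    tx.controller(tx_path)
    rx = SecureCommCircuit(rx_key)
    rx.controller(rx_path)
    on_the_wire = serialize(tx.process_frame(frame))
    return rx.process_frame(deserialize(on_the_wire))


if __name__ == "__main__":
    frame = b"FC frame payload"  # constructed 16-byte payload
    print(transmit(frame, Path.SECOND_BUFFER, Path.SECOND_BUFFER))  # plaintext recovered
    print(transmit(frame, Path.SECOND_BUFFER, Path.FIRST_BUFFER))   # raw ciphertext delivered
```

Running `transmit` with both controllers in the secure state returns the original frame; with the receive side left in bypass, or with a different key at either end, the destination device receives the ciphertext unchanged. That is the same interoperability requirement the related-art section raises for software implementations: moving the codec into hardware removes the processing cost, but both ends must still agree on the algorithm, the key and the controller state for each frame. Two further points for anyone extending the model: the keystream here restarts at block 0 for every frame, so identical frames produce identical ciphertext unless a per-frame nonce is mixed in, and DES's 56-bit key is no longer considered adequate, so a present-day build would place a modern block cipher in the same position.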
The foregoing description has outlined, rather broadly, preferred and alternative features of the present invention so that those skilled in the art may better understand the detailed description of the invention that follows. Additional features of the invention will be described hereinafter that form the subject matter of the claims of the invention. Those skilled in the art should appreciate that they can readily use the disclosed conception and specific embodiment as a basis for designing or modifying other structures for carrying out the same purposes of the present invention. Those skilled in the art should also realize that such equivalent constructions do not depart from the spirit and scope of the invention in its broadest form.