The advent of the local area network (LAN) has greatly extended the power of the computer by providing the freedom of efficient and high-speed communications between host computers and other devices (nodes) within a geographical region. Many buildings and complexes of buildings such as college campuses are now wired for various mixes of LANs, extended LANs, and wide area networks (WANs).
It is not uncommon to see LANs with several hundred or even thousands of nodes. LANs can be used as hops or segments in larger wide area networks, containing many thousands of nodes. Current trends are placing more of the essential services and resources associated with computers on networks where they can be shared by many users. Local area terminal concentrators (LATs) provide flexibility not possible with terminals that are hard-wired to a particular computer.
Local area print servers eliminate the necessity of dedicating a printer to each computer and permit the efficient use of multiple device types by sharing their resources among the computers they serve. Local area file and disk servers permit the shared use of large data bases without the necessity and cost of maintaining multiple copies of the data bases on each computer.
This flexibility and efficiency, however, poses severe security risks not addressed by most local network architectures. Information sent over the network is available to all devices connected to it. For example, when a user logs onto a computer over the network via a terminal concentrator, his password appears in the clear, that is, undisguised, at every node on the network. The same is true of every file transferred to or from a file server and every document printed by a print server. While most nodes will normally receive only packets addressed to them or multicast packets, any node can easily be programmed to receive packets for any other address, send packets claiming to be from any source node, or operate in a "promiscuous" mode and receive all packets.
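The point above is that a node's receive filter is a local policy, not a property of the shared bus: every frame reaches every station, and the station decides what to keep. The following simulation is an added example, not part of the original text, and models this in Python. The MAC addresses, the login dialogue, and the frames are constructed for the demonstration; the `audit` function is a defender-side check that reports which received frames carry a password in the clear.

```python
import struct
from dataclasses import dataclass

# Constructed, locally administered MAC addresses (first octet 0x02 marks them as made up).
HOST = bytes.fromhex("020000000001")          # host computer being logged into
CONCENTRATOR = bytes.fromhex("020000000002")  # terminal concentrator sending the login
BYSTANDER = bytes.fromhex("020000000003")     # unrelated node on the same segment
BROADCAST = bytes.fromhex("ffffffffffff")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet II frame (no FCS) for the simulation."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Split a raw frame into header fields and payload; reject anything shorter than a header."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    return Frame(dst=raw[:6], src=raw[6:12], ethertype=ethertype, payload=raw[14:])


def accepts(frame: Frame, own_mac: bytes, promiscuous: bool = False,
            multicast_groups: frozenset = frozenset()) -> bool:
    """Model the receive filter of a network interface.

    Normal mode keeps frames for the node's own unicast address, the broadcast
    address, and any multicast groups it has joined.  Promiscuous mode keeps every
    frame on the segment: the filter is a local decision, not a property of the bus.
    """
    if promiscuous:
        return True
    if frame.dst in (own_mac, BROADCAST):
        return True
    is_multicast = bool(frame.dst[0] & 0x01)  # group bit of the first address octet
    return is_multicast and frame.dst in multicast_groups


def cleartext_password(frame: Frame):
    """Detection check: return the value following a 'Password:' prompt carried in the
    clear, or None.  The prompt format is a constructed example of a login dialogue."""
    text = frame.payload.decode("ascii", errors="ignore")
    marker = "Password:"
    idx = text.find(marker)
    if idx < 0:
        return None
    return text[idx + len(marker):].split("\r\n", 1)[0].strip() or None


def audit(raw_frames, own_mac: bytes, promiscuous: bool = False):
    """Return (src, dst, password) for every frame this node would receive that leaks a password."""
    leaks = []
    for raw in raw_frames:
        frame = parse_frame(raw)
        if not accepts(frame, own_mac, promiscuous):
            continue
        pw = cleartext_password(frame)
        if pw is not None:
            leaks.append((frame.src.hex(":"), frame.dst.hex(":"), pw))
    return leaks


# Constructed traffic: a terminal-server login to HOST, plus an unrelated broadcast.
SAMPLE_FRAMES = [
    build_frame(HOST, CONCENTRATOR, 0x0800, b"Username: alice\r\n"),
    build_frame(HOST, CONCENTRATOR, 0x0800, b"Password: hunter2\r\n"),
    build_frame(BROADCAST, HOST, 0x0800, b"service announcement"),
]

if __name__ == "__main__":
    for name, mac, promisc in (("host", HOST, False),
                               ("bystander", BYSTANDER, False),
                               ("bystander/promiscuous", BYSTANDER, True)):
        print(name, audit(SAMPLE_FRAMES, mac, promisc))
```

Run as a script, the host and the promiscuous bystander both report the same leaked credential, while the bystander in normal mode reports nothing; the difference is entirely in `accepts`, which is why address filtering alone is not a confidentiality control and why the page turns to encryption on the bus itself.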
While data transmission networks have been designed to include devices such as encryption/decryption units which permit secure handling of data, the devices used in such networks are commonly designed only for point-to-point links. Such devices are specially designed, tend to be complex and expensive, and cannot be applied to a multi-system bus like, for example, "Ethernet."
Specifically, conventional encryption/decryption units for existing networks have included encryption control apparatus specifically designed for use with nodes of only a given transmission bus/local area network combination. The encryption control apparatus have not typically operated external to the encryption/decryption units to control encryption across a transmission bus. The conventional encryption/decryption units have been used in connection with encryption keys, one such encryption key being used for each transmission session between any two points, or nodes in the network.
Given the network-specific design of conventional encryption/decryption devices, such devices have been incapable of generic application to a variety of networks. Also, the use of unique keys to encrypt/decrypt each transmission has required generation and storage of numerous keys and has resulted in the need for complex protocols for generating and utilizing the numerous keys.