Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network
Patent No. 6275588
Abstract
A technique for performing compression, encryption and transmission, and reception, decryption and decompression, respectively, of data communication packages on an area network.
Claims
What is claimed is:
1. A communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit (186) and a transmission and encryption section comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134),
said communication controller further comprising a receiving and decrypting section comprising:
(g) a network receiving controller (140) providing a connection to said network and receiving a received data communication package from said network,
(h) a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package,
(i) a data decompression unit (172) providing decompression of said second section of said received data communication package,
(j) a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit (164),
(k) an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172),
(l) a data write unit (180) connected to said system bus of said host system, supplying said system bus with said received data communication package, and
(m) a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data communication package directly hereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180).
2. The communication controller according to claim 1, said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134).
3. The communication controller according to claim 1, said receiving and decrypting section further comprising a write FIFO (176) receiving said received data communication package from said data receiving control unit (148) in said third mode of operation, receiving said received data communication package from said data decompression unit (172) in said fourth mode of operation and transferring said received data communication package to said data write unit (180), and a receiving FIFO (144) receiving said received data communication package from said network reception control (140) and transferring said data communication package to said data receiving control unit (148).
4. The communication controller according to claim 2, said data compression unit (118) and said data encryption unit (126) being adapted to be operated substantially simultaneously and controlled by said network transmission controller (134) so as to guarantee the continuous supply of bytes from said transmission FIFO (130) to said network transmission controller (134).
5. A communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit (186) and a transmission and encryption section comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134),
said communication controller further comprising a receiving and decrypting section comprising:
(g) a network receiving controller (140) providing a connection to said network and receiving a received data communication package from said network,
(h) a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package,
(i) a data decompression unit (172) providing decompression of said second section of said received data communication package,
(j) a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit (164),
(k) an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172),
(l) a data write unit (180) connected to said system bus of said host system, supplying said system bus with said received data communication package, and
(m) a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data communication package directly hereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180), and said data read transmission control (102) being adapted to monitor the compression and encryption of said part of said input data for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package.
6. The communication controller according to claim 5, said integrity check value calculation unit (122) performing a subtraction, division, multiplication or preferably a summation of the data contained in said second section of said data communication package to be transmitted and adding a first integrity check value to said second section of said data communication package.
7. The communication controller according to claim 5, said data read transmission control unit (102) comprising control means for controlling said first switch means (108) in said two modes of operations.
8. The communication controller according to claim 5, said integrity check value verification unit (122) performing a subtraction, division, multiplication or preferably a summation of the data contained in said second section of a received data communication package obtaining a second integrity check value and comparing said second integrity check value with said first integrity check value contained in said second section of said received data communication package.
9. The communication controller according to claim 5, said data receiving control unit (148) comprising control means for controlling said second switch (154) in said two modes of operations.
10. The communication controller according to claim 5, said data read transmission control unit (102) further enabling communication to said data encryption unit (126) for transferring said transmission encryption key provided by said session key LUT (186) from said data read transmission control unit (102) to said data encryption unit (126).
11. The communication controller according to claim 5, said session key LUT (186) comprising encryption key information updated according to a key management protocol by said host system.
12. The communication controller according to claim 5, said communication controller for receiving and transmitting data communication packages on a network providing interrupt routines for units included in said communication controller, thereby ensuring a continuous data transmission on a network.
13. The communication controller according to claim 5, wherein said communication controller is implemented fully or partly as an integrated circuit applying VLSI, LSI, ASIC, FPGA, PLD techniques or any combinations thereof.
14. The communication controller according to claim 5, wherein said data compression unit (118) adds flag and fragment ID trailing said compressed part of said input data in said second section of said data communication package.
15. The communication controller according to claim 14, wherein said data decompression unit (170) extracts flag and fragment ID trailing said compressed part of input data contained in said second section of said data communication package.
16. The communication controller according to claim 5, said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134).
17. The communication controller according to claim 16, said network transmission controller (134) controlling said transmission FIFO (130) so as to guarantee the continuous supply of bytes from said transmission FIFO (130) to said network transmission controller (134).
18. The communication controller according to claim 5, said receiving and decrypting section further comprising a write FIFO (176) receiving said received data communication package from said data receiving control unit (148) in said third mode of operation, receiving said received data communication package from said data decompression unit (172) in said fourth mode of operation and transferring said received data communication package to said data write unit (180), and a receiving FIFO (144) receiving said received data communication package from said network reception control (140) and transferring said data communication package to said data receiving control unit (148).
19. The communication controller according to claim 5, said data compression unit (118) and said data encryption unit (126) being adapted to be operated substantially simultaneously and controlled by said network transmission controller (134) so as to guarantee the continuous supply of bytes from said transmission FIFO (130) to said network transmission controller (134).
20. A transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit (186), and comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134).
21. The transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134).
22. The transmission and encryption section according to claim 21, said data compression unit (118) and said data encryption unit (126) being adapted to be operated substantially simultaneously and controlled by said network transmission controller (134) so as to guarantee the continuous supply of bytes from said transmission FIFO (130) to said network transmission controller (134).
23. A transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit (186), and comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network,
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134), and said data read transmission control (102) being adapted to monitor the compression and encryption of said part of said input data for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package.
24. The transmission and encryption section according to claim 23, said integrity check value calculation unit (122) performing a subtraction, division, multiplication or preferably a summation of the data contained in said second section of said data communication package to be transmitted and adding a first integrity calculation value to said second section of said data communication package.
25. The transmission and encryption section according to claim 23, said data read transmission control unit (102) comprising control means for controlling said first switch means (108) in said two modes of operations.
26. The transmission and encryption section according to claim 23, said data read transmission control unit (102) further enabling communication to said data encryption unit (126) for transferring said transmission encryption key provided by said session key LUT (186) from said data read transmission control unit (102) to said data encryption unit (126).
27. The transmission and encryption section according to claim 23, said session key LUT (186) comprising encryption key information updated according to a key management protocol by said host system.
28. The transmission and encryption section according to claim 23, said transmission and encryption section for encrypting and transmitting data communication packages on a network providing interrupt routines for units included in said communication controller, thereby ensuring a continuous data transmission on a network.
29. The transmission and encryption section according to claim 23, wherein said communication controller is implemented fully or partly as an integrated circuit applying VLSI, LSI, ASIC, FPGA, PLD techniques or any combinations thereof.
30. The transmission and encryption section according to claim 23, wherein said data compression unit (118) adds flag and fragment ID trailing said compressed part of said input data contained in said second section of said data communication package.
31. The transmission and encryption section according to claim 23 further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134).
32. The transmission and encryption section according to claim 31, said network transmission controller (134) controlling said transmission FIFO (130) so as to guarantee the continuous supply of bytes from said transmission FIFO (130) to said network transmission controller (134).
33. A network controller of a communication controller comprising means for producing a data communication package comprising a non-encrypted first section including a clear header, and an encrypted second section including a protected header, a data section, a fragment ID, flags, padding and an ICV.
34. The network controller of a communication controller according to claim 33, wherein said network controller further comprises means for producing the data communication package wherein the data section comprises compressed data, end of data, padding and uncompressed data.
35. A data communication package comprising a data section including compressed data and uncompressed data.
36. The data communication package according to claim 35, said data section being included in an encrypted section of said data communication package.
37. The data communication package according to claim 35, further comprising a non-encrypted section preceding said encrypted section.
38. The data communication package according to claim 35, said encrypted section further including a protected header, a fragment ID, flags, padding and an ICV.
39. The data communication package according to claim 35, said data section further including end of data and padding following said compressed data and preceding said uncompressed data.
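As an added example that is not the patent's own implementation, the following Python models the package layout of claims 33-39 and the compress, ICV, encrypt series of claim 1 (with its mirror on reception, claims 8 and 15), including the claim 5 check that the compressed part fits the second section. The field sizes, the fixed 64-byte second section, the per-package nonce carried in the clear header and the SHA-256 counter-mode keystream used in place of the unspecified cipher are all assumptions.

```python
# Added example, not code from the patent: a software model of the package layout in
# claims 33-39 and of the compress -> ICV -> encrypt series (claim 1(d)) with its
# mirror decrypt -> verify -> decompress (claim 1(k)). Field sizes, the fixed
# second-section capacity, the 8-byte nonce and the SHA-256 keystream are assumptions.
import hashlib
import struct
import zlib

SECOND_SECTION_CAPACITY = 64          # constructed: fixed size of the encrypted section
CLEAR_HDR = struct.Struct(">BB8s")    # clear header: session key id, mode, nonce (constructed)
PROT_HDR = struct.Struct(">HH")       # protected header: compressed length, uncompressed length
TRAILER = struct.Struct(">BB")        # fragment ID, flags
ICV_LEN = 4
END_OF_DATA = b"\xff"
FLAG_COMPRESSED = 0x01
MODE_BYPASS, MODE_PROTECT = 0, 1      # first/third mode vs second/fourth mode of claim 1

# Claim 1: the session key LUT (186) maps a key id to the session key. Constructed key.
SESSION_KEY_LUT = {7: b"constructed-session-key-for-id-7"}
# Payload bytes that fit the data section, allowing worst-case 3 bytes of inner padding.
DATA_BUDGET = (SECOND_SECTION_CAPACITY - PROT_HDR.size - len(END_OF_DATA) - 3
               - TRAILER.size - ICV_LEN)

def _keystream(key, nonce, length):
    """Stand-in cipher (SHA-256 in counter mode); the patent names no cipher.
    A real design uses a vetted cipher and never reuses a (key, nonce) pair."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def summation_icv(section):
    """Claim 6: a summation over the second section, reduced modulo 2**32 here. A plain
    sum catches accidental corruption only (it cannot see two bytes swapped); the keyed
    ICV of claim 41 is what resists deliberate tampering."""
    return sum(section) & 0xFFFFFFFF

def build_data_section(payload):
    """Claim 5 monitoring, simplified: compress the payload and keep the result only if
    it fits the second section; otherwise carry it as uncompressed data (claims 34/35).
    Returns (compressed, uncompressed, flags)."""
    compressed = zlib.compress(payload, 9)
    if len(compressed) <= DATA_BUDGET:
        return compressed, b"", FLAG_COMPRESSED
    if len(payload) > DATA_BUDGET:
        raise ValueError("payload exceeds the second-section capacity; fragment it")
    return b"", payload, 0

def transmit(payload, key_id, fragment_id, nonce, protect=True):
    """Transmission section of claim 1. With protect=False the first switch means (108)
    bypasses the series configuration and the payload goes out unchanged."""
    if not protect:
        return CLEAR_HDR.pack(key_id, MODE_BYPASS, nonce) + payload
    compressed, tail, flags = build_data_section(payload)               # unit (118)
    inner_pad = b"\x00" * ((-(len(compressed) + len(END_OF_DATA))) % 4)
    data_section = compressed + END_OF_DATA + inner_pad + tail
    body = PROT_HDR.pack(len(compressed), len(tail)) + data_section
    body += TRAILER.pack(fragment_id, flags)
    body += b"\x00" * (SECOND_SECTION_CAPACITY - ICV_LEN - len(body))   # padding before ICV
    second = body + struct.pack(">I", summation_icv(body))              # unit (122)
    second = _xor(second, _keystream(SESSION_KEY_LUT[key_id], nonce, len(second)))  # unit (126)
    return CLEAR_HDR.pack(key_id, MODE_PROTECT, nonce) + second

def receive(package):
    """Receiving section of claim 1: decrypt, verify the ICV, then decompress."""
    key_id, mode, nonce = CLEAR_HDR.unpack_from(package)
    second = package[CLEAR_HDR.size:]
    if mode == MODE_BYPASS:                                              # third mode
        return second
    second = _xor(second, _keystream(SESSION_KEY_LUT[key_id], nonce, len(second)))  # unit (164)
    body, icv = second[:-ICV_LEN], struct.unpack(">I", second[-ICV_LEN:])[0]
    if summation_icv(body) != icv:                                       # unit (168), claim 8
        raise ValueError("ICV mismatch: package corrupted or wrong session key")
    clen, ulen = PROT_HDR.unpack_from(body)
    pos = PROT_HDR.size
    compressed = body[pos:pos + clen]
    pos += clen
    if body[pos:pos + len(END_OF_DATA)] != END_OF_DATA:
        raise ValueError("end-of-data marker missing")
    pos += len(END_OF_DATA) + (-(clen + len(END_OF_DATA))) % 4
    tail = body[pos:pos + ulen]
    _fragment_id, flags = TRAILER.unpack_from(body, pos + ulen)
    head = zlib.decompress(compressed) if flags & FLAG_COMPRESSED else b""  # unit (172)
    return head + tail

# Constructed sample inputs: a highly compressible payload and an incompressible one.
SAMPLE_COMPRESSIBLE = b"A" * 200
SAMPLE_INCOMPRESSIBLE = hashlib.sha256(b"x").digest() + hashlib.sha256(b"y").digest()[:18]
SAMPLE_NONCE = b"nonce-01"
```

Running `receive(transmit(SAMPLE_COMPRESSIBLE, 7, 1, SAMPLE_NONCE))` returns the original 200 bytes from a 74-byte package, while the 50-byte incompressible sample travels in the uncompressed part with the compressed flag cleared.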
40. A communication controller chip for performing data encryption and data decryption of a multiplicity of data communication packages to be transferred in a network such as LAN (local area network) or WAN (wide area network) and including a plurality of processing units, each of said multiplicity of data communication packages containing a first section of non-encrypted data and a second section containing encrypted data and each of said multiplicity of data communication packages having an associated processing descriptor defining source, destination, process configuration of said plurality of processing units and processing of said data communication package, and said communication controller chip comprising:
(a) a bridge unit (86) connecting said communication controller through a bus (85) to a central processing unit (CPU) or a host,
(b) a random access memory RAM (82) for keys, processing descriptors and for temporary storage of data,
(c) a data transmission control unit (88) for providing access for said CPU to information regarding general configuration of said communication controller,
(d) an in-queue unit (90a) comprising a plurality of queues for pointers referencing processing descriptors for data communication packages in said RAM (82) to be processed by said plurality of processing units,
(e) an out-queue unit (90b) comprising a go-queue of pointers referencing processing descriptors for data communication packages in RAM (82) to be processed by a plurality of processing units, which process is monitored and analysed by said CPU or host system so as to establish if further processing is required, and said out-queue unit (90b) comprising a complete-queue of pointers referencing processing descriptors for data communication packages in said RAM (82) having completed processing in accordance with requirements of said CPU or host system,
(f) a decompression processing unit (92a) included in said plurality of processing units providing decompression of compressed data of said second section of said data communication packages thereby producing decompressed data in said RAM (82) or memory of said host in accordance with processing descriptors associated with said data communication packages,
(g) a compression processing unit (92b) providing compression of said second section of said outgoing data communication packages thereby producing compressed data in said RAM (82) or memory of said host in accordance with processing descriptors associated with said data communication packages,
(h) a decryption processing unit (94a) providing a decryption of said second section of a data communication package according to a reception decryption key provided in a decryption key space of said RAM (82), said decryption key space being referenced by a key pointer included in said processing descriptors, and said decryption processing unit (94a) providing generation of said second section of said data communication package,
(i) an encryption processing unit (94b) providing an encryption of said second section of a data communication package according to a transmission encryption key provided in an encryption key space of said RAM (82), said encryption key space being referenced by said key pointer of said processing descriptors, and said encryption processing unit (94b) providing generation of said second section of said outgoing data communication package,
(j) a bus designated as first in first out (FIFO) bus (80) enabling communication between said bridge unit (86), said RAM (82), said data transmission control unit (88), said in-queue unit (90a), said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b) and said decryption processing unit (94a), and
(k) a management bus (84) providing signaling and configuration between said data transmission control unit (88), said in-queue unit (90a), said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b) and said decryption processing unit (94a),
said communication controller allowing for parallel processing of said multiplicity of said data communication packages to be performed in any arbitrary order in accordance with said processing descriptors in RAM (82).
41. The communication controller chip according to claim 40, wherein said communication controller further comprises:
(l) a first authentication processing unit (96a) providing calculation of an integrity check value (ICV) to be included in an outgoing data communication package, said calculation utilising an ICV key provided in an ICV key space of said RAM (82), said ICV key space being referenced by said processing descriptors,
(m) a second authentication processing unit (96b) providing verification of an ICV to be extracted from an incoming data communication package, said calculation utilising an ICV key provided in said ICV key space of said RAM (82), said ICV key space being referenced by said processing descriptors,
(n) a receiving media access control unit (98a) (RX-MAC) constituting an address filter for said communication controller and providing a receiving gate for said network, said receiving media access control unit (98a) filtering all data communication packages on said network and communicating incoming data communication packages to an incoming data communication package space in said RAM (82), said receiving media access control unit (98a) simultaneously generating a processing descriptor for every incoming data communication package, said processing descriptor including a start address of the associated incoming data communication package in an incoming data communication package space in said RAM (82), said receiving media access control unit (98a) communicating said processing descriptor to said in-queue unit (90a), and said receiving media access control unit (98a) communicating an end address of said incoming data communication package space in said processing descriptor at completion of reception of said incoming data communication package, and
(o) a transmitting media access control unit (98b) (TX-MAC) providing a transmitting gate for said communication controller on said network and performing a transmission on said network of outgoing data communication packages identified by said processing descriptors in said RAM (82), said transmitting media access control unit (98b) performing evaluation of length of said outgoing data communication package and writing said length in said first section of said outgoing data communication package, and said transmitting media access control unit (98b) communicating said processing descriptors to said complete queue of said out-queue on completion of transmission of said data communication package.
42. The communication controller chip according to claim 41, wherein said first in first out (FIFO) bus (80) further enables communication between said bridge unit (86), said RAM (82), said data transmission control unit (88), said in-queue unit (90a), said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b), said decryption processing unit (94a), said first authentication processing unit (96a), said second authentication processing unit (96b), said receiving media access control unit (98a), and said transmitting media access control unit (98b).
43. The communication controller chip according to claim 41, wherein said communication controller chip further comprises an additional part similar to a communication controller chip for performing data encryption and data decryption of a multiplicity of data communication packages to be transferred in a network such as LAN (local area network) or WAN (wide area network) and including a plurality of processing units, each of said multiplicity of data communication packages containing a first section of non-encrypted data and a second section containing encrypted data and each of said multiplicity of data communication packages having an associated processing descriptor defining source, destination, process configuration of said plurality of processing units and processing of said data communication package, and said communication controller chip comprising:
(a) a bridge unit (86) connecting said communication controller through a bus (85) to a central process unit (CPU) or a host,
(b) a random access memory RAM (82) for keys, processing descriptors and for temporary storage of data,
(c) a data transmission control unit (88) for providing access for said CPU to information regarding general configuration of said communication controller,
(d) an in-queue unit (90a) comprising a plurality of queues for pointers referencing processing descriptors for data communication packages in said RAM (82) to be processed by said plurality of processing units,
(e) an out-queue unit (90b) comprising a go-queue of pointers referencing processing descriptors for data communication packages in RAM (82) to be processed by a plurality of processing units, which process is monitored and analyzed by said CPU or host system so as to establish if further processing is required, and said out-queue unit (90b) comprising a complete-queue of pointers referencing processing descriptors for data communication packages in said RAM (82) having completed processing in accordance with requirements of said CPU or host system,
(f) a decompression processing unit (92a) included in said plurality of processing units providing decompression of compressed data of said second section of said data communication packages thereby producing decompressed data in said RAM (82) or memory of said host in accordance with processing descriptors associated with said data communication packages,
(g) a compression processing unit (92b) providing compression of said second section of said outgoing data communication packages thereby producing compressed data in said RAM (82) or memory of said host in accordance with processing descriptors associated with said data communication packages,
(h) a decryption processing unit (94a) providing a decryption of said second section of a data communication package according to a reception decryption key provided in a decryption key space of said RAM (82), said decryption key space being referenced by a key pointer included in said processing descriptors, and said decryption processing unit (94a) providing generation of said second section of said data communication package,
(i) an encryption processing unit (94b) providing an encryption of said second section of a data communication package according to a transmission encryption key provided in an encryption key space of said RAM (82), said encryption key space being referenced by said key pointer of said processing descriptors, and said encryption processing unit (94b) providing generation of said second section of said outgoing data communication package,
(j) a bus designated as first in first out (FIFO) bus (80) enabling communication between said bridge unit (86), said RAM (82), said data transmission control unit (88), said in-queue unit (90a) said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b) and said decryption processing unit (94a) and
(k) a management bus (84) providing signaling and configuration between said data transmission control unit (88), said in-queue unit (90a), said out-queue unit (90b), said compressing processing unit (92b), said decompression processing unit (92a), said encryption processing unit (94b) and said decryption processing unit (94a),
said communication controller allowing for parallel processing of said multiplicity of said data communication packages to be performed in any arbitrary order in accordance with said processing descriptors in RAM (82), said communication controller further comprising:
(l) a first authentication processing unit (96a) providing calculation of an integrity check value (ICV) to be included in an outgoing data communication package, said calculation utilizing an ICV key provided in an ICV key space of said RAM (82), said ICV key space being referenced by said processing descriptors,
(m) a second authentication processing unit (96b) providing verification of an ICV to be extracted from an incoming data communication package, said calculation utilizing an ICV key provided in said ICV key space of said RAM (82), said ICV key space being referenced by said processing descriptors,
(n) a receiving media access control unit (98a) (RX-MAC) constituting an address filter for said communication controller and providing a receiving gate for said network, said receiving media access control unit (98a) filtering all data communication packages on said network and communicating incoming data communication packages to an incoming data communication package space in said RAM (82), said receiving media access control unit (98a) simultaneously generating a processing descriptor for every incoming data communication package, said processing descriptor including a start address of associated incoming data communication package in an incoming data communication package space in said RAM (82), said receiving media access control unit (98a) communicating said processing descriptor to said in-queue unit (90a), and said receiving media access control unit (98a) communicating an end address of said incoming data communication package space in said processing descriptor at completion of reception of said incoming data communication package, and
(o) a transmitting media access control unit (98b) (TX-MAC) providing a transmitting gate for said communication controller on said network and performing a transmission on said network of outgoing data communication packages identified by said processing descriptors in said RAM (82), said transmitting media access control unit (98b) performing evaluation of length of said outgoing data communication package and writing said length in said first section of said outgoing data communication package, and said transmitting media access control unit (98b) communicating said processing descriptors to said complete queue of said out-queue on completion of transmission of said data communication package, and
said communication controller separately including the features (a) to (o) enabling parallel transmission and reception of said data communication packages on a LAN and/or a WAN.
44. The communication controller chip according to claim 40, wherein said management bus (84) further providing signaling and configuration for said first authentication processing unit (96a), said second authentication processing unit (96b), said receiving media access control unit (98a), and said transmitting media access control unit (98b).
45. The communication controller chip according to claim 40, wherein said compressing processing unit (92b) has a maximum allowable space on said RAM (82) for compressed data included in said second section of said outgoing data communication package.
46. The communication controller chip according to claim 40, wherein said decompressing processing unit (92a) has a maximum allowable space on said RAM (82) for decompressed data included in said second section of said incoming data communication packages to be communicated to said CPU or said host.
47. The communication controller chip according to claim 40, wherein said RAM (82) is constituted by SRAM, DRAM, or SDRAM or any combinations thereof.
48. The communication controller chip according to claim 40, wherein said compression processing unit (92b) may be configured to detect compression efficiency and in accordance to said compression efficiency continue compression of data or disengage further compression.
49. The communication controller chip according to claim 48, wherein said communication controller chip is implemented in a single housing or in two or more housings.
50. A communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit (186) and a transmission and encryption section comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly thereto, and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134),
said communication controller further comprising a receiving and decrypting section comprising:
(g) a network receiving controller (140) providing a connection to said network and receiving a received data communication package from said network,
(h) a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package,
(i) a data decompression unit (172) providing decompression of said second section of said received data communication package,
(j) a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit (164),
(k) an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172),
(l) a data write unit (180) connected to said system bus of said host system, supplying said system bus with said received data communication package, and
(m) a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data communication package directly thereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180), and
said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134), and said data compression unit (118) comprising two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO (130) and said data compression unit (118) being notified by said network transmission controller (134) in case said amount of accumulated data in said transmission FIFO (130) is less than a predetermined value, hence activating said low compression mode of operation.
51. A communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit (186) and a transmission and encryption section comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly thereto, and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134),
said communication controller further comprising a receiving and decrypting section comprising:
(g) a network receiving controller (140) providing a connection to said network and receiving a received data communication package from said network,
(h) a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package,
(i) a data decompression unit (172) providing decompression of said second section of said received data communication package,
(j) a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit (164),
(k) an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172),
(l) a data write unit (180) connected to said system bus of said host system, supplying said system bus with said received data communication package, and
(m) a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data communication package directly thereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180), and
said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134), said data read transmission control unit (102) being adapted to monitor the compression and encryption of said part of said input data for determining whether or not said part of said input data exceeds the amount of data containable within said second section of said data communication package, and said data compression unit (118) comprising two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO (130) and said data compression unit (118) being notified by said network transmission controller (134) in case said amount of accumulated data in said transmission FIFO (130) is less than a predetermined value, hence activating said low compression mode of operation.
52. The transmission and encryption section according to claim 51, said data compression unit (118) and said data encryption unit (126) being adapted to be operated substantially simultaneously and controlled by said network transmission controller (134) so as to guarantee the continuous supply of bytes from said transmission FIFO (130) to said network transmission controller (134).
53. A transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit (186), and comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly thereto, and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134), and
said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134), and said data compression unit (118) comprising two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO (130) and said data compression unit (118) being notified by said network transmission controller (134) in case said amount of accumulated data in said transmission FIFO (130) is less than a predetermined value, hence activating said low compression mode of operation.
54. A transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit (186), and comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly thereto, and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134), said transmission and encryption section further comprising a transmission FIFO (130) (first in first out storage means) constituting an input section of said network transmission controller (134), said data read transmission control unit (102) being adapted to monitor the compression and encryption of said part of said input data for determining whether or not said part of said input data exceeds the amount of data containable within said second section of said data communication package, and said data compression unit (118) comprising two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO (130) and said data compression unit (118) being notified by said network transmission controller (134) in case said amount of accumulated data in said transmission FIFO (130) is less than a predetermined value, hence activating said low compression mode of operation.
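Worked example (added here; it is not part of the patent, its claims, or any implementation of them): a software model of the transmit series configuration of claims 50 to 54 (compression, then integrity check value calculation, then encryption, with the first switch means selecting the bypass mode) and of the corresponding receive chain (decryption, then ICV verification, then decompression), together with the separate encryption and ICV key spaces selected by a key pointer as in claim 43, the maximum allowable decompression space of claim 46, the FIFO-level-driven high/low compression mode of claims 50 and 53, and the second-section capacity check of claims 51 and 54. The first-section field layout, the use of zlib for compression, HMAC-SHA256 as the ICV function (the claims leave the ICV function open), the SHA-256 counter-mode keystream standing in for the hardware cipher, and all constants and key values are assumptions of this example, not features recited in the patent.

```python
"""Model of the claimed transmit chain (compress -> ICV -> encrypt, or bypass)
and receive chain (decrypt -> verify ICV -> decompress, or bypass).
Added example; framing, cipher and ICV function are this example's assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import struct
import zlib
from dataclasses import dataclass

# Assumed layout of the non-encrypted first section: total length (the value
# the TX-MAC writes), flags, key pointer into the key spaces, 8-byte nonce.
HDR = struct.Struct(">HBH8s")
FLAG_PIPELINE = 0x01          # set when the second section went through the series configuration
ICV_LEN = 32                  # HMAC-SHA256 output, the assumed ICV function
SECOND_SECTION_MAX = 1500     # assumed capacity of the second section
FIFO_LOW_WATER = 256          # assumed "predetermined value" for the transmission FIFO

# Separate encryption and ICV key spaces, both indexed by the descriptor's key pointer.
ENC_KEYS = {1: b"\x11" * 32, 2: b"\x22" * 32}
ICV_KEYS = {1: b"\xa1" * 32, 2: b"\xa2" * 32}


@dataclass
class Descriptor:
    """Processing descriptor for one package: key pointer, mode, decompression budget."""
    key_ptr: int
    pipeline: bool = True         # False selects the bypass mode of the switch means
    max_decompressed: int = 4096  # maximum allowable RAM space for decompressed data


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream built from SHA-256, standing in for the hardware
    cipher. Symmetric: the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def compress_adaptive(data: bytes, fifo_level: int) -> tuple[bytes, str]:
    """High compression mode while the TX FIFO holds enough bytes; the cheaper
    low mode once the FIFO falls below the low-water mark, so the network
    transmission controller is not starved of bytes."""
    if fifo_level < FIFO_LOW_WATER:
        return zlib.compress(data, 1), "low"
    return zlib.compress(data, 9), "high"


def transmit(payload: bytes, desc: Descriptor, fifo_level: int = 1024) -> bytes:
    """Build one outgoing package. Raises ValueError when the processed data
    would not fit the second section (the condition the data read transmission
    control unit is claimed to monitor)."""
    nonce = os.urandom(8)
    if desc.pipeline:
        compressed, _mode = compress_adaptive(payload, fifo_level)
        icv = hmac.new(ICV_KEYS[desc.key_ptr], compressed, hashlib.sha256).digest()
        second = keystream_xor(ENC_KEYS[desc.key_ptr], nonce, compressed + icv)
    else:
        second = payload                      # bypass: no compression, ICV or encryption
    if len(second) > SECOND_SECTION_MAX:
        raise ValueError("second section capacity exceeded; fragmentation required")
    flags = FLAG_PIPELINE if desc.pipeline else 0
    return HDR.pack(HDR.size + len(second), flags, desc.key_ptr, nonce) + second


def receive(package: bytes, desc: Descriptor) -> bytes:
    """Process one incoming package: decrypt, verify the ICV, then decompress
    within the descriptor's budget. Raises ValueError on any rejection."""
    if len(package) < HDR.size:
        raise ValueError("package shorter than first section")
    length, flags, key_ptr, nonce = HDR.unpack_from(package)
    if length != len(package):
        raise ValueError("length in first section does not match package")
    second = package[HDR.size:]
    if not flags & FLAG_PIPELINE:
        return second                         # bypass: delivered as received
    if key_ptr not in ENC_KEYS or key_ptr not in ICV_KEYS:
        raise ValueError("unknown key pointer")
    if len(second) < ICV_LEN:
        raise ValueError("second section too short to carry an ICV")
    plain = keystream_xor(ENC_KEYS[key_ptr], nonce, second)
    compressed, icv = plain[:-ICV_LEN], plain[-ICV_LEN:]
    expected = hmac.new(ICV_KEYS[key_ptr], compressed, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV verification failed")   # never reaches the decompression unit
    dec = zlib.decompressobj()
    out = dec.decompress(compressed, desc.max_decompressed)
    if dec.unconsumed_tail or not dec.eof:
        raise ValueError("decompressed data exceeds maximum allowable space")
    return out


def process_incoming(package: bytes, desc: Descriptor) -> tuple[str, bytes]:
    """Queue-style outcome: ("complete", data) or ("rejected: <reason>", b"")."""
    try:
        return "complete", receive(package, desc)
    except ValueError as exc:
        return f"rejected: {exc}", b""


if __name__ == "__main__":
    d = Descriptor(key_ptr=1)
    pkg = transmit(b"A" * 3000, d)
    print(len(pkg), process_incoming(pkg, d)[0])
    print(process_incoming(pkg, Descriptor(key_ptr=1, max_decompressed=1000))[0])
```

Two points of the claimed ordering are visible in the model: because verification sits between decryption and decompression, a package whose ICV fails is dropped before any decompression work is done, and the per-descriptor decompression budget bounds what a correctly authenticated but hostile package can expand to in RAM. The chain as claimed authenticates the compressed plaintext and then encrypts it (MAC-then-encrypt); an implementation free to choose its own construction would normally authenticate the ciphertext instead.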
55. A method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means intercommunicating through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising:
(a) receiving input data from a system bus of a host system by means of said data read transmission control means connected to said session key storage means, providing a transmission encryption key for said data communication package by means of said session key storage means,
(b) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package by means of said data compressing means,
(c) providing an encryption by means of said data encryption means, according to said transmission encryption key transferred from said session key storage means, of said second section of said data communication package transferred from said data compressing means,
(d) supplying said data communication package to said network in a transmission rate determined by said controller means for network transmission and said network by means of a connection to said network from a controller means for network transmission, and
(e) switching by means of a first switching means between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control means and said controller means for network transmission and transferring said input data directly thereto, and a second mode of operation enabling communication between said data read transmission control means through said first series configuration to said controller means for network transmission, and
further comprising monitoring the compression and encrypting of said part of said input data by means of said data read transmission control means for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package.
56. The method for transmitting and encrypting according to claim 55, further comprising constituting an input section of said controller means for network transmission by means of a transmission FIFO means (first in first out storage means).
57. The method for transmitting and encrypting according to claim 56, further comprising controlling said transmission FIFO means by means of said controller means for network transmission so as to guarantee the continuous supply of bytes from said transmission FIFO means to said controller means for network transmission.
58. A method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means intercommunicating through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising:
(a) receiving input data from a system bus of a host system by means of said data read transmission control means connected to said session key storage means, providing a transmission encryption key for said data communication package by means of said session key storage means,
(b) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package by means of said data compressing means,
(c) providing an encryption by means of said data encryption means, according to said transmission encryption key transferred from said session key storage means, of said second section of said data communication package transferred from said data compressing means,
(d) supplying said data communication package to said network in a transmission rate determined by said controller means for network transmission and said network by means of a connection to said network from a controller means for network transmission, and
(e) switching by means of a first switching means between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control means and said controller means for network transmission and transferring said input data directly thereto, and a second mode of operation enabling communication between said data read transmission control means through said first series configuration to said controller means for network transmission.
59. The method for transmitting and encrypting according to claim 58, further comprising constituting an input section of said controller means for network transmission by means of a transmission FIFO means (first in first out storage means).
60. The method for transmitting and encrypting according to claim 59, further comprising substantially simultaneously operating said data compression means and said data encryption means, and controlling by said controller means for network transmission so as to guarantee the continuous supply of bytes from said transmission FIFO means to said controller means for network transmission.
61. The method for transmitting and encrypting according to claim 55, further comprising performing a subtraction, division, multiplication or preferably a summation of the data contained in said second section of said data communication package to be transmitted and adding a first integrity calculation value to said second section of said data communication package by means of said integrity check value calculation means.
62. The method for transmitting and encrypting according to claim 55, further comprising controlling said first switching means in said two modes of operations by means of said data read transmission control means.
63. The method for transmitting and encrypting according to claim 55, further comprising transferring said transmission encryption key provided by said session key storage means from said data read transmission control means to said data encryption means by means of a connection means.
64. The method for transmitting and encrypting according to claim 55, further comprising providing interrupt routines for units included in said communication controller hereby ensuring a continuous data transmission on said network by means of said controller means for network transmission.
65. The method for transmitting and encrypting according to claim 55, further comprising adding flag and fragment ID trailing said compressed part of said input data contained in said second section of said data communication package by means of said data compression means.
66. The method for transmitting and encrypting according to claim 55, said communication controller further comprising receiving means, a data writing means, a data decompressing means, a data decryption means, a data receiving control means and an integrity check value verification means constituting a second series configuration from said data decryption means intercommunicating through said integrity check value verification means to said data decompression means, comprising:
(f) providing a connection to said network and receiving a received data communication package from said network by means of controller means for network reception,
(g) receiving said received data communication package through a communication between said controller means for network reception and communicating to said session key storage means by means of a data receiving control means, providing a reception encryption key for said data communication package by means of said session key storage means,
(h) providing a decryption of said second section of said received data communication package according to said reception encryption key transferred from said session key storage means and providing a decrypted second section of said received data communication package by means of a data decryption means,
(i) providing decompression of a compressed part of said decrypted second section of said received data communication package and providing a decompressed part in said second section of said received data communication package instead of said compressed part in said second section of said data communication package by means of a data decompression means,
(j) supplying said system bus of said host system with received data communication package by means of said data writing means, and
(k) switching by means of a second switching means enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control means and said data writing means and transferring said received input data directly hereto, and a fourth mode of operation enabling communication between said data receiving control means through said second series configuration to said data writing means.
67. The method for transmitting and encrypting according to claim 66, further comprising receiving said received data communication package from said data receiving control means in said third mode of operation, receiving said received data communication package from said data decompression means in said fourth mode of operation and transferring said received data communication package to said data writing means by means of a write FIFO means, and receiving said received data communication package from said control means for network reception and transferring said data communication package to said data receiving control means by means of a receiving FIFO means.
68. The method for transmitting and encrypting according to claim 66, further comprising performing a subtraction, division, multiplication or preferably a summation of the data contained in said second section of a received data communication package, obtaining a second integrity check value and comparing said second integrity check value with said first integrity check value contained in said received data communication package by means of said integrity check value verification means.
69. The method for transmitting and encrypting according to claim 66, further comprising controlling said second switching means in said two modes of operations by means of said data receiving control means.
70. The method for transmitting and encrypting according to claim 66, further comprising providing interrupt routines for units included in said communication controller hereby ensuring a continuous data transmission on said network by means of said receiving means for receiving said data communication packages on said network.
71. The method for transmitting and encrypting according to claim 66, further comprising extracting flag and fragment ID trailing said compressed part of said decrypted second section of said received data communication package by means of said data decompression means.
72. The method for transmitting and encrypting according to claim 55, further comprising updating encryption key information in said session key storage means according to a key management protocol by said host system.
73. The method for transmitting and encrypting according to claim 55, further comprising substantially simultaneously operating said data compression means and said data encryption means, and controlling by said controller means for network transmission so as to guarantee the continuous supply of bytes from said transmission FIFO means to said controller means for network transmission.
74. A method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means intercommunicating through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising:
(a) receiving input data from a system bus of a host system by means of said data read transmission control means connected to said session key storage means, providing a transmission encryption key for said data communication package by means of said session key storage means,
(b) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package by means of said data compressing means,
(c) providing an encryption by means of said data encryption means, according to said transmission encryption key transferred from said session key storage means, of said second section of said data communication package transferred from said data compressing means,
(d) supplying said data communication package to said network in a transmission rate determined by said controller means for network transmission and said network by means of a connection to said network from a controller means for network transmission,
(e) switching by means of a first switching means between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control means and said controller means for network transmission and transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control means through said first series configuration to said controller means for network transmission, constituting an input section of said controller means for network transmission by means of a transmission FIFO means (first in first out storage means), and operating said data compression means in two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO means and said data compression means being notified by said controller means for network transmission in case of said amount of accumulated data in said transmission FIFO means is less than a predetermined value hence activating said low compression mode of operation.
75. A method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means intercommunicating through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising:
(a) receiving input data from a system bus of a host system by means of said data read transmission control means connected to said session key storage means, providing a transmission encryption key for said data communication package by means of said session key storage means,
(b) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package by means of said data compressing means,
(c) providing an encryption by means of said data encryption means, according to said transmission encryption key transferred from said session key storage means, of said second section of said data communication package transferred from said data compressing means,
(d) supplying said data communication package to said network in a transmission rate determined by said controller means for network transmission and said network by means of a connection to said network from a controller means for network transmission,
(e) switching by means of a first switching means between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control means and said controller means for network transmission and transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control means through said first series configuration to said controller means for network transmission,
(f) constituting an input section of said controller means for network transmission by means of a transmission FIFO means (first in first out storage means), and monitoring the compression and encrypting of said part of said input data by means of said data read transmission control means for determining whether or not said part of said input data exceeds the amount of data containable within said second section of data communication package, and operating said data compression means in two modes of operation, a high compression mode of operation handling compression of said part of said input data substantially simultaneously to transmission of said data communication package, and a low compression mode of operation applying a reduced compression efficiency to said compression substantially simultaneously to transmission of said data communication package, said high compression mode of operation operating according to an amount of accumulated data in said transmission FIFO means and said data compression means being notified by said controller means for network transmission in case of said amount of accumulated data in said transmission FIFO means is less than a predetermined value hence activating said low compression mode of operation.
Description
The present invention generally relates to a technique for performing compression, encryption and transmission, and reception, decryption and decompression, respectively, of data communication packages on an area network.
The most commonly applied technique for performing transmissions on a network such as a LAN (local area network) or WAN (wide area network) involves performing compression/decompression, encoding/decoding and transmission/reception of data communication packages to establish a fast communication between stations in the LAN. Techniques are disclosed in the following patents and published patent applications: DE 3 606 869, EP 0 582 907, U.S. Pat. Nos. 4,701,745, 4,996,690, 5,003,307, 5,016,009, 5,126,739, 5,146,221, 5,414,425, 5,463,390, 5,506,580, 5,532,694, 4,586,027, 4,872,009, 4,701,745 and 4,988,998, describing various aspects of compression/decompression and transmission from one unit to another unit. Reference is made to the above patents and published patent applications, and the above US patents are hereby incorporated in the present specification by reference.
According to present technology it appears that no technique is currently available ensuring a secure communication in combination with a fast communication. To secure data communication packages one must encrypt the data communication packages according to an encryption key or keys known to the stations involved. This is a time consuming process and therefore slows down and in particular delays the transmission between two or more stations and consequently contradicts the combination of a secure and fast communication. Furthermore, according to present technology operations such as compression, encryption and transmission, and reception, decryption and decompression are performed consecutively, which further slows the transmissions on the LAN as the data packages increase. Since computer networking becomes a more and more significant part of today's computer applications and communication on networks becomes everyday practice, it is rendered necessary to develop an apparatus and method for performing secure transmissions and increased transmission rates between stations in a computer network.
An object of the present invention is to provide a novel apparatus and method for securing data communication packages by encryption and simultaneously ensuring a fast communication between stations in a network such as LAN or WAN.
A particular advantage of the present invention is the significant reduction or substantial elimination of delays in transmitting data communication packages through a network by continuously ensuring that data is presented to the LAN or WAN in an encrypted state.
A particular feature of the present invention relates to the fact that the apparatus according to the present invention may be produced fully or partly in a process compatible with the production of integrated electronic circuits using any appropriate circuit technology involving VLSI, LSI, ASIC, FPGA, PLD production techniques or any combinations thereof.
The above object, the above advantage and the above feature together with numerous other objects, advantages and features which will be evident from the below detailed description of a preferred embodiment of the present invention is according to a first aspect of the present invention obtained by a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network such as a LAN (local area network) or WAN (wide area network), the data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit and a transmission and encryption section comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller (134), said communication controller further comprising a receiving and decrypting section comprising:
(g) a LAN receiving controller (140) providing a connection to said network and receiving a received data communication package from said network,
(h) a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package,
(i) a data decompression unit (172) providing decompression of said second section of said received data communication package,
(j) a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit (164),
(k) an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172),
(l) a data write unit (180) connected to said system bus of said host system, supplying said system bus with said received data communication package, and
(m) a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data communication package directly hereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180).
By incorporating several of the functions of the communication controller, according to the first aspect of the present invention, in a single electronic circuit, the time delay from one unit to the next is considerably reduced compared to time delays between discrete electronic components.
The term unit is to be understood as a generic term including all equivalent elements, blocks and sections etc. The term unit may comprise a single entity or may comprise a multiple of entities into one self-contained and defined unit, element, block or section.
In the communication controller according to the first aspect of the present invention, the transmission and encryption section further comprises a transmission FIFO (first in first out storage means) constituting an input section of the network transmission controller. Furthermore in the communication controller according to the first aspect of the present invention, the receiving and decrypting section further comprises a write FIFO receiving the received data communication package from the data receiving control unit in the third mode of operation, receiving the received data communication package from the data decompression unit in said fourth mode of operation and transferring the received data communication package through a connection to the data write unit, and a receiving FIFO receiving the received data communication package from the network reception control and transferring the data communication package through a connection to the data receiving control unit.
Since the communication controller, according to the first aspect of the present invention, comprises storage means for transmission as well as reception of data communication packages, full compatibility is achieved between a host system and the network. In particular, differences between station reading rates and network transmission rates are compensated for. The host system may operate at one frequency, while the network may operate at another, without overloading either the host system or the network. This relieves processing time available to the host system, since delivering a data communication package to the controller frees the host system's central processing unit to perform other tasks than waiting for completion of transmission, and therefore optimises the transmission performed on the network.
The communication controller, according to the first aspect of the present invention, for receiving and transmitting data communication packages on a network provides interrupt routines for units included in the communication controller, hereby ensuring a continuous data transmission on a network. In the communication controller, the data compression unit and the data encryption unit are adapted to be operated substantially simultaneously and are controlled by the network transmission controller. The network transmission controller furthermore controls the transmission FIFO so as to guarantee the continuous supply of bytes from the transmission FIFO to the network transmission controller. This ensures that the transmission is extraordinarily fast. Furthermore, since the communication controller preferably is implemented in accordance with a technique for producing integrated electronic circuits, a fast internal control of the operation may be achieved. Operating data compression and data encryption substantially simultaneously instead of consecutively considerably improves the transmission time and reduces the delay for transmitting a secure data communication package.
In the communication controller, according to the first aspect of the present invention, the data read transmission control is adapted to monitor the compression and encryption of the part of the input data for determining whether or not the part of the input data exceeds the amount of data containable within said second section of the data communication package. By continuously monitoring whether the data communication packages processed are within the package specifications of the network, any redundant operations are eliminated, and thus the number of data communication packages transmitted on the network is reduced.
In the communication controller, according to the first aspect of the present invention, the integrity check value calculation unit performs a subtraction, division, multiplication or preferably a summation of the data contained in the second section of the data communication package to be transmitted, and adds a first integrity check value to the second section of the data communication package. Additionally, in the communication controller according to the first aspect of the present invention, the integrity check value verification unit performs a subtraction, division, multiplication or preferably a summation of the data contained in the second section of a received data communication package, hereby obtaining a second integrity check value, and compares the second integrity check value with the first integrity check value contained in the second section of the data communication package. The integrity check value calculation and verification ensures that no excessive time is spent on corrupted data communication packages at the receiving end of a transmission; therefore, implementation of this calculation and verification may reduce unnecessary data communication package processing.
In the communication controller, according to the first aspect of the present invention, the data read transmission control unit comprises control means for controlling the first switch means in the two modes of operation. Furthermore, the data receiving control unit comprises control means for controlling the second switch means in the two modes of operation. These switching means ensure a fast recognition of clear text and consequently the bypassing or disabling of the first and second series configuration, respectively.
In the communication controller, according to the first aspect of the present invention, the data read transmission control unit further comprises a connection to the data encryption unit for transferring the transmission encryption key provided by the session key LUT from the data read transmission control unit to the data encryption unit.
In the communication controller, according to the first aspect of the present invention, the encryption key information comprised in the session key LUT is updated according to a key management protocol by the host system. Encryption key administration is entirely managed by the host system, thus delegating this cumbersome task to the host rather than to a local processing unit on the communication controller. In an alternative embodiment of the present invention, the encryption key or keys may be updated through the data read transmission control of the communication controller. Further alternatively, the encryption key or keys may be generated locally by the communication controller rather than by updating from the host system.
According to the basic realisation of the present invention the communication controller, according to the first aspect of the present invention, is implemented fully or partly as an integrated circuit applying VLSI, LSI, ASIC, FPGA, PLD techniques or any combinations thereof. This provides considerable production cost reductions since by implementing the communication controller according to the first aspect of the present invention utilising these production techniques the production time and the product handling are greatly reduced, and furthermore, the amount of costly pin connections and component casings are subsequently minimised.
In the communication controller, according to the first aspect of the present invention, the data compression unit adds a flag and fragment ID trailing the compressed part of the input data contained in the second section of the data communication package, and the data decompression unit extracts the flag and fragment ID trailing the compressed part of the input data in the second section of the data communication package. The flag and fragment ID provide information as to how the data communication package is configured. The data compression unit comprises two modes of operation: a high compression mode of operation handling compression of the part of the input data substantially simultaneously to transmission of the data communication package, and a low compression mode of operation applying a reduced compression efficiency to the compression substantially simultaneously to transmission of the data communication package, the high compression mode of operation operating according to an amount of accumulated data in the transmission FIFO, and the data compression unit being notified by the network transmission controller in case the amount of accumulated data in the transmission FIFO is less than a predetermined value, hence activating the low compression mode of operation. The capability of switching between two modes of compression enables the communication controller to perform at a maximum rate continuously, supplying the network with transmission data bytes until the end of the data communication package is reached. In this context the low compression mode may involve low compression, no compression or even expansion or decompression.
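As an added illustration, not taken from the patent, the transmit and receive paths of the first series configuration (compress, append flag and fragment ID, add the summation integrity check value, encrypt) and of the second series configuration (decrypt, verify, decompress) are modelled below in Python, together with the bypass mode and the FIFO-driven switch to the low compression mode described in this paragraph and in claims 74 and 75. The package layout, the XOR keystream stand-in cipher, the FIFO threshold and the capacity of the second section are assumptions of this example.

```python
"""Software model of the patent's transmit/receive pipeline (constructed example).
Layout, cipher and thresholds are assumptions; the patent specifies none of them."""
import hashlib
import struct
import zlib
from typing import Optional, Tuple

SECOND_SECTION_CAPACITY = 1024      # assumed capacity of the encrypted second section
MODE_BYPASS, MODE_SECURE = 0, 1     # first/third (bypass) vs second/fourth (series) mode
FLAG_HIGH, FLAG_LOW = 0x01, 0x02    # compression-mode flag trailing the compressed part
FIFO_THRESHOLD = 256                # assumed "predetermined value" of accumulated FIFO bytes
ICV_LEN, TRAILER_LEN = 4, 3         # 32-bit summation ICV; 1-byte flag + 2-byte fragment ID

# Constructed session key LUT keyed by station id; the host would maintain it.
SESSION_KEY_LUT = {0x0A: bytes.fromhex("000102030405060708090a0b0c0d0e0f")}


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    It only models 'encrypt the second section'; decryption is the same call."""
    out = bytearray()
    for i, offset in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + struct.pack(">I", i)).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def integrity_check_value(data: bytes) -> int:
    """The patent's preferred ICV: a summation of the bytes, kept to 32 bits.
    A plain sum catches transmission corruption, not a deliberate edit that
    preserves the byte sum; that is a property to keep in mind when reusing it."""
    return sum(data) & 0xFFFFFFFF


def compress_part(part: bytes, low_mode: bool) -> bytes:
    """High mode: full deflate. Low mode: zlib level 0 (stored blocks), i.e. the
    'no compression' case the text allows, so the transmit FIFO refills quickly."""
    return zlib.compress(part, 0 if low_mode else 9)


def build_second_section(part: bytes, fragment_id: int, fifo_fill: int) -> Optional[bytes]:
    """Data compression unit followed by the ICV calculation unit.
    Returns None when the monitoring step finds the part does not fit."""
    low_mode = fifo_fill < FIFO_THRESHOLD   # notification from the transmission controller
    body = compress_part(part, low_mode)
    body += struct.pack(">BH", FLAG_LOW if low_mode else FLAG_HIGH, fragment_id)
    if len(body) + ICV_LEN > SECOND_SECTION_CAPACITY:
        return None                         # data read transmission control rejects the part
    return body + struct.pack(">I", integrity_check_value(body))


def transmit(station: int, part: bytes, fragment_id: int = 0,
             fifo_fill: int = 512, secure: bool = True) -> Optional[bytes]:
    """Data read transmission control: first (bypass) or second (series) mode.
    Package = clear first section (mode, station, length) || second section."""
    if not secure:
        second = part                       # first mode: straight to the transmission FIFO
    else:
        second = build_second_section(part, fragment_id, fifo_fill)
        if second is None:
            return None
        second = keystream_cipher(SESSION_KEY_LUT[station], second)   # key from the LUT
    first = struct.pack(">BBH", MODE_SECURE if secure else MODE_BYPASS, station, len(second))
    return first + second


def receive(package: bytes) -> Tuple[bytes, Optional[Tuple[int, int]]]:
    """Data receiving control: third (bypass) or fourth (decrypt, verify, decompress) mode."""
    mode, station, length = struct.unpack(">BBH", package[:4])
    second = package[4:4 + length]
    if mode == MODE_BYPASS:
        return second, None
    body = keystream_cipher(SESSION_KEY_LUT[station], second)
    payload, (icv,) = body[:-ICV_LEN], struct.unpack(">I", body[-ICV_LEN:])
    if integrity_check_value(payload) != icv:
        # Verification failed: drop the package before spending time on decompression.
        raise ValueError("integrity check value mismatch; package dropped")
    flag, fragment_id = struct.unpack(">BH", payload[-TRAILER_LEN:])
    return zlib.decompress(payload[:-TRAILER_LEN]), (flag, fragment_id)


if __name__ == "__main__":
    pkg = transmit(0x0A, b"host data " * 50, fragment_id=7, fifo_fill=512)
    print(receive(pkg))
```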
The above object, the above advantage and the above feature together with numerous other objects, advantages and features which will be evident from the below detailed description of a preferred embodiment of the present invention is according to a second aspect of the present invention obtained by a transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), the data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit, and comprising:
(a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and connected to said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
(b) a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
(c) a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
(d) an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) interconnecting through said integrity check value calculation unit (122) to said data encryption unit (126),
(e) a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
(f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and providing a connection from said data read transmission control unit (102) to said network transmission controller (134) for transferring said input data directly thereto, and a second mode of operation providing a connection from said data read transmission control unit (102) through said first series configuration to said network transmission controller (134).
The transmission and encryption section of a communication controller, according to the second aspect of the present invention, is new and incorporates several of its functions in a single electronic circuit, thereby considerably reducing the time delay from one section to the next compared to the time delays between discrete electronic components.
The communication controller, according to the second aspect of the present invention, wherein the transmission and encryption section further comprises a transmission FIFO (first in first out storage means) constituting an input section of the network transmission controller. Since the transmission and encryption section of a communication controller, according to the second aspect of the present invention, comprises storage means for transmission of data communication packages, full compatibility is achieved between a host system and the network. In particular, differences between station reading rates and network transmission rates are compensated for. The host system may operate at one transmission frequency while the network operates at another, without overloading either the host system or the network. This frees processing time on the host system, since delivering a data communication package to the controller releases the host system's central processing unit to perform other tasks rather than waiting for completion of the transmission, and therefore optimises the transmission performed on the network.
The transmission and encryption section of a communication controller, according to the second aspect of the present invention, for encrypting and transmitting data communication packages on a network, provides interrupt routines for units included in the communication controller, hereby ensuring a continuous data transmission on the network. In the transmission and encryption section, the data compression unit and the data encryption unit are adapted to be operated substantially simultaneously and are controlled by the network transmission controller. The network transmission controller controls the transmission FIFO so as to guarantee the continuous supply of bytes from the transmission FIFO to the network transmission controller. This ensures that the transmission is extraordinarily fast.
Furthermore, since the communication controller is preferably implemented in accordance with a technique for producing integrated electronic circuits, a fast internal control of the operation may be achieved. Operating data compression and data encryption substantially simultaneously, instead of consecutively, considerably improves the transmission time and reduces the delay for transmitting a secure data communication package.
The transmission and encryption section of a communication controller, according to the second aspect of the present invention, having the data read transmission control unit adapted to monitor the compression and encryption of the part of the input data for determining whether or not the part of the input data exceeds the amount of data containable within the second section of the data communication package. By continuously monitoring whether the data communication packages processed are within the package specifications of the network, redundant operations are eliminated, and thus the number of data communication packages transmitted on the network is reduced.
The transmission and encryption section of a communication controller, according to the second aspect of the present invention, wherein the integrity check value calculation unit performs a subtraction, division, multiplication or, preferably, a summation over the data contained in the second section of the data communication package to be transmitted, and adds the resulting first integrity check value to the second section of the data communication package. The integrity check value calculation ensures that no excessive time is spent on corrupted data communication packages at the receiving end of a transmission; therefore, implementation of this calculation may reduce unnecessary data communication package processing.
The transmission and encryption section of a communication controller, according to the second aspect of the present invention, wherein the data read transmission control unit comprises control means for controlling the first switch means in the two modes of operation. This control means ensures fast recognition of clear text and, consequently, bypassing or disabling of the first series configuration.
The transmission and encryption section of a communication controller, according to the second aspect of the present invention, wherein the data read transmission control unit further comprises a connection to the data encryption unit for transferring the transmission encryption key provided by the session key LUT from the data read transmission control unit to the data encryption unit.
The transmission and encryption section of a communication controller, according to the second aspect of the present invention, wherein the session key LUT comprising encryption key information is updated according to a key management protocol by the host system. Encryption key administration is entirely managed by the host system thus delegating this cumbersome task to the host rather than a local processing unit on the communication controller. In an alternative embodiment of the present invention, the encryption key or keys may be updated through the data read transmission control of the communication controller. Further alternatively the encryption key or keys may be generated locally by the communication controller rather than by updating from the host system.
According to the basic realisation of the present invention, the transmission and encryption section of a communication controller, according to the second aspect of the present invention, is implemented fully or partly as an integrated circuit applying VLSI, LSI, ASIC, FPGA or PLD techniques, or any combination thereof. This provides considerable production cost reductions, since by implementing the communication controller according to the first aspect of the present invention with these production techniques the production time and the product handling are greatly reduced, and furthermore the number of costly pin connections and component casings is minimised.
The transmission and encryption section of a communication controller, according to the second aspect of the present invention, wherein the data compression unit adds a flag and a fragment ID trailing the compressed part of the input data contained in the second section of the data communication package. The flag and fragment ID provide information as to how the data communication package is configured. The data compression unit comprises two modes of operation: a high compression mode of operation handling compression of the part of the input data substantially simultaneously with transmission of the data communication package, and a low compression mode of operation applying a reduced compression efficiency, likewise substantially simultaneously with transmission of the data communication package. The high compression mode of operation operates according to the amount of data accumulated in the transmission FIFO, and the data compression unit is notified by the network transmission controller when the amount of data accumulated in the transmission FIFO is less than a predetermined value, whereupon the low compression mode of operation is activated. The capability of switching between the two modes of compression enables the communication controller to perform continuously at a maximum rate, supplying the network with transmission data bytes until the end of the data communication package is reached.
The above object, the above advantage and the above feature together with numerous other objects, advantages and features which will be evident from the below detailed description of a preferred embodiment of the present invention is according to a third aspect of the present invention obtained by a method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a transmission FIFO (first in first out storage facility) means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means interconnecting through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising:
(a) receiving input data from a system bus of a host system by means of said data read transmission control means connected to said session key storage means, providing a transmission encryption key for said data communication package by means of said session key storage means,
(b) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package by means of said data compressing means,
(c) providing an encryption by means of said data encryption means, according to said transmission encryption key transferred from said session key storage means, of said second section of said data communication package transferred from said data compressing means,
(d) supplying said data communication package to said network in a transmission rate determined by said controller means for network transmission and said network by means of a connection to said network from a controller means for network transmission, and
(e) switching by means of a first switching means between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and connecting said data read transmission control means with said controller means for network transmission and transferring said input data directly thereto, and a second mode of operation providing a connection from said data read transmission control means through said first series configuration to said controller means for network transmission, the connection thereto being made from said data encryption means.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, is new and ensures a secure and fast transmission. Furthermore by incorporating the means in a single method the time delays are considerably reduced.
The method for transmitting and encrypting, according to the third aspect of the present invention, further comprising constituting an input section of said controller means for network transmission by means of a transmission FIFO means (first in first out storage means). Since the method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, comprises storage means for transmission of data communication packages, full compatibility is achieved between a host system and the network. In particular, differences between station reading rates and network transmission rates are compensated for. The host system may operate at one transmission frequency while the network operates at another, without overloading either the host system or the network. This frees processing time on the host system, since delivering a data communication package to the controller releases the host system's central processing unit to perform other tasks rather than waiting for completion of the transmission, and therefore optimises the transmission performed on the network.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising provision of interrupt routines for units included in the communication controller, hereby ensuring a continuous data transmission on the network by means of the controller means for network transmission. The method for transmitting and encrypting further comprises substantially simultaneous operation of the data compression means and the data encryption means, controlled by the controller means for network transmission. The method for transmitting and encrypting further comprises controlling the transmission FIFO means by means of the controller means for network transmission so as to guarantee the continuous supply of bytes from the transmission FIFO means to the controller means for network transmission. This ensures that the transmission is performed extraordinarily fast. Furthermore, since the means incorporate several operations in one method, a fast internal control of the operations may be achieved. Performing data compression and data encryption substantially simultaneously, instead of consecutively, considerably improves the transmission time and reduces the delay for transmitting a secure data communication package.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising monitoring the compression and encryption of the part of the input data by means of the data read transmission control means for determining whether or not the part of the input data exceeds the amount of data containable within the second section of the data communication package. By continuously monitoring whether the data communication packages processed are within the package specifications of the network, redundant operations are eliminated, and thus the number of data communication packages transmitted on the network is reduced. If a data communication package is within the package size specification of the network, the method prevents further data compression, thereby relieving the means and obtaining valuable processing time.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention further, comprising transferring the transmission encryption key provided by the session key storage means from the data read transmission control means to the data encryption means by means of a connection means.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising operating the data compression means in two modes of operation, a high compression mode of operation handling compression of the part of the input data substantially simultaneously to transmission of the data communication package, and a low compression mode of operation applying a reduced compression efficiency to the compression substantially simultaneously to transmission of the data communication package, the high compression mode of operation operating according to an amount of accumulated data in the transmission FIFO means and the data compression means being notified by the controller means for network transmission in case of the amount of accumulated data in the transmission FIFO means is less than a predetermined value hence activating the low compression mode of operation. The capability of switching between two modes of compression enables the continuous performance of a maximum rate and supply of transmission data bytes to the network until the end of the data communication package is reached.
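The FIFO-driven mode switching described for the first, second and third aspects above can be modelled in software. The following is an added illustration written for this page; it is not the patent's circuit and not the applicant's code. Everything numeric in it is an assumption: zlib level 9 stands in for the high compression mode and level 1 for the low compression mode, each input chunk becomes one independently compressed fragment with the fragment ID and a flag byte trailing it, the network drains the transmission FIFO at a fixed number of bytes per cycle, a high-mode fragment costs more cycles than a low-mode one, and the notification threshold is set to the number of bytes a high-mode fragment would let drain. The payload is a constructed, seeded pseudo-random byte string, chosen because it is incompressible and so keeps the fragment sizes predictable for following the FIFO arithmetic.

```python
import random
import struct
import zlib

HIGH_LEVEL, LOW_LEVEL = 9, 1     # zlib levels standing in for the two compression modes (assumption)
DRAIN_PER_CYCLE = 100            # bytes the network takes from the FIFO per cycle (assumption)
HIGH_CYCLES, LOW_CYCLES = 20, 3  # cycles one fragment costs the compressor in each mode (assumption)
# Threshold below which the network transmission controller notifies the compressor. A high-mode
# fragment must never let the FIFO drain more than it currently holds (assumption).
FIFO_THRESHOLD = HIGH_CYCLES * DRAIN_PER_CYCLE
FLAG_LOW_MODE = 0x01             # hypothetical flag bit: fragment was produced in low mode


def choose_mode(fifo_level: int, threshold: int = FIFO_THRESHOLD) -> str:
    """Mode the network transmission controller signals for the given FIFO occupancy."""
    return "low" if fifo_level < threshold else "high"


def simulate_transmit(data: bytes, chunk_size: int = 1024, preload: int = 2048, adaptive: bool = True):
    """Push data through the compressor while the FIFO drains at the network rate.

    Returns (fragments, modes, underrun). Each fragment is the compressed chunk followed by
    a trailing fragment ID and flag byte. With adaptive=False the compressor ignores the
    controller's notification and always runs in high mode.
    """
    fifo = preload
    fragments, modes, underrun = [], [], False
    for frag_id, off in enumerate(range(0, len(data), chunk_size)):
        chunk = data[off:off + chunk_size]
        mode = choose_mode(fifo) if adaptive else "high"
        body = zlib.compress(chunk, LOW_LEVEL if mode == "low" else HIGH_LEVEL)
        # While the compressor works on this fragment the network keeps draining the FIFO.
        drained = (LOW_CYCLES if mode == "low" else HIGH_CYCLES) * DRAIN_PER_CYCLE
        if drained > fifo:
            underrun = True          # FIFO ran dry: the network saw a gap inside the package
        fifo = max(0, fifo - drained) + len(body)
        flags = FLAG_LOW_MODE if mode == "low" else 0
        fragments.append(body + struct.pack(">HB", frag_id, flags))
        modes.append(mode)
    return fragments, modes, underrun


def reassemble(fragments) -> bytes:
    """Receiver side: strip the trailing fragment ID and flag, check ordering, decompress."""
    out = bytearray()
    for expected_id, frag in enumerate(fragments):
        frag_id, _flags = struct.unpack(">HB", frag[-3:])
        if frag_id != expected_id:
            raise ValueError("fragment out of order")
        out += zlib.decompress(frag[:-3])
    return bytes(out)


def sample_payload(n: int = 8192, seed: int = 7) -> bytes:
    """Constructed, seeded pseudo-random payload (incompressible, so fragment sizes stay
    close to chunk_size and the FIFO level is easy to follow by hand)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    frags, modes, underrun = simulate_transmit(sample_payload())
    print("modes:", modes, "underrun:", underrun)
    print("fixed high mode underrun:", simulate_transmit(sample_payload(), adaptive=False)[2])
```

With these constants the adaptive compressor alternates between modes and never lets the FIFO run dry, whereas the same run with the notification ignored underruns on the second fragment. The check that matters in hardware is the threshold choice: it must be at least the number of bytes the network drains during one high-mode fragment, otherwise the notification arrives too late.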
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, wherein the communication controller further comprises receiving means, a data writing means, a data decompressing means, a data decryption means, a data receiving control means and an integrity check value verification means constituting a second series configuration from said data decryption means interconnecting through said integrity check value verification means to said data decompression means, the method further comprising:
(f) providing a connection to said network and receiving a received data communication package from said network by means of controller means for network reception,
(g) receiving said received data communication package through a connection to said controller means for network reception and connecting to said session key storage means by means of a data receiving control means, providing a reception encryption key for said data communication package by means of said session key storage means,
(h) providing a decryption of said second section of said received data communication package according to said reception encryption key transferred from said session key storage means and providing a decrypted second section of said received data communication package by means of a data decryption means,
(i) providing decompression of a compressed part of said decrypted second section of said received data communication package and providing a decompressed part in said second section of said received data communication package instead of said compressed part in said second section of said data communication package by means of a data decompression means,
(j) supplying said system bus of said host system with received data communication package by means of said data writing means, and
(k) switching by means of a second switching means between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and connecting said data receiving control means with said data writing means and transferring said received data communication package directly thereto, and a fourth mode of operation providing a connection from said data receiving control means through said second series configuration to said data writing means.
By introducing receiving means into the method for transmitting and encrypting, several advantages are achieved. Performing transmission and reception by a single method simplifies the processes and enables actions common to transmission and reception to be shared.
The method for transmitting and encrypting, according to the third aspect of the present invention, further comprising receiving said received data communication package from said data receiving control means in said third mode of operation, receiving said received data communication package from said data decompression means in said fourth mode of operation and transferring said received data communication package through a connection to said data writing means by means of a write FIFO means, and receiving said received data communication package from said control means for network reception and transferring said data communication package through a connection to said data receiving control means by means of a receiving FIFO means.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising updating encryption key information in the session key storage means according to a key management protocol by the host system. Encryption key administration is entirely managed by the host system thus delegating this cumbersome task to the host rather than a local processing means on the communication controller. In an alternative embodiment of the present invention, the encryption key or keys may be updated through the data read transmission control means.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising performing a subtraction, division, multiplication or, preferably, a summation over the data contained in the second section of the data communication package to be transmitted, and adding the resulting first integrity check value to the second section of the data communication package by means of the integrity check value calculation means. Additionally, the method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising performing a subtraction, division, multiplication or, preferably, a summation over the data contained in the second section of a received data communication package, hereby obtaining a second integrity check value, and comparing the second integrity check value with the first integrity check value contained in the received data communication package by means of the integrity check value verification means. The integrity check value calculation and verification ensure that no excessive time is spent on corrupted data communication packages at the receiving end of a transmission; therefore, implementation of this calculation and verification may reduce unnecessary data communication package processing.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising controlling the first switching means in the two modes of operation by means of the data read transmission control means. The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising controlling the second switching means in the two modes of operation by means of the data receiving control means. These control means ensure fast recognition of clear text and, consequently, bypassing or disabling of the first and second series configuration, respectively.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising providing interrupt routines for units included in the communication controller, hereby ensuring a continuous data transmission on the network by means of the receiving means for receiving the data communication packages on the network.
The method for transmitting and encrypting in a communication controller, according to the third aspect of the present invention, further comprising adding flag and fragment ID trailing the compressed part of the input data contained in the second section of the data communication package by means of the data compression means, and further comprising extracting flag and fragment ID trailing the compressed part of the input data in the decrypted second section of the data communication package by means of the data decompression means.
The above object, the above advantage and the above feature together with numerous other objects, advantages and features which will be evident from the below detailed description of a preferred embodiment of the present invention is according to a fourth aspect of the present invention obtained by a network controller of a communication controller comprising means for producing a data communication package comprising a non-encrypted first section including a clear header, and an encrypted second section including a protected header, a data section, a fragment ID, flags, padding and an ICV (integrity check value).
By placing the flags and the fragment ID trailing the data section, contrary to normal practice, an improved configuration is obtained, since transmission of the package may be initiated without delay: the data section can be sent before the compression has completed and the flags and fragment ID are known. Thus a significant reduction in transmission time is achieved.
The network controller of a communication controller, according to the fourth aspect of the present invention, further comprising means for producing the data communication package wherein the data section comprises compressed data, end of data, padding and uncompressed data. In case the transmission data in non-compressed form are larger than the maximum payload of the data section, the transmission data are compressed until they are smaller than the maximum payload of the data section. If the transmission data in compressed form are still larger than the maximum payload of the data section, the transmission data are transmitted uncompressed. Therefore the data section is configured as comprising compressed data as well as uncompressed data, and the compressed data part may contain 0 bytes of data. By continuously monitoring the compression of the transmission data, delays in the transmission are eliminated.
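The package layout of the fourth aspect, the fit check of the previous paragraph and the integrity check value calculation and verification of the third aspect can be exercised together in a small builder and parser. The following is an added example written for this page, not the patent's hardware and not the applicant's code. The field widths, the clear header magic, the end-of-data marker value, the padding rules (data section padded to 4 bytes, second section padded so that it ends on an 8-byte boundary), the 2000-byte payload limit and the fragmentation of oversized uncompressed data are all assumptions; the cipher is a keyed XOR keystream built from SHA-256 standing in for the cipher the page does not specify. The processing order follows claim (d): compress, then compute the ICV over the protected bytes, then encrypt. The ICV is the summation variant the text prefers; a sum catches transmission corruption, which is what the text uses it for, but it is not a message authentication code and does not detect deliberate modification of the plaintext.

```python
import hashlib
import random
import struct
import zlib

MAX_PAYLOAD = 2000           # maximum bytes in the data section of one package (assumption)
BLOCK = 8                    # second section is padded to a multiple of this (assumption)
END_OF_DATA = b"\xff\x00"    # hypothetical end-of-data marker closing the compressed part
FLAG_COMPRESSED = 0x01       # data travels in the compressed part (hypothetical flag bit)
FLAG_MORE = 0x02             # further fragments follow (hypothetical flag bit)
CLEAR_MAGIC = b"CH"          # hypothetical clear header tag


def icv_sum(protected: bytes) -> int:
    """Integrity check value: 32-bit summation of the protected bytes (no tamper resistance)."""
    return sum(protected) & 0xFFFFFFFF


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified cipher: XOR with SHA-256(key || counter) blocks. Symmetric."""
    out = bytearray()
    for n, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + struct.pack(">I", n)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def data_section(comp: bytes, uncomp: bytes) -> bytes:
    """compressed data | end of data | padding to 4 bytes | uncompressed data."""
    head = comp + END_OF_DATA
    return head + b"\x00" * (-len(head) % 4) + uncomp


def build_package(comp: bytes, uncomp: bytes, frag_id: int, flags: int, key: bytes) -> bytes:
    protected_header = struct.pack(">HH", len(comp), len(uncomp))
    body = protected_header + data_section(comp, uncomp)
    body += struct.pack(">HB", frag_id, flags)            # fragment ID and flags trail the data
    body += b"\x00" * (-(len(body) + 4) % BLOCK)          # pad so body + ICV fills whole blocks
    body += struct.pack(">I", icv_sum(body))              # ICV computed before encryption
    second = keystream_xor(key, body)                     # whole second section is encrypted
    return struct.pack(">2sH", CLEAR_MAGIC, len(second)) + second


def build_packages(plain: bytes, key: bytes) -> list:
    """Fit check: raw if it fits, else compressed if that fits, else raw fragments."""
    if len(plain) <= MAX_PAYLOAD:                          # fits already: compression skipped
        return [build_package(b"", plain, 0, 0, key)]
    comp = zlib.compress(plain, 9)
    if len(comp) <= MAX_PAYLOAD:
        return [build_package(comp, b"", 0, FLAG_COMPRESSED, key)]
    chunks = [plain[i:i + MAX_PAYLOAD] for i in range(0, len(plain), MAX_PAYLOAD)]
    return [build_package(b"", c, i, FLAG_MORE if i < len(chunks) - 1 else 0, key)
            for i, c in enumerate(chunks)]


def parse_package(pkt: bytes, key: bytes):
    """Receiver: decrypt, verify the ICV, then unpack. Returns (frag_id, flags, data)."""
    magic, second_len = struct.unpack(">2sH", pkt[:4])
    if magic != CLEAR_MAGIC or len(pkt) != 4 + second_len:
        raise ValueError("bad clear header")
    body = keystream_xor(key, pkt[4:])
    (icv_rx,) = struct.unpack(">I", body[-4:])
    if icv_sum(body[:-4]) != icv_rx:                       # corrupted package: drop it early
        raise ValueError("ICV mismatch: package discarded")
    comp_len, uncomp_len = struct.unpack(">HH", body[:4])
    pos = 4
    comp = body[pos:pos + comp_len]
    pos += comp_len
    if body[pos:pos + 2] != END_OF_DATA:
        raise ValueError("end-of-data marker missing")
    pos += 2 + (-(comp_len + 2) % 4)
    uncomp = body[pos:pos + uncomp_len]
    pos += uncomp_len
    frag_id, flags = struct.unpack(">HB", body[pos:pos + 3])
    data = zlib.decompress(comp) if flags & FLAG_COMPRESSED else uncomp
    return frag_id, flags, data


def reassemble(pkts: list, key: bytes) -> bytes:
    parts = sorted(parse_package(p, key) for p in pkts)    # order by trailing fragment ID
    return b"".join(d for _, _, d in parts)


def sample_incompressible(n: int = 5000, seed: int = 3) -> bytes:
    """Constructed, seeded pseudo-random bytes that zlib cannot shrink below MAX_PAYLOAD."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))
```

Three inputs show the three branches of the fit check: a short message goes raw with an empty compressed part, a long run of identical bytes goes compressed in one package, and an incompressible buffer falls back to uncompressed fragments numbered by the trailing fragment ID. A single flipped byte anywhere in the encrypted section makes `parse_package` raise on the ICV comparison before any decompression is attempted, which is the processing saving the text describes.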
The network controller of a communication controller, according to the fourth aspect of the present invention, may further advantageously comprise any of the features of the communication controller according to the first and second aspects of the present invention and may further advantageously be adapted to perform the method according to the third aspect of the present invention.
The above object, the above advantage and the above feature together with numerous other objects, advantages and features which will be evident from the below detailed description of a preferred embodiment of the present invention is according to a fifth aspect of the present invention obtained by a data communication package comprising a data section including compressed data and uncompressed data.
The above object, the above advantage and the above feature together with numerous other objects, advantages and features which will be evident from the below detailed description of a preferred embodiment of the present invention is according to a sixth aspect of the present invention obtained by a communication controller chip for performing data encryption and data decryption of a multiplicity of data communication packages to be transferred in a network such as a LAN (local area network) or WAN (wide area network) and including a plurality of processing units, each of said multiplicity of data communication packages containing a first section of non-encrypted data and a second section containing encrypted data, and each of said multiplicity of data communication packages having an associated processing descriptor defining source, destination, process configuration of said plurality of processing units and processing of said data communication package, and said communication controller chip comprising:
(a) a bridge unit connecting said communication controller through a bus to a central processing unit (CPU) or a host,
(b) a random access memory (RAM) for keys, processing descriptors and temporary storage of data,
(c) a data transmission control unit for providing access for said CPU to information regarding general configuration of said communication controller,
(d) an in-queue unit comprising a plurality of queues for pointers referencing processing descriptors for data communication packages in said RAM to be processed by said plurality of processing units,
(e) an out-queue unit comprising a go-queue of pointers referencing processing descriptors for data communication packages in RAM to be processed by a plurality of processing units, which process is monitored and analysed by said CPU or host system so as to establish if further processing is required, and said out-queue unit comprising a complete-queue of pointers referencing processing descriptors for data communication packages in said RAM having completed processing in accordance with requirements of said CPU or host system,
(f) a decompression processing unit included in said plurality of processing units providing decompression of compressed data of said second section of said data communication packages thereby producing decompressed data in said RAM or memory of said host in accordance with processing descriptors associated with said data communication packages,
(g) a compression processing unit providing compression of said second section of said outgoing data communication packages thereby producing compressed data in said RAM or memory of said host in accordance with processing descriptors associated with said data communication packages,
(h) a decryption processing unit providing a decryption of said second section of a data communication package according to a reception decryption |