US20030005279A1 - Synchronizing the exchange of cryptography information between kernel drivers - Google Patents
- Publication number: US20030005279A1 (application US09/895,061)
- Authority: US (United States)
- Prior art keywords: cryptography, data packet, system layer, cryptography information, information
- Legal status: Abandoned (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
Definitions
- the invention relates to processing of cryptography information. More specifically, the invention relates to techniques for passing security association information between kernel drivers.
- Data transferred over a network can be encrypted to protect its confidentiality and integrity. Because many different encryption methods are used, data packets contain an index into a table of structures containing cryptography (crypto) information necessary to indicate to the receiving system how to decrypt the data. The crypto information can be contained in a data structure called a security association (SA).
- Network interface devices in the transmitting and receiving systems perform crypto operations (e.g., encryption, decryption, authentication) on the data packets based on the crypto information in the SA.
- a device driver directs how the network interface devices will perform crypto operations.
- the device driver stores in system memory a table of crypto information necessary for the network interface devices to perform crypto operations on data packets.
- the information may also be stored in tables on the devices. These tables can include, for example, unique identifiers for the cryptography data structures, cryptography keys, source addresses, destination addresses, network protocol types, and other information related to crypto operations.
- One technique for populating a table of crypto information is for a high level application such as an operating system (OS) to control the process.
- the high level application is responsible for maintaining consistency of the security state between the upper system layers (e.g., OS, high level applications) and the lower system layers (e.g., base drivers, hardware devices) that perform crypto operations.
- the high level application manages a unique handle that the driver creates for each data structure of crypto information and that is passed to the intermediate security layer and/or base driver. All operations on data packets by the intermediate security layer driver, the network interface device drivers, and/or the network interface devices reference the crypto information through this handle.
- If the network interface device and/or its associated driver is reset, the data in the crypto information tables is lost and the handles must be discarded.
- The high level application is then responsible for passing the crypto information to the base driver again so that it can repopulate the crypto information tables.
- Some operating systems, for example Windows® 2000 and Windows® XP (both available from Microsoft Corporation), guarantee that the crypto information tables are populated. Thus, if a network interface device and/or its associated device driver is reset, the operating system passes the crypto information to the base drivers so that the tables held by the network interface device and/or its associated driver can be repopulated.
- One shortfall of such a technique is an inefficient use of resources because the entire table is repopulated, even though some of the information may not be used in the future.
- Another shortfall occurs with dynamic installation or removal of a network interface device; crypto information can be lost, or a device may be unable to acquire the proper security state.
- Another shortfall is that attempts to store crypto information in a network interface device and its associated driver during a reset often fail, which requires repeated attempts to store the information or results in the information not being stored at all.
- FIG. 1 is one embodiment of a block diagram of an electronic system.
- FIG. 2 is one embodiment of a block diagram of an electronic system coupled to a network through a network interface.
- FIG. 3 is one embodiment of a block diagram of an intermediate driver agent.
- FIG. 4 is one embodiment of a block diagram of a base driver agent.
- FIG. 5 is one embodiment of a block diagram of a data packet.
- FIG. 6 is one embodiment of a flow diagram for transmission of a data packet from an electronic system implementing a layered security driver.
- FIG. 7 is one embodiment of a flow diagram for reception of a data packet by an electronic system implementing a layered security driver.
- SA: Security Association
- IP: Internet Protocol
- IPsec: IP Security
- IETF: Internet Engineering Task Force
- RFC: Request for Comments
- a pointer to the crypto information is created and passed to a base driver.
- the base driver uses the pointer to populate a crypto information table to enable a network interface device to perform crypto operations on the data packets.
- the pointer is used to repopulate the crypto information table as needed with the specific data structures of crypto information needed to perform crypto operations on the data packets.
- Security status information is indicated from a base driver to an intermediate driver.
- the intermediate driver uses the security status information to determine whether processing should be performed on the packet.
- the security status information indicates that crypto information necessary to process a data packet was missing.
- the intermediate driver then passes the missing crypto information to the base driver.
- FIG. 1 is one embodiment of an electronic system.
- Electronic system 100 may be, for example, a computer, a Personal Digital Assistant (PDA), a set top box, or any other electronic system.
- System 100 includes bus 101 or other communication device to communicate information, and processor 102 coupled with bus 101 to process information and to execute instructions.
- System 100 further includes memory 103 , coupled to bus 101 to store information and instructions to be executed by processor 102 .
- Memory 103 may also be used to store temporary variables or other intermediate information during execution of instructions by processor 102 .
- Memory 103 may include random access memory (RAM), read-only memory (ROM), flash, or other static or dynamic storage media.
- User interfaces 104 are coupled to bus 101 to allow interaction with a user.
- User interfaces 104 can be, for example, input devices (e.g., mouse, keyboard, touchpad, etc.) and/or output devices (e.g., cathode ray tube (CRT) monitor, liquid crystal display (LCD), etc.).
- Mass storage 105 can be coupled to system 100 to provide instructions to memory 103 .
- Mass storage 105 can be, for example, a magnetic disk or optical disc and its corresponding drive, a memory card, or another device capable of storing machine-readable instructions.
- Network interfaces 106 can be coupled to bus 101 to enable system 100 to communicate with other electronic systems via a network.
- Driver agent 107 may be coupled to system 100 to perform driver features in hardware.
- Driver agent 107 may be an Application Specific Integrated Circuit (ASIC), a special function controller or processor, a Field Programmable Gate Array (FPGA), or other hardware device to perform the functions of a driver.
- Driver agent 107 is not a necessary part of system 100 .
- system 100 may contain a driver agent that provides system control over network interfaces 106 , for example, a Network Interface Card (NIC) driver controlling a NIC.
- Network interfaces 106 couple electronic system 100 to other electronic systems over a network.
- non-secure traffic streams are transmitted and/or received by system 100 through network interfaces 106 .
- secure traffic streams can be transmitted and/or received by system 100 through network interfaces 106 .
- Transmitting secure traffic streams requires that crypto operations be performed on data packets to authenticate and/or encrypt data before being transmitted.
- Receiving secure traffic streams requires that crypto operations be performed on data packets to authenticate and/or decrypt data after being received.
- the crypto operations can be performed by network interfaces 106 .
- a driver agent can direct network interfaces 106 to decrypt a received data packet.
- the driver agent can be driver agent 107 or a software driver agent incorporated from a series of machine-readable instructions stored within memory 103 .
- Instructions can be provided to memory 103 from a storage device, such as magnetic disk, CD-ROM, DVD, via a remote connection (e.g., over a network), etc.
- hard-wired circuitry can be used in place of or in combination with software instructions to enable system 100 to transfer crypto information from an intermediate driver agent to a base driver agent as described below.
- the electronic system depicted above is not limited to any specific combination of hardware circuitry and software structure.
- a machine-accessible medium includes any mechanism that provides (i.e., stores and/or transmits) information in a form readable by a machine (e.g., a computer).
- a machine-accessible medium includes read only memory (ROM); random access memory (RAM); magnetic disk storage media; optical storage media; flash memory devices; electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals); etc.
- FIG. 2 is one embodiment of a block diagram of an electronic system coupled to a network through a network interface.
- Network Interface (NI) 210 is a communication interface that enables system 200 to communicate to other electronic systems coupled to network 220 .
- NI 210 can be a NIC.
- data packets are received from network 220 into NI 210 .
- data packets can be transmitted to network 220 from NI 210 .
- cache 211 contains a table of crypto information necessary to perform crypto operations on the packets.
- NI 210 can use data stored in cache 211 to decrypt a packet after it receives the packet.
- Memory 103 contains operating system (OS) 231 which directs operations of system 200 .
- OS 231 is the highest layer of control of system 200 .
- Intermediate driver agent 233 and base driver agent 235 are lower layers of system control.
- OS 231 delivers crypto information to intermediate driver agent 233 .
- applications 232 can contain agents of a higher layer of control than intermediate driver agent 233 and deliver crypto information to intermediate driver agent 233 .
- Applications 232 can also contain other programs (e.g., word processor(s), electronic mail (e-mail) programs).
- delivering and/or passing crypto information as described can be practiced by other system layers.
- an OS may deliver crypto information to a base driver agent.
- a base driver agent may pass information to a high level application.
- System layers are applications and/or system elements that control the flow of operations in an electronic system, from a low level layer such as network hardware to a high level layer such as an OS.
- Memory 103 contains security association (SA) tables 234 and 236, which are data structures of SAs.
- SA table 234 and SA table 236 are examples of tables of crypto information; memory 103 may contain other such tables.
- Memory 103 can also contain intermediate driver agent 233 and/or base driver agent 235 .
- intermediate driver agent 233 creates pointers to crypto information in SA table 234 .
- intermediate driver agent 233 creates handles for the crypto information data structures that are unique identifiers for the SAs. The pointers can be used to access the data structures of crypto information, including the unique identifiers.
- Intermediate driver agent 233 passes the pointers to base driver agent 235 .
- a packet created for transmission by the upper system layers is passed by intermediate driver agent 233 to base driver agent 235 with a pointer to the memory location of the SA associated with the data packet.
- Base driver agent 235 can then use the pointer to access the crypto information in SA table 234 .
- Base driver agent 235 maintains SA table 236 for directing the processing of secure traffic data streams.
- base driver agent 235 uses the pointer to populate SA table 236 .
- base driver agent 235 uses the pointer to access SA table 234 to repopulate SA table 236 with SAs if the information in the table is lost.
- the data in SA table 236 is lost if NI 210 is reset.
- base driver agent 235 uses the pointer to populate cache 211 if the data in cache 211 is lost, such as if NI 210 or its associated base driver agent is reset.
- base driver agent 235 uses the pointer to obtain crypto information from SA table 234 if the data necessary to perform crypto operations on a data packet is missing from SA table 236 .
- an NI device may be dynamically added to system 200 whose base driver agent may be unable to acquire the proper security state.
- an NI device may be dynamically removed from system 200 .
- a base driver agent may be dynamically removed from system 200 . If the information necessary to process data packets from secure traffic streams is not found in SA table 236 , the information can be obtained with the pointer.
- base driver agent 235 uses the pointer associated with a packet to access crypto information necessary to perform crypto operations on data packets from SA table 234 if adding a data structure of crypto information to SA table 236 fails. For example, in an IPsec implementation, adding SAs during reset often fails. Tracking when a network interface device or its associated driver is ready to receive the data structures of crypto information is difficult. In prior art, if the data in SA table 236 is lost, missing, or unable to be added, the NI device will be unable to process data packets.
- FIG. 3 is one embodiment of a block diagram of an intermediate driver agent.
- Control logic 310 directs the flow of operation of driver agent 300 .
- control logic 310 is a series of software instructions to perform logic operations.
- control logic 310 can be implemented by hardware control logic, or a combination of hardware-based control logic and software instructions.
- System interfaces 340 provide a communications interface between intermediate driver agent 300 and an electronic system.
- intermediate driver agent 300 can be part of a computer system and system interfaces 340 provide a communications interface between intermediate driver agent 300 and the computer system via a system bus.
- control logic 310 can receive a series of instructions from application software external to intermediate driver agent 300 .
- Intermediate driver agent 300 is not limited to being local to an electronic system.
- system interfaces 340 may provide a communications interface between intermediate driver agent 300 and an electronic system through a network.
- intermediate driver agent 300 may contain applications 320 to provide internal instructions to control logic 310 . Applications 320 are not necessary to the function of intermediate driver agent 300 .
- Packet classification feature 351 enables intermediate driver agent 300 to match a data packet with its corresponding crypto information from a table of crypto information so that the data packet can be processed correctly.
- packet classification feature 351 can enable intermediate driver agent 300 to direct a base driver agent which SA to use to encrypt a data packet prior to transmission of the data packet.
- Packet transfer feature 352 enables intermediate driver agent 300 to transfer data packets to/from other system layers.
- intermediate driver agent 300 can pass a data packet to be transmitted to a base driver agent.
- a high-level system layer such as an OS can create a data packet for transmission and pass the packet down to intermediate driver agent 300 .
- a base driver agent can pass a packet of ingress data up to intermediate driver agent 300 .
- Pointer feature 353 enables driver agent 300 to create a pointer to the memory location of crypto information.
- pointer feature 353 enables intermediate driver agent 300 to create a pointer to the memory location of crypto information, such as data in an SA table.
- the pointer can be passed to a base driver agent and used to access a unique identifier for the crypto information stored with the information in a crypto information table.
- the base driver agent can then use the pointer to access crypto information necessary to perform crypto operations on data packets.
- Packet classification feature 351 , packet transfer feature 352 , and pointer feature 353 can exist independently of and/or be external to intermediate driver agent 300 .
- driver engine 350 may exist as a more complex or less complex embodiment, containing some, all, or additional features to those represented in FIG. 3.
- intermediate driver agent 300 is part of a layered security driver.
- intermediate driver agent 300 can be an Advanced Networking Services (ANS) driver as part of a Bump In The Stack (BITS) or Bump In The Wire (BITW) layered security driver implementation.
- a Transmission Control Protocol/Internet Protocol (TCP/IP) stack may pass a data packet to an ANS driver, which then classifies the packet with its crypto information, and then passes the packet down the line for encryption and transmission.
- an NI device driver passes a received data packet to an ANS driver, which can then process the packet and/or pass it up to a TCP/IP stack.
- FIG. 4 is one embodiment of a block diagram of a base driver agent.
- Control logic 410 directs the flow of operation of base driver agent 400 .
- control logic 410 is a series of software instructions to perform logic operations.
- control logic 410 can be implemented by hardware control logic, or a combination of hardware-based control logic and software instructions.
- System interfaces 440 provide a communications interface between base driver agent 400 and an electronic system.
- base driver agent 400 can be part of a computer system and system interfaces 440 provide a communications interface between base driver agent 400 and the computer system via a system bus.
- control logic 410 can receive a series of instructions from application software external to base driver agent 400 .
- Base driver agent 400 is not limited to being local to an electronic system.
- system interfaces 440 may provide a communications interface between base driver agent 400 and an electronic system through a network.
- base driver agent 400 contains applications 420 to provide internal instructions to control logic 410 . Applications 420 are not necessary to the function of base driver agent 400 .
- Dereferencing feature 451 enables base driver agent 400 to utilize a pointer to acquire information referenced by the pointer. For example, dereferencing feature 451 enables base driver agent 400 to dereference a pointer to information in a table of crypto information passed by a higher layer driver agent to acquire the SA information necessary to direct processing of a data packet. In another example, dereferencing feature 451 enables base driver agent 400 to access the SA information necessary to populate a table of crypto information maintained by base driver agent 400 . In another example, dereferencing feature 451 enables base driver agent 400 to use a pointer passed by a higher layer to a memory location in a table of crypto information to acquire the information necessary to populate a cache on a network interface device. This enables population of the table and/or the cache to be performed independently of the OS in the electronic system. Dereferencing can be performed in any manner known in the art.
- Packet transfer feature 452 enables base driver agent 400 to transfer data packets to/from other system layers.
- an NI device associated with base driver agent 400 can receive a data packet which base driver agent 400 passes up to an intermediate driver agent.
- the NI device could be connected to the Internet and receive a data packet from a secure traffic stream that base driver agent 400 passes up to a higher layer of a security driver.
- a higher-level system layer such as an intermediate driver agent, can pass a data packet down to base driver agent 400 to be transmitted over a network.
- base driver agent 400 could be a NIC driver and an ANS driver could pass it a data packet to be transmitted over a secure traffic network stream.
- Populating feature 453 enables base driver agent 400 to populate a crypto information table with data. For example, if an NI device associated with base driver agent 400 was reset, causing the data in its crypto information table to be lost, populating feature 453 enables base driver agent 400 to restore the data in the table.
- the table could be a table of SAs maintained by base driver agent 400 , or optionally a cache of SAs on a NIC. The information in the table or tables that base driver agent 400 populates enables the NIC to perform hardware offload processing on data packets.
- Packet status feature 454 enables base driver agent 400 to indicate to system upper layers the status of the processing of a data packet.
- a packet may be from a non-secure source, and packet status feature 454 could indicate that the packet was processed without needing offload processing.
- packet status feature 454 may indicate that a packet was processed successfully in hardware.
- packet status feature 454 may indicate that a packet was processed, but that the packet failed authentication.
- packet status feature 454 may indicate that the crypto information needed to process the packet was missing.
- Dereferencing feature 451 , packet transfer feature 452 , populating feature 453 , and packet status feature 454 can exist independently of and/or be external to driver agent 400 .
- driver engine 450 may exist as a more complex or less complex embodiment, containing some, all, or additional features to those represented in FIG. 4.
- base driver agent 400 is part of a layered security driver.
- base driver agent 400 can be a NIC driver in a BITS/BITW layered security driver implementation.
- an ANS driver may pass a data packet down to the NIC driver, which then passes the packet to the NIC for transmission.
- a NIC driver directs how the NIC receives data packets, including directing hardware offload processing.
- FIG. 5 is one embodiment of a block diagram of a data packet.
- data packet 501 is embodied in traffic stream 500 .
- traffic stream 500 can be a secure traffic stream used by multiple networked electronic systems to communicate.
- traffic stream 500 may be a network traffic stream between two electronic systems using the IPsec encryption standard to transfer secure information over the Internet.
- data packet 501 consists of header 510 , cryptography information 520 , and data 530 .
- cryptography information 520 consists of network protocol 521 , security parameter index 522 , source identifier 523 , and destination identifier 524 .
- Network protocol 521 , security parameter index 522 , source identifier 523 , and destination identifier 524 can exist independently of and be external to cryptography information 520 .
- cryptography information may be more or less complex, consisting of some, all, or additional elements to those depicted in FIG. 5.
- cryptography information 520 is necessary for an electronic system to process data packet 501 .
- an electronic system receiving data packet 501 using IPsec will locate cryptography information 520 to authenticate the packet and determine how to decrypt data 530 .
- an electronic system transmitting data packet 501 using IPsec will use cryptography information 520 to encrypt the data prior to transmission.
- FIG. 6 is one embodiment of a flow diagram for transmission of a data packet from an electronic system implementing a layered security driver.
- Data packet 600 is generated by high level application process 610 and prepared for transmission.
- High level application process 610 can be, for example, a TCP/IP stack.
- Generation and preparation of data packet 600 can include, for example, creating bit patterns to represent a data communication, and bit patterns to represent security information necessary to perform crypto operations on data packet 600 .
- Data packet 600 is passed to intermediate driver agent 620 .
- Intermediate driver agent 620 can be, for example, an ANS driver as part of a BITS/BITW layered security driver implementation.
- intermediate driver agent 620 maintains SA table 621 , a table of SAs that contains all the information necessary to perform crypto operations on data packet 600 .
- FIG. 6 depicts data structures of crypto information as containing SAs.
- SA table 621 and SA table 631 are only example embodiments of data structures of crypto information, and are not limited to containing crypto information data structures that are SAs.
- Intermediate driver agent 620 provides memory management for SA table 621 , but SA table 621 does not necessarily reside in intermediate driver agent 620 .
- intermediate driver agent 620 includes packet classifier 622 , which associates data packet 600 with an SA for hardware offload processing.
- the SA corresponds to data in SA table 621 .
- a system TCP/IP stack may create a data packet to transmit as part of an IPsec traffic exchange.
- an ANS driver will associate it with an SA from an SA table in memory maintained by the ANS driver.
- Data packet 600 is passed to base driver agent 630 .
- Base driver agent 630 can be, for example, a NIC driver.
- intermediate driver agent 620 passes *SA info 632 with data packet 600 , *SA info 632 being a pointer to information in SA table 621 corresponding to the SA associated with data packet 600 .
- Pointer *SA info 632 is created by intermediate driver agent 620 .
- Base driver agent 630 accesses SA table 621 through *SA info 632 created by intermediate driver agent 620 . Creating and passing pointer *SA info 632 may be accomplished by any manner known in the art.
- a pointer is a reference to actual data, typically the address of a location in memory.
- a pointer can be created by any function for most data structures or data residing in fixed memory locations.
- a handle is a reference to actual data that is managed by an electronic system OS. The handle can be treated as another system resource, the OS preventing conflicting memory access by multiple functions. Thus, a handle differs from a pointer in that the handle is controlled by the OS, whereas a pointer can be created and controlled by any function. Because *SA info 632 is a pointer rather than a handle, base driver agent 630 can access the information in SA table 621 simply by dereferencing *SA info 632 .
- Base driver agent 630 also contains SA table 631 , which is a table of SAs that contains all the information necessary to perform crypto operations on data packet 600 .
- Base driver agent 630 provides memory management for SA table 631 , but SA table 631 does not necessarily reside in base driver agent 630 .
- base driver agent 630 uses pointer *SA info 632 to populate SA table 631 . For example, if the NI device associated with base driver agent 630 was reset, causing the information in SA table 631 to be lost, base driver agent 630 could use pointer *SA info 632 to acquire the specific SA information necessary to perform crypto operations on data packet 600 and repopulate the table with that information.
- Base driver agent 630 can also use *SA info 632 to acquire the SA information necessary to process data packet 600 . For example, if base driver agent 630 was reset, the information in SA table 631 would be lost, and the SA necessary to process data packet 600 could be acquired using *SA info 632 . In another example, if NI 640 was dynamically installed and was unable to acquire the correct SA state, base driver agent 630 could use *SA info 632 to acquire the SA information necessary to perform crypto operations.
- Data packet 600 is passed to NI 640 by base driver agent 630 .
- NI 640 has SA cache 641 that contains SA information.
- NI 640 processes data packet 600 with crypto information received from base driver agent 630 .
- NI 640 can then transmit data packet 600 over a network (not depicted in FIG. 6).
- a data packet can be transmitted over the Internet on a secure traffic stream using IPsec.
- FIG. 7 is one embodiment of a flow diagram for reception of a data packet by an electronic system implementing a layered security driver.
- Data packet 700 is received by NI 710 from a network (not depicted in FIG. 7).
- data packet 700 can be part of a secure network stream from the Internet using IPsec.
- NI 710 checks data packet 700 for its crypto information to determine how to perform crypto operations on data packet 700 , such as authentication or decryption. If the crypto information associated with data packet 700 is in SA cache 711 , NI 710 will extract crypto info 712 .
- FIG. 7 depicts data structures of crypto information as containing SAs.
- SA cache 711 , SA table 721 , and SA table 731 are only example embodiments of data structures of crypto information, and are not limited to containing crypto information data structures that are SAs.
- NI 710 uses crypto info 712 to perform hardware offload processing on data packet 700 prior to passing the received data packet 700 to base driver agent 720 .
- If the SA necessary for performing crypto operations is not in SA cache 711 , NI 710 passes data packet 700 to base driver agent 720 without processing the packet.
- Base driver agent 720 can be, for example, a NIC driver.
- base driver agent 720 contains SA table 721 , which is a table of SAs that contains all the information necessary to perform cryptography operations on data packet 700 .
- Base driver agent 720 provides memory management for SA table 721 , but SA table 721 does not necessarily reside in base driver agent 720 .
- base driver agent 720 checks SA table 721 for the SA associated with data packet 700 . If it is not found, it can, for example, create a message indicating that the SA for that secure traffic stream is missing.
- base driver agent 720 creates SA status 722 , which is status information about the processing of data packet 700 .
- SA status 722 indicates one of four predetermined messages regarding the processing of data packet 700 .
- SA status 722 may indicate that the packet was processed successfully without requiring hardware offloading.
- SA status 722 may indicate that the packet was processed successfully by hardware.
- SA status 722 may indicate that the packet was processed, but that the packet failed to pass authentication.
- SA status 722 may indicate that the packet could not be processed because there was a missing SA.
- Base driver agent 720 passes data packet 700 up to intermediate driver agent 730 .
- intermediate driver agent 730 contains packet classifier 732 .
- intermediate driver agent 730 contains SA table 731 .
- Packet classifier 732 checks data packet 700 for its SA information and matches it to a corresponding SA in SA table 731 .
- intermediate driver agent 730 uses the information in SA status 722 passed by base driver agent 720 to make decisions regarding the processing of data packet 700 . For example, if the message of SA status 722 is that the data packet was processed successfully, or that it was processed but failed to pass authentication, no more processing will be performed on data packet 700 , and it can be indicated by driver agent 730 to the upper layers.
- intermediate driver agent 730 directs the processing of data packet 700 .
- intermediate driver agent 730 may direct the processing of data packet 700 by software processing methods known in the art.
- intermediate driver agent 730 may direct the processing of data packet 700 by hardware processing methods known in the art.
- Intermediate driver agent 730 may also choose to add the SA for data packet 700 to SA table 721 and/or SA cache 711 so that future data packets using that SA can be processed with hardware.
- intermediate driver agent 730 indicates data packet 700 to system upper layers.
- intermediate driver agent 730 may be an ANS driver that is the top layer of a BITS/BITW security driver implementation.
- intermediate driver agent 730 may pass data packet 700 to a system upper layer as conventional in known BITS/BITW implementations.
- data packet 700 is passed to high level application process 740 .
- High level application process 740 can be, for example, a TCP/IP stack.
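The receive path above, written out as an added C model that is not code from the patent: the lower layer (NI 710 and base driver agent 720 with SA table 721) returns one of the four SA status 722 messages, and intermediate driver agent 730 decides what happens next using its own SA table 731. The names `sa_entry`, `sa_status`, `lower_receive` and `intermediate_receive`, the use of a zero SPI to mark non-secure traffic, and the tag-equals-key authentication stand-in are assumptions made for illustration; the patent only names the components and the four messages.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SA_TABLE_MAX 8

/* Security association keyed by the security parameter index carried in the
 * packet (FIG. 5). The key bytes are constructed sample material. */
struct sa_entry {
    uint32_t spi;
    uint8_t  auth_key[16];
    bool     in_use;
};

struct sa_table {
    struct sa_entry e[SA_TABLE_MAX];
};

/* The four predetermined messages of SA status 722. */
enum sa_status {
    SA_STATUS_NO_OFFLOAD_NEEDED,  /* processed successfully without hardware offload */
    SA_STATUS_HW_PROCESSED,       /* processed successfully by hardware */
    SA_STATUS_AUTH_FAILED,        /* processed, but failed authentication */
    SA_STATUS_MISSING_SA          /* not processed: SA missing from the lower layer */
};

/* Received packet; spi == 0 marks non-secure traffic in this model (assumption). */
struct rx_packet {
    uint32_t spi;
    uint8_t  auth_tag[16];
    bool     indicated_to_upper_layer;
    bool     processed_in_software;
};

static const struct sa_entry *sa_lookup(const struct sa_table *t, uint32_t spi)
{
    for (size_t i = 0; i < SA_TABLE_MAX; i++)
        if (t->e[i].in_use && t->e[i].spi == spi)
            return &t->e[i];
    return NULL;
}

/* Insert or replace the SA for sa->spi; false when the table is full. */
static bool sa_add(struct sa_table *t, const struct sa_entry *sa)
{
    for (size_t i = 0; i < SA_TABLE_MAX; i++) {
        if (!t->e[i].in_use || t->e[i].spi == sa->spi) {
            t->e[i] = *sa;
            t->e[i].in_use = true;
            return true;
        }
    }
    return false;
}

/* Stand-in for the authentication check done with the SA's key: the packet's
 * tag must equal the key. Real hardware would verify a MAC over the packet. */
static bool authenticate(const struct sa_entry *sa, const struct rx_packet *p)
{
    return memcmp(sa->auth_key, p->auth_tag, sizeof sa->auth_key) == 0;
}

/* NI 710 and base driver agent 720: process the packet with SA table 721 (SA
 * cache 711 is folded into the same lookup here), or report a missing SA. */
static enum sa_status lower_receive(const struct sa_table *table721,
                                    const struct rx_packet *p)
{
    const struct sa_entry *sa;

    if (p->spi == 0)
        return SA_STATUS_NO_OFFLOAD_NEEDED;
    sa = sa_lookup(table721, p->spi);
    if (sa == NULL)
        return SA_STATUS_MISSING_SA;
    return authenticate(sa, p) ? SA_STATUS_HW_PROCESSED : SA_STATUS_AUTH_FAILED;
}

/* Intermediate driver agent 730 acting on SA status 722. Success or an
 * authentication failure ends processing and the packet is indicated up. A
 * missing SA is resolved by packet classifier 732 against SA table 731: the
 * packet is processed in software and the SA is added to table 721 so that
 * later packets of the same stream can be offloaded to hardware. */
static enum sa_status intermediate_receive(const struct sa_table *table731,
                                           struct sa_table *table721,
                                           struct rx_packet *p,
                                           enum sa_status status722)
{
    const struct sa_entry *sa;

    if (status722 != SA_STATUS_MISSING_SA) {
        p->indicated_to_upper_layer = true;
        return status722;
    }
    sa = sa_lookup(table731, p->spi);
    if (sa == NULL)
        return SA_STATUS_MISSING_SA;      /* unknown stream: not indicated up */

    (void)sa_add(table721, sa);           /* best effort; table 721 may be full */
    p->processed_in_software = true;
    p->indicated_to_upper_layer = true;
    return authenticate(sa, p) ? SA_STATUS_NO_OFFLOAD_NEEDED : SA_STATUS_AUTH_FAILED;
}
```

Run two packets of the same stream through `lower_receive` and `intermediate_receive` in turn: the first comes back `SA_STATUS_MISSING_SA` and is handled in software, and because the SA was copied into table 721 the second is reported as `SA_STATUS_HW_PROCESSED` by the lower layer without any work in the intermediate driver.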
Abstract
Methods and apparatuses for synchronizing the exchange of cryptography information between kernel drivers. A high level application in an electronic system passes a pointer to a base driver. The pointer is a unique identifier for cryptography information, such as a Security Association (SA), that the base driver uses to populate a cryptography information table for performing cryptography operations on secure traffic data packets. If the network interface device and/or its associated driver are reset, the pointer is used to repopulate the cryptography information table with specific cryptography information needed to perform cryptography operations on the data packets.
Description
- The invention relates to processing of cryptography information. More specifically, the invention relates to techniques for passing security association information between kernel drivers.
- Data transferred over a network can be encrypted to protect its confidentiality and integrity. Because many different encryption methods are used, data packets contain an index into a table of structures containing cryptography (crypto) information necessary to indicate to the receiving system how to decrypt the data. The crypto information can be contained in a data structure called a security association (SA). Network interface devices in the transmitting and receiving systems perform crypto operations (e.g., encryption, decryption, authentication) on the data packets based on the crypto information in the SA.
- A device driver directs how the network interface devices will perform crypto operations. The device driver stores in system memory a table of crypto information necessary for the network interface devices to perform crypto operations on data packets. The information may also be stored in tables on the devices. These tables can include, for example, unique identifiers for the cryptography data structures, cryptography keys, source addresses, destination addresses, network protocol types, and other information related to crypto operations.
- One technique for populating a table of crypto information is for a high level application such as an operating system (OS) to control the process. With this technique, the high level application is responsible for maintaining consistency of the security state between the upper system layers (e.g., OS, high level applications) and the lower system layers (e.g., base drivers, hardware devices) that perform crypto operations. The high level application manages a unique handle that the driver creates for each data structure of crypto information which is passed to the intermediate security layer and/or base driver. All operations on data packets by the intermediate security layer driver and/or network interface device drivers and/or network interface devices reference crypto information with the handle. If, for some reason, the network interface device and/or its associated driver is reset, the data in the crypto information tables is lost and the handles must be discarded. The high level application is then responsible for passing the crypto information to the base driver again so that it can repopulate the crypto information tables.
- Some operating systems, for example, Windows® 2000 and Windows® XP, both available from Microsoft Corporation, guarantee that the crypto information tables are populated. Thus, if a network interface device and/or its associated device driver is reset, the operating system will pass the crypto information to the base drivers in order to allow the repopulation of the tables contained by the network interface device and/or its associated driver. One shortfall of such a technique is an inefficient use of resources because the entire table is repopulated, even though some of the information may not be used in the future. Another shortfall occurs with dynamic installation or removal of a network interface device; crypto information can be lost, or a device may be unable to acquire the proper security state. Another shortfall is that attempts to store crypto information in a network interface device and its associated driver during reset often fail, which requires repeated tries to store the information and/or results in failure to store the information.
- The invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like reference numerals refer to similar elements.
- FIG. 1 is one embodiment of a block diagram of an electronic system.
- FIG. 2 is one embodiment of a block diagram of an electronic system coupled to a network through a network interface.
- FIG. 3 is one embodiment of a block diagram of an intermediate driver agent.
- FIG. 4 is one embodiment of a block diagram of a base driver agent.
- FIG. 5 is one embodiment of a block diagram of a data packet.
- FIG. 6 is one embodiment of a flow diagram for transmission of a data packet from an electronic system implementing a layered security driver.
- FIG. 7 is one embodiment of a flow diagram for reception of a data packet by an electronic system implementing a layered security driver.
- Methods and apparatuses for passing cryptography information between kernel drivers are described. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block diagram form in order to avoid obscuring the invention.
- Reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrase “in one embodiment” appearing in various places throughout the specification are not necessarily all referring to the same embodiment. Likewise, the appearances of the phrase “in another embodiment,” or “in an alternate embodiment” appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
- Briefly, techniques for passing cryptography (crypto) information, such as Security Associations (SAs), necessary to perform crypto operations (e.g., encryption, decryption, authentication) on secure traffic data packets between kernel drivers are described. For example, a Security Association (SA) is a data structure of crypto information used in the Internet Protocol (IP) Security (IPsec) standard, IP Security Internet Engineering Task Force (IETF) Request for Comments (RFC) 2401, published November 1998, that is passed between layers of an electronic system implementing IPsec. A pointer to the crypto information is created and passed to a base driver. The base driver uses the pointer to populate a crypto information table to enable a network interface device to perform crypto operations on the data packets. In one embodiment, if the network interface device and/or its associated driver are reset, the pointer is used to repopulate the crypto information table as needed with the specific data structures of crypto information needed to perform crypto operations on the data packets.
- Security status information is indicated from a base driver to an intermediate driver. The intermediate driver uses the security status information to determine whether processing should be performed on the packet. In one embodiment, the security status information indicates that crypto information necessary to process a data packet was missing. In one embodiment, the intermediate driver then passes the missing crypto information to the base driver.
- FIG. 1 is one embodiment of an electronic system.
Electronic system 100 may be, for example, a computer, a Personal Digital Assistant (PDA), a set top box, or any other electronic system.System 100 includesbus 101 or other communication device to communicate information, andprocessor 102 coupled withbus 101 to process information and to execute instructions.System 100 further includesmemory 103, coupled tobus 101 to store information and instructions to be executed byprocessor 102.Memory 103 may also be used to store temporary variables or other intermediate information during execution of instructions byprocessor 102.Memory 103 may include random access memory (RAM), read-only memory (ROM), flash, or other static or dynamic storage media. -
User interfaces 104 are coupled tobus 101 too allow interaction with a user.User interfaces 104 can be, for example, input devices (e.g., mouse, keyboard, touchpad, etc.) and/or output devices (e.g., cathode ray tube (CRT) monitor, liquid crystal display (LCD), etc.).Mass storage 105 can be coupled tosystem 100 to provide instructions tomemory 103.Mass storage 105 can be, for example, a magnetic disk or optical disc and its corresponding drive, a memory card, or another device capable of storing machine-readable instructions.Network interfaces 106 can be coupled tobus 101 to enablesystem 100 to communicate with other electronic systems via a network. -
Driver agent 107 maybe coupled tosystem 100 to perform driver features in hardware.Driver agent 107 may be an Application Specific Integrated Circuit (ASIC), a special function controller or processor, a Field Programmable Gate Array (FPGA), or other hardware device to perform the functions of a driver.Driver agent 107 is not a necessary part ofsystem 100. In one embodiment,system 100 may contain a driver agent that provides system control overnetwork interfaces 106, for example, a Network Interface Card (NIC) driver controlling a NIC. -
Network interfaces 106 coupleselectronic system 100 to other electronic systems over a network. In one embodiment, non-secure traffic streams are transmitted and/or received bysystem 100 through network interfaces 106. Similarly, secure traffic streams can be transmitted and/or received bysystem 100 through network interfaces 106. Transmitting secure traffic streams requires that crypto operations be performed on data packets to authenticate and/or encrypt data before being transmitted. Receiving secure traffic streams requires that crypto operations be performed on data packets to authenticate and/or decrypt data after being received. The crypto operations can be performed by network interfaces 106. For example, a driver agent can direct network interfaces 106 decrypt a received data packet. The driver agent can bedriver agent 107 or a software driver agent incorporated from a series of machine-readable instructions stored withinmemory 103. - Instructions can be provided to
memory 103 from a storage device, such as magnetic disk, CD-ROM, DVD, via a remote connection (e.g., over a network), etc. In alternative embodiments, hard-wired circuitry can be used in place of or in combination with software instructions to enablesystem 100 to transfer crypto information from an intermediate driver agent to a base driver agent as described below. Thus, the electronic system depicted above is not limited to any specific combination of hardware circuitry and software structure. - Instructions can be provided to
memory 103 from a form of machine-accessible medium. A machine-accessible medium includes any mechanism that provides (i.e., stores and/or transmits) information in a form readable by a machine (e.g., a computer). For example, a machine-accessible medium includes read only memory (ROM); random access memory (RAM); magnetic disk storage media; optical storage media; flash memory devices; electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals); etc. - FIG. 2 is one embodiment of a block diagram of an electronic system coupled to a network through a network interface. In one embodiment, Network Interface (NI)210 is a communication interface that enables
system 200 to communicate to other electronic systems coupled tonetwork 220. For example,NI 210 can be a NIC. In one embodiment, data packets are received fromnetwork 220 intoNI 210. Similarly, data packets can be transmitted to network 220 fromNI 210. In one embodiment,cache 211 contains a table of crypto information necessary to perform crypto operations on the packets. For example,NI 210 can use data stored incache 211 to decrypt a packet after it receives the packet. -
Memory 103 contains operating system (OS) 231 which directs operations ofsystem 200. In one embodiment,OS 231 is the highest layer of control ofsystem 200.Intermediate driver agent 233 andbase driver agent 235 are lower layers of system control. In one embodiment,OS 231 delivers crypto information tointermediate driver agent 233. In another embodiment,applications 232 can contain agents of a higher layer of control thanintermediate driver agent 233 and deliver crypto information tointermediate driver agent 233.Applications 232 can also contain other programs (e.g., word processor(s), electronic mail (e-mail) programs). - Although referred to herein as delivering and/or passing crypto information between an intermediate driver agent and a base driver agent, delivering and/or passing crypto information as described can be practiced by other system layers. For example, an OS may deliver crypto information to a base driver agent. In another example, a base driver agent may pass information to a high level application. In general, system layers applications and/or system elements that control the flow of operations in an electronic system, from a low level layer, such as network hardware, to a high level layer, such as an OS.
- In one embodiment,
memory 103 contains security association tables 233 and 236, which are data structures of SAs.Memory 103 may contain other tables of crypto information like SA table 234 and SA table 236, which are examples of tables of crypto information.Memory 103 can also containintermediate driver agent 233 and/orbase driver agent 235. In one embodiment,intermediate driver agent 233 creates pointers to crypto information in SA table 234. In one embodiment,intermediate driver agent 233 creates handles for the crypto information data structures that are unique identifiers for the SAs. The pointers can be used to access the data structures of crypto information, including the unique identifiers.Intermediate driver agent 233 passes the pointers tobase driver agent 235. For example, a packet created for transmission by the upper system layers is passed byintermediate driver agent 233 tobase driver agent 235 with a pointer to the memory location of the SA associated with the data packet.Base driver agent 235 can then use the pointer access the crypto information in SA table 234. -
Base driver agent 235 maintains SA table 236 for directing the processing of secure traffic data streams. In one embodiment,base driver agent 235 uses the pointer to populate SA table 236. For example,base driver agent 235 uses the pointer to access SA table 234 to repopulate SA table 236 with SAs if the information in the table is lost. For example, the data in SA table 236 is lost ifNI 210 is reset. In one embodiment,base driver agent 235 uses the pointer to populatecache 211 if the data incache 211 is lost, such as ifNI 210 or its associated base driver agent is reset. - In one embodiment,
base driver agent 235 uses the pointer to obtain crypto information from SA table 234 if the data necessary to perform crypto operations on a data packet is missing from SA table 236. For example, an NI device may be dynamically added tosystem 200 whose base driver agent may be unable to acquire the proper security state. In another example, an NI device may be dynamically removed fromsystem 200. In another example, a base driver agent may be dynamically removed fromsystem 200. If the information necessary to process data packets from secure traffic streams is not found in SA table 236, the information can be obtained with the pointer. - In one embodiment,
base driver agent 235 uses the pointer associated with a packet to access crypto information necessary to perform crypto operations on data packets from SA table 234 if adding a data structure of crypto information to SA table 236 fails. For example, in an IPsec implementation, adding SAs during reset often fails. Tracking when a network interface device or its associated driver is ready to receive the data structures of crypto information is difficult. In prior art, if the data in SA table 236 is lost, missing, or unable to be added, the NI device will be unable to process data packets. - FIG. 3 is one embodiment of a block diagram of an intermediate driver agent.
Control logic 310 directs the flow of operation ofdriver agent 300. In one embodiment,control logic 310 is a series of software instructions to perform logic operations. In another embodiment,control logic 310 can be implemented by hardware control logic, or a combination of hardware-based control logic and software instructions. - System interfaces340 provide a communications interface between
intermediate driver agent 300 and an electronic system. For example,intermediate driver agent 300 can be part of a computer system and system interfaces 340 provide a communications interface betweenintermediate driver agent 300 and the computer system via a system bus. Thus,control logic 310 can receive a series of instructions from application software external tointermediate driver agent 300. -
Intermediate driver agent 300 is not limited to being local to an electronic system. For example, system interfaces 340 may provide a communications interface betweenintermediate driver agent 300 and an electronic system through a network. In one embodiment,intermediate driver agent 300 may containapplications 320 to provide internal instructions to controllogic 310.Applications 320 are not necessary to the function ofintermediate driver agent 300. -
Packet classification feature 351 enablesintermediate driver agent 300 to match a data packet with its corresponding crypto information from a table of crypto information so that the data packet can be processed correctly. For example,packet classification feature 351 can enableintermediate driver agent 300 to direct a base driver agent which SA to use to encrypt a data packet prior to transmission of the data packet. -
Packet transfer feature 352 enablesintermediate driver agent 300 to transfer data packets to/from other system layers. For example, intermediate driveragent driver agent 300 can pass a data packet to be transmitted to a base driver agent. In another example, a high-level system layer such as an OS can create a data packet for transmission and pass the packet down tointermediate driver agent 300. Similarly, a base driver agent can pass a packet of ingress data up tointermediate driver agent 300. -
Pointer feature 353 enablesdriver agent 300 to create a pointer to memory location of crypto information. For example,pointer feature 353 enablesintermediate driver agent 300 to create a pointer to the memory location of crypto information, such as data in an SA table. The pointer can be passed to a base driver agent and used to access a unique identifier for the crypto information stored with the information in a crypto information table. The base driver agent can then use the pointer to access crypto information necessary to perform crypto operations on data packets. -
Packet classification feature 351,packet transfer feature 352, andpointer feature 353 can exist independently of and/or be external tointermediate driver agent 300. Thus,driver engine 350 may exist as a more complex or less complex embodiment, containing some, all, or additional features to those represented in FIG. 3. In one embodiment,intermediate driver agent 300 is part of a layered security driver. For example,intermediate driver agent 300 can be an Advanced Networking Services (ANS) driver as part of a Bump In The Stack (BITS) or Bump In The Wire (BITW) layered security driver implementation. On transmit, a Transmission Control Protocol/Internet Protocol (TCP/IP) stack may pass a data packet to an ANS driver, which then classifies the packet with its crypto information, and then passes the packet down the line for encryption and transmission. On receive, an NI device driver passes a received data packet to an ANS driver, which can then process the packet and/or pass it up to a TCP/IP stack. - FIG. 4 is one embodiment of a block diagram of a base driver agent.
Control logic 410 directs the flow of operation ofbase driver agent 400. In one embodiment,control logic 410 is a series of software instructions to perform logic operations. In another embodiment,control logic 410 can be implemented by hardware control logic, or a combination of hardware-based control logic and software instructions. - System interfaces440 provide a communications interface between
base driver agent 400 and an electronic system. For example,base driver agent 400 can be part of a computer system and system interfaces 440 provide a communications interface betweenbase driver agent 400 and the computer system via a system bus. Thus,control logic 410 can receive a series of instructions from application software external tobase driver agent 400.Base driver agent 400 is not limited to being local to an electronic system. For example, system interfaces 440 may provide a communications interface betweenbase driver agent 400 and an electronic system through a network. In one embodiment,base driver agent 400 containsapplications 420 to provide internal instructions to controllogic 410.Applications 420 are not necessary to the function ofbase driver agent 400. -
Dereferencing feature 451 enablesbase driver agent 400 to utilize a pointer to acquire information referenced by the pointer. For example, dereferencingfeature 451 enablesbase driver agent 400 to dereference a pointer to information in a table of crypto information passed by a higher layer driver agent to acquire the SA information necessary to direct processing of a data packet. In another example, dereferencingfeature 451 enablesbase driver agent 400 to access the SA information necessary to populate a table of crypto information maintained bybase driver agent 400. In another example, dereferencingfeature 451 enablesbase driver agent 400 to use a pointer passed by a higher layer to a memory location in a table of crypto information to acquire the information necessary to populate a cache on a network interface device. This enables population of the table and/or the cache to be performed independently of the OS in the electronic system. Dereferencing can be performed in any manner known in the art. -
Packet transfer feature 452 enablesbase driver agent 400 to transfer data packets to/from other system layers. For example, an NI device associated withbase driver agent 400 can receive a data packet whichbase driver agent 400 passes up to an intermediate driver agent. The NI device could be connected to the Internet and receive a data packet from a secure traffic stream that basedriver agent 400 passes up to a higher layer of a security driver. In another example, a higher-level system layer, such as an intermediate driver agent, can pass a data packet down tobase driver agent 400 to be transmitted over a network. Thus,base driver agent 400 could be a NIC driver and an ANS driver could pass it a data packet to be transmitted over a secure traffic network stream. - Populating
feature 453 enablesbase driver agent 400 to populate a crypto information table with data. For example, if an NI device associated withbase driver agent 400 was reset, causing the data in its crypto information table to be lost, populatingfeature 453 enablesbase driver agent 400 to restore the data in the table. The table could be a table of SAs maintained bybase driver agent 400, or optionally a cache of SAs on a NIC. The information in the table or tables that basedriver agent 400 populates enables the NIC to perform hardware offload processing on data packets. -
Packet status feature 454 enablesbase driver agent 400 to indicate to system upper layers the status of the processing of a data packet. For example, a packet may be from a non-secure source, andpacket status feature 454 could indicate that the packet was processed without needing offload processing. In another example,packet status feature 454 may indicate that a packet was processed successfully in hardware. In another example,packet status feature 454 may indicate that a packet was processed, but that the packet failed authentication. In another example,packet status feature 454 may indicate that the crypto information needed to process the packet was missing. -
Dereferencing feature 451,packet transfer feature 452, populatingfeature 453, andpacket status feature 454 can exist independently of and/or be external todriver agent 400. Thus,driver engine 450 may exist as a more complex or less complex embodiment, containing some, all, or additional features to those represented in FIG. 4. In one embodiment,base driver agent 400 is part of a layered security driver. For example,base driver agent 400 can be a NIC driver in a BITS/BITW layered security driver implementation. On transmit, an ANS driver may pass a data packet down to the NIC driver, which then passes the packet to the NIC for transmission. On receive, a NIC driver directs how the NIC receives data packets, including directing hardware offload processing. - FIG. 5 is one embodiment of a block diagram of a data packet. In one embodiment,
data packet 501 is embodied intraffic stream 500. For example,traffic stream 500 can be a secure traffic stream used by multiple networked electronic systems to communicate. For example,traffic stream 500 may be a network traffic stream between two electronic systems using the IPsec encryption standard to transfer secure information over the Internet. - In one embodiment,
data packet 501 consists ofheader 510,cryptography information 520, anddata 530. In one embodiment,cryptography information 520 consists ofnetwork protocol 521,security parameter index 522,source identifier 523, anddestination identifier 524.Network protocol 521,security parameter index 522,source identifier 523, anddestination identifier 524 can exist independently of and be external tocryptography information 520. Thus, cryptography information may be more or less complex, consisting of some, all, or additional elements to those depicted in FIG. 5. - In one embodiment,
cryptography information 520 is necessary for an electronic system to processdata packet 501. For example, an electronic system receivingdata packet 501 using IPsec will locatecryptography information 520 to authenticate the packet and determine how to decryptdata 530. Similarly, an electronic system transmittingdata packet 501 using IPsec will usecryptography information 520 to encrypt the data prior to transmission. - FIG. 6 is one embodiment of a flow diagram for transmission of a data packet from an electronic system implementing a layered security driver.
Data packet 600 is generated by highlevel application process 610 and prepared for transmission. For example, high level application process can be a TCP/IP stack. Generation and preparation ofdata packet 600 can include, for example, creating bit patterns to represent a data communication, and bit patterns to represent security information necessary to perform crypto operations ondata packet 600. -
Data packet 600 is passed tointermediate driver agent 620.Intermediate driver agent 620 can be, for example, an ANS driver as part of a BITS/BITW layered security driver implementation. In one embodiment,intermediate driver agent 620 maintains SA table 621, which is a table of SAs that contains all the information necessary to perform crypto operations ondata packet 600. Although FIG. 6 depicts data structures of crypto information as containing SAs, SA table 621 and SA table 631 are only example embodiments of data structures of crypto information, and are not limited to containing crypto information data structures that are SAs. -
Intermediate driver agent 620 provides memory management for SA table 621, but SA table 621 does not necessarily reside inintermediate driver agent 620. In one embodiment,intermediate driver agent 620 includespacket classifier 622, which associatesdata packet 600 with an SA for hardware offload processing. The SA corresponds to data in SA table 621. For example, a system TCP/IP stack may create a data packet to transmit as part of an IPsec traffic exchange. When the packet is passed to a BITS/BITW security driver, an ANS driver will associate it with an SA from an SA table in memory maintained by the ANS driver. -
Data packet 600 is passed to base driver agent 630. Base driver agent 630 can be, for example, a NIC driver. In one embodiment, intermediate driver agent 620 passes *SA info 632 with data packet 600, *SA info 632 being a pointer to the information in SA table 621 corresponding to the SA associated with data packet 600. Pointer *SA info 632 is created by intermediate driver agent 620, and base driver agent 630 accesses SA table 621 through it. Creating and passing pointer *SA info 632 may be accomplished in any manner known in the art.
A pointer is a reference to actual data, typically the address of a location in memory. A pointer can be created by any function for most data structures or for data residing in fixed memory locations. A handle is a reference to actual data that is managed by the OS of an electronic system. The handle can be treated as another system resource, with the OS preventing conflicting memory access by multiple functions. Thus, a handle differs from a pointer in that the handle is controlled by the OS, whereas a pointer can be created and controlled by any function. Because *SA info 632 is a pointer rather than a handle, base driver agent 630 can access the information in SA table 621 simply by dereferencing *SA info 632; the flip side is that nothing but intermediate driver agent 620, which manages the memory of SA table 621, keeps the referenced entry valid for as long as base driver agent 630 holds the pointer.
Base driver agent 630 also contains SA table 631, which is a table of SAs that contain all the information necessary to perform crypto operations on data packet 600. Base driver agent 630 provides memory management for SA table 631, but SA table 631 does not necessarily reside in base driver agent 630. In one embodiment, base driver agent 630 uses pointer *SA info 632 to populate SA table 631. For example, if the NI device associated with base driver agent 630 was reset, causing the information in SA table 631 to be lost, base driver agent 630 could dereference *SA info 632 to acquire the specific SA information necessary to perform crypto operations on data packet 600 and repopulate the table with that information. Likewise, if base driver agent 630 itself was reset, the information in SA table 631 would be lost, and the SA necessary to process data packet 600 could be acquired using *SA info 632. In another example, if NI 640 was dynamically installed and was unable to acquire the correct SA state, base driver agent 630 could use *SA info 632 to acquire the SA information necessary to perform crypto operations.
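As an added example (not code from the patent or from any shipping driver), the transmit path above in plain C: the intermediate driver owns the SA table, attaches a pointer to the matching entry to each outgoing packet, and the base driver copies only the entry it needs when its own table misses, which is what makes repopulation after a reset lazy. The driver, packet and table names, the field set, the table size of 8 and the sample SPIs and key are all assumptions made for the example.

```c
/* Added example, not code from the patent or from any shipping driver:
 * a plain C model of the FIG. 6 transmit path. The intermediate driver owns
 * the SA table and attaches a pointer to one entry to each packet; the base
 * driver keeps its own table and fills it from that pointer only on a miss,
 * so a NIC reset that wipes the base table is repaired one SA at a time.
 * All names, fields, sizes and sample values are assumptions for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SA_TABLE_SIZE 8

/* One security association, with the kinds of fields claim 4 lists. */
struct sa_info {
    uint32_t spi;          /* security parameter index */
    uint8_t  proto;        /* 50 = ESP, 51 = AH */
    uint32_t src, dst;     /* endpoint identifiers (IPv4 as integers) */
    uint8_t  key[16];      /* key material */
    int      in_use;
};

struct intermediate_driver { struct sa_info table[SA_TABLE_SIZE]; };  /* owns SA table 621 */
struct base_driver {                                                    /* owns SA table 631 */
    struct sa_info table[SA_TABLE_SIZE];
    unsigned fills_from_pointer;   /* how often table 631 had to be filled via *SA info */
};
struct tx_packet {
    uint32_t spi;
    const struct sa_info *sa;      /* *SA info 632: points into table 621, set by the classifier */
};

/* Intermediate driver: install an SA; the returned pointer is what travels with packets. */
const struct sa_info *intermediate_add_sa(struct intermediate_driver *d, uint32_t spi, uint8_t proto,
                                          uint32_t src, uint32_t dst, const uint8_t key[16])
{
    for (size_t i = 0; i < SA_TABLE_SIZE; i++) {
        struct sa_info *e = &d->table[i];
        if (e->in_use) continue;
        e->spi = spi; e->proto = proto; e->src = src; e->dst = dst;
        memcpy(e->key, key, 16);
        e->in_use = 1;
        return e;
    }
    return NULL;   /* table 621 full */
}

/* Packet classifier 622: associate the packet with its SA by SPI. Returns 1 on a match. */
int classify_tx(struct intermediate_driver *d, struct tx_packet *pkt)
{
    for (size_t i = 0; i < SA_TABLE_SIZE; i++)
        if (d->table[i].in_use && d->table[i].spi == pkt->spi) { pkt->sa = &d->table[i]; return 1; }
    pkt->sa = NULL;
    return 0;
}

/* Base driver: transmit using table 631; on a miss, dereference the pointer from the
 * intermediate driver and copy just this SA into table 631. Returns 0 on success. */
int base_transmit(struct base_driver *b, const struct tx_packet *pkt)
{
    struct sa_info *sa = NULL, *slot = NULL;
    for (size_t i = 0; i < SA_TABLE_SIZE; i++) {
        if (b->table[i].in_use && b->table[i].spi == pkt->spi) { sa = &b->table[i]; break; }
        if (!b->table[i].in_use && !slot) slot = &b->table[i];
    }
    if (!sa) {
        if (!pkt->sa || !slot) return -1;   /* no SA attached, or table 631 full */
        *slot = *pkt->sa;                   /* lazy repopulation of exactly one entry */
        sa = slot;
        b->fills_from_pointer++;
    }
    (void)sa;   /* the NIC would now encrypt/authenticate with sa->key and send the frame */
    return 0;
}

/* A NIC reset loses SA table 631; SA table 621 in the intermediate driver survives. */
void base_reset(struct base_driver *b) { memset(b->table, 0, sizeof b->table); }

size_t base_populated(const struct base_driver *b)
{
    size_t n = 0;
    for (size_t i = 0; i < SA_TABLE_SIZE; i++) n += b->table[i].in_use != 0;
    return n;
}

/* The scenario from the text: three SAs known to the intermediate driver, one stream
 * transmitting, a NIC reset, then the same stream again. Returns how many SAs sit in
 * table 631 afterwards: 1, because only the SA in use was fetched through the pointer. */
int demo_lazy_repopulation(void)
{
    static const uint8_t key[16] = { 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };   /* constructed */
    struct intermediate_driver id; struct base_driver bd;
    memset(&id, 0, sizeof id); memset(&bd, 0, sizeof bd);
    intermediate_add_sa(&id, 0x1000, 50, 0x0a000001, 0x0a000002, key);
    intermediate_add_sa(&id, 0x1001, 50, 0x0a000001, 0x0a000003, key);
    intermediate_add_sa(&id, 0x1002, 51, 0x0a000001, 0x0a000004, key);
    struct tx_packet pkt = { .spi = 0x1001, .sa = NULL };
    if (!classify_tx(&id, &pkt) || base_transmit(&bd, &pkt) != 0) return -1;
    base_reset(&bd);                                  /* table 631 wiped */
    if (base_transmit(&bd, &pkt) != 0) return -2;    /* refilled from *SA info */
    return (int)base_populated(&bd);
}
```

The point of `base_transmit` is the miss path: it never asks for the whole of table 621, only for the entry the packet already carries a pointer to, which is the behaviour the following paragraph contrasts with repopulating the entire cache.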
Data packet 600 is passed to NI 640 by base driver agent 630. In one embodiment, NI 640 has SA cache 641 that contains SA information. In one embodiment, NI 640 processes data packet 600 with crypto information received from base driver agent 630. NI 640 can then transmit data packet 600 over a network (not depicted in FIG. 6). For example, a data packet can be transmitted over the Internet on a secure traffic stream using IPsec. Some operating systems, for example, Windows® 2000 and Windows® XP, both available from Microsoft Corporation, guarantee that the SA tables are populated. This means that if SA table 631 loses its data, to maintain consistency with SA table 621 and the OS, the entire cache must be repopulated with data guaranteed by the OS to be in the tables, whether or not the data will be used in the future to perform crypto operations. One advantage of intermediate driver agent 620 passing a pointer to base driver agent 630 is that if SA table 631 loses its data, the table can be repopulated as SAs are needed.
FIG. 7 is one embodiment of a flow diagram for reception of a data packet by an electronic system implementing a layered security driver.
Data packet 700 is received by NI 710 from a network (not depicted in FIG. 7). For example, data packet 700 can be part of a secure network stream from the Internet using IPsec. In one embodiment, NI 710 checks data packet 700 for its crypto information to determine how to perform crypto operations on data packet 700, such as authentication or decryption. If the crypto information associated with data packet 700 is in SA cache 711, NI 710 will extract crypto info 712. Although FIG. 7 depicts data structures of crypto information as containing SAs, SA cache 711, SA table 721, and SA table 731 are only example embodiments of data structures of crypto information, and are not limited to containing crypto information data structures that are SAs. In one embodiment, NI 710 uses crypto info 712 to perform hardware offload processing on data packet 700 prior to passing the received data packet 700 to base driver agent 720. In another embodiment, the SA necessary for performing crypto operations is not in cache 711, and NI 710 passes data packet 700 to base driver agent 720 without processing the packet.
Base driver agent 720 can be, for example, a NIC driver. In one embodiment, base driver agent 720 contains SA table 721, which is a table of SAs that contain all the information necessary to perform cryptography operations on data packet 700. Base driver agent 720 provides memory management for SA table 721, but SA table 721 does not necessarily reside in base driver agent 720. In one embodiment, base driver agent 720 checks SA table 721 for the SA associated with data packet 700. If it is not found, it can, for example, create a message indicating that the SA for that secure traffic stream is missing.
In one embodiment, base driver agent 720 creates SA status 722, which is status information about the processing of data packet 700. In one embodiment, SA status 722 indicates one of four predetermined messages regarding the processing of data packet 700. For example, SA status 722 may indicate that the packet was processed successfully without requiring hardware offloading. In another example, SA status 722 may indicate that the packet was processed successfully by hardware. In another example, SA status 722 may indicate that the packet was processed, but that the packet failed to pass authentication. In another example, SA status 722 may indicate that the packet could not be processed because there was a missing SA.
Base driver agent 720 passes data packet 700 up to intermediate driver agent 730. In one embodiment, intermediate driver agent 730 contains packet classifier 732. In one embodiment, intermediate driver agent 730 contains SA table 731. Packet classifier 732 checks data packet 700 for its SA information and matches it to a corresponding SA in SA table 731. In one embodiment, intermediate driver agent 730 uses the information in SA status 722 passed by base driver agent 720 to make decisions regarding the processing of data packet 700. For example, if the message of SA status 722 is that the data packet was processed successfully, or that it was processed but failed to pass authentication, no more processing will be performed on data packet 700, and it can be indicated by intermediate driver agent 730 to the upper layers.
In another example, if the message of SA status 722 is that the data packet could not be processed because the SA was missing, intermediate driver agent 730 directs the processing of data packet 700. For example, intermediate driver agent 730 may direct the processing of data packet 700 by software processing methods known in the art. In another example, intermediate driver agent 730 may direct the processing of data packet 700 by hardware processing methods known in the art. Intermediate driver agent 730 may also choose to add the SA for data packet 700 to SA table 721 and/or SA cache 711 so that future data packets using that SA can be processed with hardware.
In one embodiment, intermediate driver agent 730 indicates data packet 700 to system upper layers. For example, intermediate driver agent 730 may be an ANS driver that is the top layer of a BITS/BITW security driver implementation. Thus, intermediate driver agent 730 may pass data packet 700 to a system upper layer as is conventional in known BITS/BITW implementations. In one embodiment, data packet 700 is passed to high level application process 740. High level application process 740 can be, for example, a TCP/IP stack.
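As an added example (not code from the patent or from any shipping driver), the receive path of FIG. 7 in plain C: the base driver stamps each packet with one of the four SA status messages, and the intermediate driver acts on that status, passing finished packets up unchanged and, on a missing SA, processing the packet itself and pushing the SA down so the next packet on the same stream is offloaded. The "authentication" is a toy keyed checksum standing in for a real ICV, and the names, field set, table size and sample SPIs and keys are assumptions made for the example.

```c
/* Added example, not code from the patent or from any shipping driver:
 * a plain C model of the FIG. 7 receive path. The base driver attaches one of
 * the four SA status values described above to each packet; the intermediate
 * driver uses that status to decide whether the packet is finished, and on a
 * missing SA processes the packet itself and pushes the SA down so the next
 * packet on that stream is offloaded. The "authentication" is a toy keyed
 * checksum standing in for a real ICV; names, fields and sample values are
 * assumptions for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TABLE_SIZE 8

enum sa_status {                /* the four predetermined messages carried in SA status 722 */
    SA_STATUS_OK_SOFTWARE = 0,  /* processed successfully without hardware offload */
    SA_STATUS_OK_HARDWARE,      /* processed successfully by the NIC */
    SA_STATUS_AUTH_FAILED,      /* processed, but failed authentication */
    SA_STATUS_MISSING_SA        /* could not be processed: no SA for this stream */
};

struct sa_info { uint32_t spi; uint8_t key; int in_use; };
struct sa_table { struct sa_info sa[TABLE_SIZE]; };

struct rx_packet {
    uint32_t payload_spi_unused;   /* placeholder removed below */
};
```

Usage is at the bottom of the block: `receive_path()` runs one packet through NI/base driver and then the intermediate driver, and `make_packet()` builds constructed input with a valid or deliberately corrupted ICV.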
Claims (44)
1. A method comprising:
associating cryptography information with a data packet to be used to perform cryptography operations on the data packet;
storing the cryptography information in memory;
generating a pointer to a memory location for the cryptography information;
passing the pointer to the cryptography information from a first system layer to a second system layer;
accessing the cryptography information not stored in the second system layer using the pointer;
performing cryptography operations on the data packet; and
transmitting the data packet.
2. The method of claim 1 wherein the first system layer comprises an intermediate driver agent.
3. The method of claim 1 wherein the second system layer comprises a base driver agent.
4. The method of claim 1 wherein the cryptography information comprises one or more of: a unique identifier, a network protocol associated with the data packet, a security parameter index, cryptographic keys, a source identifier, and a destination identifier.
5. The method of claim 1 wherein the cryptography information comprises a security association.
6. The method of claim 1 wherein the pointer is used to cache the cryptography information on network hardware.
7. The method of claim 1 wherein accessing the cryptography information not stored in the second system layer is performed by the second system layer to populate a cryptography information table.
8. The method of claim 7 wherein the population of the cryptography information table is performed when cryptography information for the data packet is needed for network hardware to perform cryptography operations on the data packet.
9. A method comprising:
receiving a data packet;
associating cryptography information with the data packet, the cryptography information to be used to perform cryptography operations on the data packet;
generating a message indicating that the cryptography information necessary to perform cryptography operations on the data packet is not stored in a cryptography information table; and
passing the message from a first system layer to a second system layer.
10. The method of claim 9 wherein the first system layer comprises a base driver agent.
11. The method of claim 9 wherein the second system layer comprises an intermediate driver agent.
12. The method of claim 9 wherein the cryptography information comprises one or more of: a unique identifier, a network protocol associated with the data packet, a security parameter index, cryptographic keys, a source identifier, and a destination identifier.
13. The method of claim 9 wherein the cryptography information comprises a security association.
14. The method of claim 9 further comprising the second system layer passing cryptography information to the first system layer to populate the cryptography information table.
15. The method of claim 14 wherein the second system layer passing cryptography information to populate the cryptography information table occurs only as the cryptography information is needed to perform cryptography operations on a data packet.
16. The method of claim 9 wherein passing the message causes the second system layer to determine which of multiple methods of data packet processing should be used to process the data packet.
17. An article comprising a machine-accessible medium to provide machine-readable instructions that, when executed, cause one or more electronic systems to:
associate cryptography information with a data packet to be used to perform cryptography operations on the data packet;
store the cryptography information in memory;
generate a pointer to a memory location for the cryptography information;
pass the pointer to the cryptography information from a first system layer to a second system layer;
access the cryptography information not stored in the second system layer using the pointer;
perform cryptography operations on the data packet; and
transmit the data packet.
18. The article of claim 17 wherein the pointer is used to cache the cryptography information on network hardware.
19. The article of claim 17 wherein accessing the cryptography information not stored in the second system layer is performed by the second system layer to populate a cryptography information table.
20. The article of claim 19 wherein the population of the cryptography information table is performed when cryptography information for the data packet is needed for network hardware to perform cryptography operations on the data packet.
21. An article comprising a machine-accessible medium to provide machine-readable instructions that, when executed, cause one or more electronic systems to:
receive a data packet;
associate cryptography information with the data packet, the cryptography information to be used to perform cryptography operations on the data packet;
generate a message indicating that the cryptography information necessary to perform cryptography operations on the data packet is not stored in a cryptography information table; and
pass the message from a first system layer to a second system layer.
22. The article of claim 21 further comprising the second system layer passing cryptography information to the first system layer to populate the cryptography information table.
23. The article of claim 22 wherein the second system layer passing cryptography information to populate the cryptography information table occurs only as the cryptography information is needed to perform cryptography operation on the data packet.
24. The article of claim 21 wherein passing the message causes the second system layer to determine which of multiple methods of data packet processing should be used to process the data packet.
25. An electronic data signal embodied in a data communications medium shared among a plurality of network devices comprising sequences of instructions that, when executed, cause one or more electronic systems to:
associate cryptography information with a data packet to be used to perform cryptography operations on the data packet;
store the cryptography information in memory;
generate a pointer to a memory location for the cryptography information;
pass the pointer to the cryptography information from a first system layer to a second system layer;
access the cryptography information not stored in the second system layer using the pointer;
perform cryptography operations on the data packet; and
transmit the data packet.
26. The electronic data signal of claim 25 wherein the pointer is used to cache the cryptography information on network hardware.
27. The electronic data signal of claim 25 wherein accessing the cryptography information not stored in the second driver agent is performed by the second system layer to populate a cryptography information table.
28. The electronic data signal of claim 27 wherein the population of the cryptography information table is performed when cryptography information for the data packet is needed for network hardware to perform cryptography operations on the data packet.
29. An electronic data signal embodied in a data communications medium shared among a plurality of network devices comprising sequences of instructions that, when executed, cause one or more electronic systems to:
receive a data packet;
associate cryptography information with the data packet, the cryptography information to be used to perform cryptography operations on the data packet;
generate a message indicating that the cryptography information necessary to perform cryptography operations on the data packet is not stored in a cryptography information table; and
pass the message from a first system layer to a second system layer.
30. The electronic data signal of claim 29 further comprising the second system layer passing cryptography information to the first system layer to populate the cryptography information table.
31. The electronic data signal of claim 30 wherein the second system layer passing cryptography information to populate the cryptography information table occurs only as the cryptography information is needed to perform cryptography operations on a data packet.
32. The electronic data signal of claim 29 wherein passing the message causes the second system layer to determine which of multiple methods of data packet processing should be used to process the data packet.
33. An apparatus comprising a first system layer coupled to a second system layer, the first system layer to store cryptography information in memory, and to generate and to pass to the second system layer a pointer to cryptography information stored in memory, the cryptography information necessary to perform cryptography operations on a data packet, the second system layer to access the cryptography information not stored in the second system layer using the pointer.
34. The apparatus of claim 33 wherein the first system layer comprises an intermediate driver agent.
35. The apparatus of claim 33 wherein the second system layer comprises a base driver agent.
36. The apparatus of claim 33 wherein the pointer is used to cache the cryptography information on network hardware.
37. The apparatus of claim 33 wherein accessing the cryptography information not stored in the second system layer is performed by the second system layer to populate a cryptography information table.
38. The apparatus of claim 37 wherein the population of the cryptography information table is performed when cryptography information for the data packet is needed for network hardware to perform cryptography operations on the data packet.
39. An apparatus comprising a first system layer coupled to a second system layer, the first system layer to generate a message indicating that cryptography information necessary to perform cryptography operations on a data packet is not stored in a cryptography information table, and to pass to the second system layer the message.
40. The apparatus of claim 39 wherein the first system layer comprises a base driver agent.
41. The apparatus of claim 39 wherein the second system layer comprises an intermediate driver agent.
42. The apparatus of claim 39 further comprising the second system layer passing cryptography information to the first system layer to populate the cryptography information table.
43. The apparatus of claim 42 wherein the second system layer passing cryptography information to populate the cryptography information table occurs only as the cryptography information is needed to perform cryptography operations on the data packet.
44. The apparatus of claim 39 wherein passing the message causes the second system layer to determine which of multiple methods of data packet processing should be used to process the data packet.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/895,061 US20030005279A1 (en) | 2001-06-29 | 2001-06-29 | Synchronizing the exchange of cryptography information between kernel drivers |
US11/413,394 US7697694B2 (en) | 2001-06-29 | 2006-04-28 | Synchronizing the exchange of cryptography information between kernel drivers |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/895,061 US20030005279A1 (en) | 2001-06-29 | 2001-06-29 | Synchronizing the exchange of cryptography information between kernel drivers |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/413,394 Division US7697694B2 (en) | 2001-06-29 | 2006-04-28 | Synchronizing the exchange of cryptography information between kernel drivers |
Publications (1)
Publication Number | Publication Date |
---|---|
US20030005279A1 true US20030005279A1 (en) | 2003-01-02 |
Family
ID=25403896
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/895,061 Abandoned US20030005279A1 (en) | 2001-06-29 | 2001-06-29 | Synchronizing the exchange of cryptography information between kernel drivers |
US11/413,394 Expired - Fee Related US7697694B2 (en) | 2001-06-29 | 2006-04-28 | Synchronizing the exchange of cryptography information between kernel drivers |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/413,394 Expired - Fee Related US7697694B2 (en) | 2001-06-29 | 2006-04-28 | Synchronizing the exchange of cryptography information between kernel drivers |
Country Status (1)
Country | Link |
---|---|
US (2) | US20030005279A1 (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030046585A1 (en) * | 2001-09-06 | 2003-03-06 | Linden Minnick | Techniques for offloading cryptographic processing for multiple network traffic streams |
US20040059911A1 (en) * | 2002-07-19 | 2004-03-25 | Matsushita Electric Industrial Co., Ltd. | Transmission apparatus and receiving apparatus |
US20040103278A1 (en) * | 2002-11-27 | 2004-05-27 | Microsoft Corporation | Native wi-fi architecture for 802.11 networks |
US20050080923A1 (en) * | 2003-09-10 | 2005-04-14 | Uri Elzur | System and method for load balancing and fail over |
US20050120141A1 (en) * | 2003-09-10 | 2005-06-02 | Zur Uri E. | Unified infrastructure over ethernet |
US20060095793A1 (en) * | 2004-10-08 | 2006-05-04 | International Business Machines Corporation | Secure memory control parameters in table look aside buffer data fields and support memory array |
US20060123474A1 (en) * | 2004-11-12 | 2006-06-08 | Sony Deutschland Gmbh | Method for data transfer in a network |
US20080086760A1 (en) * | 2006-10-05 | 2008-04-10 | Microsoft Corporation | Extensible network discovery |
US20090080656A1 (en) * | 2007-09-24 | 2009-03-26 | International Business Machine Corporation | Methods and computer program products for performing cryptographic provider failover |
US7562213B1 (en) * | 2003-09-16 | 2009-07-14 | Cisco Technology, Inc. | Approaches for applying service policies to encrypted packets |
US20170195963A1 (en) * | 2002-05-01 | 2017-07-06 | Interdigital Technology Corporation | Method and system for optimizing power resources in wireless devices |
US10356718B2 (en) | 2002-05-06 | 2019-07-16 | Interdigital Technology Corporation | Synchronization for extending battery life |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4964683B2 (en) * | 2007-06-18 | 2012-07-04 | 株式会社リコー | Communication apparatus and program |
WO2018213239A1 (en) | 2017-05-15 | 2018-11-22 | Polyport, Inc. | Stacked encryption |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6785811B1 (en) * | 2000-03-23 | 2004-08-31 | International Business Machines Corporation | Methods, systems and computer program products for providing multiple cryptographic functions to applications using a common library |
- 2001-06-29: US US09/895,061 patent/US20030005279A1/en not_active Abandoned
- 2006-04-28: US US11/413,394 patent/US7697694B2/en not_active Expired - Fee Related
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6785811B1 (en) * | 2000-03-23 | 2004-08-31 | International Business Machines Corporation | Methods, systems and computer program products for providing multiple cryptographic functions to applications using a common library |
Cited By (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7370352B2 (en) * | 2001-09-06 | 2008-05-06 | Intel Corporation | Techniques for storing and retrieving security information corresponding to cryptographic operations to support cryptographic processing for multiple network traffic streams |
US20030046585A1 (en) * | 2001-09-06 | 2003-03-06 | Linden Minnick | Techniques for offloading cryptographic processing for multiple network traffic streams |
US20170195963A1 (en) * | 2002-05-01 | 2017-07-06 | Interdigital Technology Corporation | Method and system for optimizing power resources in wireless devices |
US10117182B2 (en) * | 2002-05-01 | 2018-10-30 | Interdigital Technology Corporation | Communicating control messages that indicate frequency resource information to receive data |
US10813048B2 (en) | 2002-05-06 | 2020-10-20 | Interdigital Technology Corporation | Synchronization for extending battery life |
US10356718B2 (en) | 2002-05-06 | 2019-07-16 | Interdigital Technology Corporation | Synchronization for extending battery life |
US7397921B2 (en) * | 2002-07-19 | 2008-07-08 | Matsushita Electric Industrial Co., Ltd. | Receiving apparatus |
US20040059911A1 (en) * | 2002-07-19 | 2004-03-25 | Matsushita Electric Industrial Co., Ltd. | Transmission apparatus and receiving apparatus |
US7698550B2 (en) * | 2002-11-27 | 2010-04-13 | Microsoft Corporation | Native wi-fi architecture for 802.11 networks |
US20070118742A1 (en) * | 2002-11-27 | 2007-05-24 | Microsoft Corporation | Native WI-FI architecture for 802.11 networks |
US9265088B2 (en) | 2002-11-27 | 2016-02-16 | Microsoft Technology Licensing, Llc | Native Wi-Fi architecture for 802.11 networks |
US20040103278A1 (en) * | 2002-11-27 | 2004-05-27 | Microsoft Corporation | Native wi-fi architecture for 802.11 networks |
US8327135B2 (en) | 2002-11-27 | 2012-12-04 | Microsoft Corporation | Native WI-FI architecture for 802.11 networks |
US8417834B2 (en) * | 2003-09-10 | 2013-04-09 | Broadcom Corporation | Unified infrastructure over ethernet |
US20130223451A1 (en) * | 2003-09-10 | 2013-08-29 | Broadcom Corporation | Unified infrastructure over ethernet |
US20050080923A1 (en) * | 2003-09-10 | 2005-04-14 | Uri Elzur | System and method for load balancing and fail over |
US20050120141A1 (en) * | 2003-09-10 | 2005-06-02 | Zur Uri E. | Unified infrastructure over ethernet |
US9219683B2 (en) * | 2003-09-10 | 2015-12-22 | Broadcom Corporation | Unified infrastructure over ethernet |
US8285881B2 (en) | 2003-09-10 | 2012-10-09 | Broadcom Corporation | System and method for load balancing and fail over |
US7562213B1 (en) * | 2003-09-16 | 2009-07-14 | Cisco Technology, Inc. | Approaches for applying service policies to encrypted packets |
US8954751B2 (en) * | 2004-10-08 | 2015-02-10 | International Business Machines Corporation | Secure memory control parameters in table look aside buffer data fields and support memory array |
US9141558B2 (en) | 2004-10-08 | 2015-09-22 | International Business Machines Corporation | Secure memory control parameters in table look aside buffer data fields and support memory array |
US20060095793A1 (en) * | 2004-10-08 | 2006-05-04 | International Business Machines Corporation | Secure memory control parameters in table look aside buffer data fields and support memory array |
US8413224B2 (en) * | 2004-11-12 | 2013-04-02 | Sony Deutschland Gmbh | Method for data transfer in a network |
US7840798B2 (en) * | 2004-11-12 | 2010-11-23 | Sony Deutschland Gmbh | Method for data transfer in a network |
US20060123474A1 (en) * | 2004-11-12 | 2006-06-08 | Sony Deutschland Gmbh | Method for data transfer in a network |
US20110010753A1 (en) * | 2004-11-12 | 2011-01-13 | Sony Deutschland Gmbh | Method for data transfer in a network |
US8245284B2 (en) | 2006-10-05 | 2012-08-14 | Microsoft Corporation | Extensible network discovery |
US20080086760A1 (en) * | 2006-10-05 | 2008-04-10 | Microsoft Corporation | Extensible network discovery |
US20090080656A1 (en) * | 2007-09-24 | 2009-03-26 | International Business Machine Corporation | Methods and computer program products for performing cryptographic provider failover |
US8086843B2 (en) * | 2007-09-24 | 2011-12-27 | International Business Machines Corporation | Performing cryptographic provider failover |
Also Published As
Publication number | Publication date |
---|---|
US20070061565A1 (en) | 2007-03-15 |
US7697694B2 (en) | 2010-04-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7697694B2 (en) | Synchronizing the exchange of cryptography information between kernel drivers | |
US7370352B2 (en) | Techniques for storing and retrieving security information corresponding to cryptographic operations to support cryptographic processing for multiple network traffic streams | |
US4881263A (en) | Apparatus and method for secure transmission of data over an unsecure transmission channel | |
US5717756A (en) | System and method for providing masquerade protection in a computer network using hardware and timestamp-specific single use keys | |
US8700532B2 (en) | Information sharing system, computer, project managing server, and information sharing method used in them | |
US8006297B2 (en) | Method and system for combined security protocol and packet filter offload and onload | |
US6751728B1 (en) | System and method of transmitting encrypted packets through a network access point | |
US7370348B1 (en) | Technique and apparatus for processing cryptographic services of data in a network system | |
US6836795B2 (en) | Mapping connections and protocol-specific resource identifiers | |
US20080098226A1 (en) | Encryption communication system, apparatus, method, and program | |
US20100088288A1 (en) | Apparatus and Method for Resolving Security Association Database Update Coherency in High-Speed Systems Having Multiple Security Channels | |
US20080267177A1 (en) | Method and system for virtualization of packet encryption offload and onload | |
EP1531596A2 (en) | Secure dynamic credential distribution over a network | |
US6944762B1 (en) | System and method for encrypting data messages | |
US7409542B2 (en) | Security association management through the use of lookup tables | |
CN108964893B (en) | Key processing method, device, equipment and medium | |
US11411719B2 (en) | Security system and method thereof using both KMS and HSM | |
US20030172303A1 (en) | Method and system for accelerating the conversion process between encryption schemes | |
US10841840B2 (en) | Processing packets in a computer system | |
CN103379103A (en) | Linear encryption and decryption hardware implementation method | |
JP2007036389A (en) | Hand-over method of tls session information, and computer system | |
CN114553411B (en) | Distributed memory encryption device and distributed memory decryption device | |
US8670565B2 (en) | Encrypted packet communication system | |
CN1750533A (en) | Method for realizing safety coalition backup and switching | |
CN111628972A (en) | Data encryption and decryption device, method, system and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: INTEL CORPORATION, CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:VALENCI, MOSHE;MINNICK, LINDEN;REEL/FRAME:012143/0612;SIGNING DATES FROM 20010802 TO 20010830 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |