Patents by Inventor Joseph J. Tardo

Joseph J. Tardo has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9258225
    Abstract: A system and method for efficient matching of regular expression patterns across multiple packets. A deep packet inspection system can be embodied in a switch ASIC using a flow tracker and a signature matching engine. The flow tracker can be positioned in an ingress portion of the switch ASIC at a location where packets in a bi-direction flow can be observed and recorded. The flow tracker generates a signature match request that is forwarded to a signature matching engine in an auxiliary pipeline. The signature matching engine is enabled to perform cross-packet signature matching using signature matching state machines and reports the signature matching results to the flow tracker using a response packet that is sent to the ingress pipeline.
    Type: Grant
    Filed: February 28, 2014
    Date of Patent: February 9, 2016
    Assignee: Broadcom Corporation
    Inventors: Nate Hill, Stanislas Wolski, Joseph J. Tardo
  • Publication number: 20140314084
    Abstract: A system and method for efficient matching of regular expression patterns across multiple packets. A deep packet inspection system can be embodied in a switch ASIC using a flow tracker and a signature matching engine. The flow tracker can be positioned in an ingress portion of the switch ASIC at a location where packets in a bi-direction flow can be observed and recorded. The flow tracker generates a signature match request that is forwarded to a signature matching engine in an auxiliary pipeline. The signature matching engine is enabled to perform cross-packet signature matching using signature matching state machines and reports the signature matching results to the flow tracker using a response packet that is sent to the ingress pipeline.
    Type: Application
    Filed: February 28, 2014
    Publication date: October 23, 2014
    Applicant: Broadcom Corporation
    Inventors: Nate Hill, Stanislas Wolski, Joseph J. Tardo
  • Patent number: 8340299
    Abstract: Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.
    Type: Grant
    Filed: July 28, 2010
    Date of Patent: December 25, 2012
    Assignee: Broadcom Corporation
    Inventors: Mark L. Buer, Joseph J. Tardo
  • Patent number: 8055895
    Abstract: Methods and associated systems provide secured data transmission over a data network. A security device provides security processing in the data path of a packet network. The device may include at least one network interface to send packets to and receive packets from a data network and at least one cryptographic engine for performing encryption, decryption and/or authentication operations. The device may be configured as an in-line security processor that processes packets that pass through the device as the packets are routed to/from the data network.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: November 8, 2011
    Assignee: Broadcom Corporation
    Inventors: Mark Buer, Scott S. McDaniel, Uri Elzur, Joseph J. Tardo, Kan Fan
  • Patent number: 7996670
    Abstract: Provided is an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs. In various embodiments, the architecture enables parallel processing of packets through a plurality of cryptography engines and includes a classification engine configured to efficiently process encryption/decryption of data packets. Cryptography acceleration chips in accordance may be incorporated on network line cards or service modules and used in applications as diverse as connecting a single computer to a WAN, to large corporate networks, to networks servicing wide geographic areas (e.g., cities). The present invention provides improved performance over the prior art designs, with much reduced local memory requirements, in some cases requiring no additional external memory. In some embodiments, the present invention enables sustained full duplex Gigabit rate security processing of IPSec protocol data packets.
    Type: Grant
    Filed: July 6, 2000
    Date of Patent: August 9, 2011
    Assignee: Broadcom Corporation
    Inventors: Suresh Krishna, Christopher Owen, Derrick C. Lin, Joseph J. Tardo, Patrick Law, Phillip Norman Smith
  • Publication number: 20100290624
    Abstract: Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.
    Type: Application
    Filed: July 28, 2010
    Publication date: November 18, 2010
    Applicant: Broadcom Corporation
    Inventors: Mark L. Buer, Joseph J. Tardo
  • Patent number: 7773754
    Abstract: Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.
    Type: Grant
    Filed: July 8, 2002
    Date of Patent: August 10, 2010
    Assignee: Broadcom Corporation
    Inventors: Mark L. Buer, Joseph J. Tardo
  • Publication number: 20090319775
    Abstract: Methods and associated systems provide secured data transmission over a data network. A security device provides security processing in the data path of a packet network. The device may include at least one network interface to send packets to and receive packets from a data network and at least one cryptographic engine for performing encryption, decryption and/or authentication operations. The device may be configured as an in-line security processor that processes packets that pass through the device as the packets are routed to/from the data network.
    Type: Application
    Filed: August 31, 2009
    Publication date: December 24, 2009
    Applicant: Broadcom Corporation
    Inventors: Mark L. Buer, Scott S. McDaniel, Uri Elzur, Joseph J. Tardo, Kan Fan
  • Patent number: 7600131
    Abstract: Provided is an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs. In various embodiments, the architecture enables parallel processing of packets through a plurality of cryptography engines and includes a classification engine configured to efficiently process encryption/decryption of data packets. Cryptography acceleration chips in accordance may be incorporated on network line cards or service modules and used in applications as diverse as connecting a single computer to a WAN, to large corporate networks, to networks servicing wide geographic areas (e.g., cities). The present invention provides improved performance over the prior art designs, with much reduced local memory requirements, in some cases requiring no additional external memory. In some embodiments, the present invention enables sustained full duplex Gigabit rate security processing of IPSec protocol data packets.
    Type: Grant
    Filed: July 6, 2000
    Date of Patent: October 6, 2009
    Assignee: Broadcom Corporation
    Inventors: Suresh Krishna, Christopher Owen, Derrick C. Lin, Joseph J. Tardo, Patrick Law
  • Patent number: 7587587
    Abstract: Methods and associated systems provide secured data transmission over a data network. A security device provides security processing in the data path of a packet network. The device may include at least one network interface to send packets to and receive packets from a data network and at least one cryptographic engine for performing encryption, decryption and/or authentication operations. The device may be configured as an in-line security processor that processes packets that pass through the device as the packets are routed to/from the data network.
    Type: Grant
    Filed: December 4, 2003
    Date of Patent: September 8, 2009
    Assignee: Broadcom Corporation
    Inventors: Mark L. Buer, Scott S. McDaniel, Uri Elzur, Joseph J. Tardo, Kan Fan
  • Publication number: 20040143734
    Abstract: Methods and associated systems provide secured data transmission over a data network. A security device provides security processing in the data path of a packet network. The device may include at least one network interface to send packets to and receive packets from a data network and at least one cryptographic engine for performing encryption, decryption and/or authentication operations. The device may be configured as an in-line security processor that processes packets that pass through the device as the packets are routed to/from the data network.
    Type: Application
    Filed: December 4, 2003
    Publication date: July 22, 2004
    Inventors: Mark L. Buer, Scott S. McDaniel, Uri Elzur, Joseph J. Tardo, Kan Fan
  • Publication number: 20040005061
    Abstract: Methods and systems are disclosed for providing secured data transmission and for managing cryptographic keys. One embodiment of the invention provides secure key management when separate devices are used for generating and utilizing the keys. One embodiment of the invention provides secure storage of keys stored in an unsecured database. One embodiment of the invention provides key security in conjunction with high speed decryption and encryption, without degrading the performance of the data network.
    Type: Application
    Filed: July 8, 2002
    Publication date: January 8, 2004
    Inventors: Mark L. Buer, Joseph J. Tardo
  • Publication number: 20030023846
    Abstract: Provided is an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs. In various embodiments, the architecture enables parallel processing of packets through a plurality of cryptography engines and includes a classification engine configured to efficiently process encryption/decryption of data packets. Cryptography acceleration chips in accordance may be incorporated on network line cards or service modules and used in applications as diverse as connecting a single computer to a WAN, to large corporate networks, to networks servicing wide geographic areas (e.g., cities). The present invention provides improved performance over the prior art designs, with much reduced local memory requirements, in some cases requiring no additional external memory. In some embodiments, the present invention enables sustained full duplex Gigabit rate security processing of IPSec protocol data packets.
    Type: Application
    Filed: August 12, 2002
    Publication date: January 30, 2003
    Applicant: Broadcom Corporation
    Inventors: Suresh Krishna, Christopher Owen, Derrick C. Lin, Joseph J. Tardo, Patrick Law, Phillip Norman Smith
  • Publication number: 20030014627
    Abstract: Provided is an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs. In various embodiments, the architecture enables parallel processing of packets through a plurality of cryptography engines and includes a classification engine configured to efficiently process encryption/decryption of data packets. Cryptography acceleration chips in accordance may be incorporated on network line cards or service modules and used in applications as diverse as connecting a single computer to a WAN, to large corporate networks, to networks servicing wide geographic areas (e.g., cities). The present invention provides improved performance over the prior art designs, with much reduced local memory requirements, in some cases requiring no additional external memory. In some embodiments, the present invention enables sustained full duplex Gigabit rate security processing of IPSec protocol data packets.
    Type: Application
    Filed: August 12, 2002
    Publication date: January 16, 2003
    Applicant: Broadcom Corporation
    Inventors: Suresh Krishna, Christopher Owen, Derrick C. Lin, Joseph J. Tardo, Patrick Law
  • Patent number: 5497421
    Abstract: Apparatus for protecting the confidentiality of a user's password during a remote login authentication exchange between a user node and a directory service node of a distributed, public key cryptography system includes a specialized server application functioning as an intermediary agent for the login procedure. The login agent has responsibility for approving the user's login attempt and distributing a private key to the user. However, the login agent is not trusted with the user's password and is therefore a "semi-trusted" node. In another aspect of the invention, a login protocol enables remote authentication of the user password without transmitting the password over the network.
    Type: Grant
    Filed: September 28, 1994
    Date of Patent: March 5, 1996
    Assignee: Digital Equipment Corporation
    Inventors: Charles W. Kaufman, Morrie Gasser, Butler W. Lampson, Joseph J. Tardo, Kannan Alagappan
  • Patent number: 5418854
    Abstract: Apparatus for protecting the confidentiality of a user's password during a remote login authentication exchange between a user node and a directory service node of a distributed, public key cryptography system includes a specialized server application functioning as an intermediary agent for the login procedure. The login agent has responsibility for approving the user's login attempt and distributing a private key to the user. However, the login agent is not trusted with the user's password and is therefore a "semi-trusted" node. In another aspect of the invention, a login protocol enables remote authentication of the user password without transmitting the password over the network.
    Type: Grant
    Filed: April 28, 1992
    Date of Patent: May 23, 1995
    Assignee: Digital Equipment Corporation
    Inventors: Charles W. Kaufman, Morrie Gasser, Butler W. Lampson, Joseph J. Tardo, Kannan Alagappan
  • Patent number: 5235644
    Abstract: A decryption method, and associated cryptographic processor, for performing in-line decryption of information frames received from a communication network through a first in-line processing stage. As an information packet is streamed into the cryptographic processor, a determination is made to an acceptable level of probability whether the packet contains data that should be decrypted. The decision whether or not to decrypt is made by analyzing the incoming packet header, recognizing a limited number of packet formats, and further parsing the packet to locate any encrypted data and to make sure that the packet is not a segment of a larger message. Falsely decrypted packets are looped back through the cryptographic processor, to regenerate the data that was falsely decrypted. Decryption and encryption are performed in such a manner that a false decryption is completely reversible without loss of data.
    Type: Grant
    Filed: June 29, 1990
    Date of Patent: August 10, 1993
    Assignee: Digital Equipment Corporation
    Inventors: Amar Gupta, Butler W. Lampson, William R. Hawe, Joseph J. Tardo, Charles W. Kaufman, Mark F. Kempf, Morrie Gasser, B. J. Herbison
  • Patent number: 5070528
    Abstract: A method and related cryptographic processing apparatus for handling information packets that are to be cryptographically processed prior to transmission onto a communication network, or that are to be locally cryptographically processed and looped back to a node processor. A special cryptographic preamble is included in each information packet that is to be subject to cryptographic processing. The cryptographic preamble contains an offset value pointing to the starting location of information that is to be processed, and completely defines the type of cryptographic processing to be performed. The cryptographic processor can then perform the processing as specified in the preamble without regard to a specific protocol. If the packet is to be transmitted onto the network, the preamble is stripped from the packet after cryptographic processing, so that the formats of packets transmitted onto the network will be unaffected by the preamble.
    Type: Grant
    Filed: June 29, 1990
    Date of Patent: December 3, 1991
    Assignee: Digital Equipment Corporation
    Inventors: William R. Hawe, Joseph J. Tardo, Charles W. Kaufman, Amar Gupta, Barry A. Spinney, Gregory M. Waters