Patents by Inventor Leeon Moshe Shachaf

Leeon Moshe Shachaf has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7055027
    Abstract: A network architecture allows an intermediary to inspect an encrypted data stream on a virtual private network (VPN) in a secure and trusted manner. The endpoints establish a virtual private network by negotiating a session key used to encrypt data being exchanged between them. The endpoints know the session key, but not the intermediary. To grant the intermediary trusted access to the data stream on the VPN, one endpoint securely transfers the session key to the firewall by encrypting the session key using the intermediary's public key and then signing the encrypted session key. The intermediary authenticates the signature and decrypts the session key using its own private key. If the process yields a valid key, the intermediary is assured that the session key was sent by the endpoint and was not subsequently tampered with en route. Once the session key is transferred, the firewall can decrypt and inspect the data stream on the VPN in a manner that is transparent to the endpoints.
    Type: Grant
    Filed: March 22, 1999
    Date of Patent: May 30, 2006
    Assignee: Microsoft Corporation
    Inventors: David Gunter, Leeon Moshe Shachaf
  • Patent number: 6751728
    Abstract: A method and system for network communication efficiently transmits encrypted packets from a sending host on an external network to a receiving host on an intranet through a network access point (NAP) of the intranet. A packet to be sent by the sending host on the external network is constructed with the external network address of the NAP as the destination address of the packet. The intranet address of the receiving host is also included in the packet in the non-encrypted form and is used in the calculation of the cryptographic hash or the like that is included in the packet for authentication purposes. The encrypted packet is then routed to the NAP through the external network. When the NAP receives the packet, it strips the intranet address of the receiving host from the packet and uses that address to replace the original destination address in the packet. The NAP then forwards the modified packet to the receiving host.
    Type: Grant
    Filed: June 16, 1999
    Date of Patent: June 15, 2004
    Assignee: Microsoft Corporation
    Inventors: David V. Gunter, Leeon Moshe Shachaf