05416842 is referenced by 471 patents and cites 1 patents.

The present invention includes a first data processing device (node I) coupled to a first private network and to a firewall server (FWA). Firewall server FWA is in turn coupled to a public network, such as the Internet. A second data processing device (node J) is coupled to a second private network which is coupled to the Internet through a firewall server (FWB). Node I provides a data packet including IP data and a destination address for the intended receiving node J to firewall FWA. Firewall FWA is provided with a secret value a, and a public value .varies..sup.a mod p. Similarly, firewall FWB is provided with a secret value b and a public value .varies..sup.b mod p. The firewall FWA obtains a Diffie-Hellman (DH) certificate for firewall FWB and determines the public value .varies..sup.b mod p from the DH certificate. Firewall FWA then computes the value of .varies..sup.ab mod p, and derives a key K.sub.ab from the value .varies..sup.ab mod p. A transient key K.sub.p is randomly generated and is used to encrypt the data packet to be transmitted by firewall FWA to firewall FWB. The encrypted data packet is then encapsulated in a transmission packet by the firewall FWA. The transmission packet includes an unencrypted destination address for the firewall FWB. Firewall FWA then sends the transmission packet to firewall FWB over the Internet. Upon receipt of the transmission packet from firewall FWA, firewall FWB obtains a DH certificate for firewall FWA, and determines the public value of .varies..sup.a mod p from the DH certificate. Firewall FWB computes the value of .varies..sup.ab mod p, and derives the key K.sub.ab. Firewall B utilizes the key K.sub.ab to decrypt the transient key K.sub.p, and using the decrypted transient key K.sub.p, firewall FWB decrypts the encrypted data packet received from FWA, thereby resulting in the recovery of the original data sent by node I in unencrypted form to the firewall FWA. The firewall FWB then transmits the decrypted data packet to the receiving node J over the second private network.

Method and apparatus for key-management scheme for use with internet protocols at site firewalls
Application Number
Publication Number
Application Date
June 10, 1994
Publication Date
May 16, 1995
Ashar Aziz
Irell & Manella
Sun Microsystems
H04L 9/00
H04L 9/08
H04L 9/30
View Original Source