Flexible ethernet encryption systems and methods
US-2017171163-A1 · Jun 15, 2017 · US
US10182039B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10182039-B2 |
| Application number | US-201615015548-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 4, 2016 |
| Priority date | Feb 4, 2016 |
| Publication date | Jan 15, 2019 |
| Grant date | Jan 15, 2019 |
Official abstract text for this publication.
At a source network device, data is compiled into a plurality of data blocks for transmission in a data frame over a network to a destination network device. The plurality of data blocks are arranged into a plurality of data block groups such that each data block group comprises a predetermined number of data blocks. Encryption information is generated for each of the plurality of data blocks groups. The encryption information identifies an encryption key for each of the plurality of data block groups. Overhead data configured to allow the destination network device to align and decode the data frame is generated. The data frame is transmitted from the source network device to the destination network device such that the encryption information for each of the plurality of data block groups is transmitted consecutively with a respective data block group, and a portion of the overhead data is transmitted prior to each consecutive transmission of encryption information with a data block group.
Opening claim text (preview).
What is claimed is:
1. A method comprising: compiling, at a source network device, data into a plurality of data blocks for transmission in a data frame over a network to a destination network device; arranging the plurality of data blocks into a plurality of data block groups comprising a first data block group, a second data block group, a third data block group and a fourth data block group, wherein each data block group comprises a predetermined number of data blocks; generating encryption information for each of the first data block group, the second data block group, the third data block group and the fourth data block group, wherein the encryption information identifies an encryption key for each of the first data block group, the second data block group, the third data block group and the fourth data block group; generating overhead data for the data frame, wherein the overhead data is configured to allow the destination network device to align and decode the data frame; and transmitting the data frame from the source network device to the destination network device, wherein transmitting the data frame comprises: transmitting a first portion of the overhead data, followed by the encryption information for the first data block group, followed by the first data block group; transmitting a second portion of the overhead data after the first data block group, followed by encryption information for the second data block group, followed by the second data block group; transmitting a third portion of the overhead data after the second data block group, followed by encryption information for the third data block group, followed by the third data block group; and transmitting a fourth portion of the overhead data after the third data block group, followed by encryption information for the fourth data block group, followed by the fourth data block group.
2. The method of claim 1, wherein arranging the plurality of data blocks into the plurality of data block groups comprises: arranging 20460 data blocks in the first data block group; arranging 20460 data blocks in the second data block group; arranging 20460 data blocks in the third data block group; and arranging 20480 data blocks in the fourth data block group.
3. The method of claim 1, further comprising generating an authentication code for each of the plurality of data block groups.
4. The method of claim 3, wherein generating the authentication code for each of the plurality of data block groups comprises generating a plurality of authentication codes for each of the plurality of data block groups, wherein each of the plurality of authentication codes authenticates a subset of data blocks within a data block group, wherein transmitting comprises transmitting each of the plurality of authentication codes consecutively with the subset of data blocks the authentication code is configured to authenticate within the plurality of data block groups.
5. The method of claim 4, wherein generating the plurality of authentication codes comprises generating an authentication code for 2^n data blocks, wherein n is an integer greater than 0.
6. The method of claim 4, wherein generating the plurality of authentication codes comprises generating a plurality of integrity check values.
7. The method of claim 1, wherein generating encryption information for each of the plurality of data blocks groups comprises generating a security parameter index, a sequence number and an initialization vector for each of the plurality of data block groups.
8. The method of claim 1, wherein the encryption information for each of the plurality of data blocks groups identifies a different encryption key.
9. The method of claim 1, wherein transmitting the data frame comprises arranging the plurality of data blocks into a frame formatted according to the Flex Ethernet Implementation Agreement (FlexE) of the Optical Internetworking Forum.
10. An apparatus comprising: a network interface configured to send and receive data over a network; and a processor, wherein the processor is configured to: compile data into a plurality of data blocks for transmission in a data frame over the network to a destination network device; arrange the plurality of data blocks into a plurality of data block groups comprising a first data block group, a second data block group, a third data block group and a fourth data block group, wherein each data block group comprises a predetermined number of data blocks; generate encryption information for each of the first data block group, the second data block group, the third data block group and the fourth data block group, wherein the encryption information identifies an encryption key for each of the first data block group, the second data block group, the third data block group and the fourth data block group; generate overhead data for the data frame, wherein the overhead data is configured to allow the destination network device to align and decode the data frame; and transmit, via the network interface, the data frame to the destination network device, wherein the processor is configured to transmit the data frame by: transmitting a first portion of the overhead data, followed by the encryption information for the first data block group, followed by the first data block group; transmitting a second portion of the overhead data after the first data block group, followed by encryption information for the second data block, followed by the second data block group; transmitting a third portion of the overhead data after the second data block group, followed by encryption information for the third data block group, followed by the third data block group; and transmitting a fourth portion of the overhead data after the third data block group, followed by encryption information for the fourth data block group, followed by the fourth data block group.
11. The apparatus of claim 10, wherein the processor is further configured to generate an authentication code for each of the plurality of data block groups.
12. The apparatus of claim 11, wherein the processor is configured to generate the authentication code for each of the plurality of data block groups by generating a plurality of authentication codes for each of the plurality of data block groups, wherein each of the plurality of authentication codes authenticates a subset of data blocks within a data block group, and wherein the processor is configured to transmit the data frame by transmitting each of the plurality of authentication codes consecutively with the subset of data blocks the authentication code is configured to authenticate within the plurality of data block groups.
13. The apparatus of claim 11, wherein the processor is configured to generate the plurality of authentication codes by generating a plurality of integrity check values.
14. The apparatus of claim 10, wherein the processor is configured to arrange the plurality of data blocks into a frame formatted according to the Flex Ethernet Implementation Agreement (FlexE) of the Optical Internetworking Forum.
15. The apparatus of claim 11, wherein the processor is configured to arrange the plurality of data blocks into the plurality of data block groups by: arranging 20460 data blocks in the first data block group; arranging 20460 data blocks in the second data block group; arranging 20460 data blocks in the third data block group; and arranging 20480 data blocks in the fourth data block group.
16. One or more non-transitory computer readable storage media encoded with software comprising compute
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3 · CPC title
wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or cryptographic arrangements for public-key encryption H04L9/30) · CPC title
the source of the received data · CPC title
for providing a confidential data exchange among entities communicating through data packet networks · CPC title