Managing session secrets for continuous packet capture systems
US-2018278419-A1 · Sep 27, 2018 · US
US2024340163A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2024340163-A1 |
| Application number | US-202418745443-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 17, 2024 |
| Priority date | Oct 26, 2021 |
| Publication date | Oct 10, 2024 |
| Grant date | — |
Official abstract text for this publication.
Techniques are disclosed for inline security key exchanges between network devices. An example network device includes one or more processors and memory coupled to the one or more processors. The memory stores instructions that, upon execution, cause one or more processors to obtain a first payload key and obtain a path key. The instructions cause the one or more processors to encrypt a first payload of a first packet using the first payload key and insert the first payload key into first metadata of the first packet. The instructions cause the one or more processors to encrypt the first metadata using the path key and send the first packet to another network device.
Opening claim text (preview).
What is claimed is:

1. Non-transitory computer readable storage media storing instructions, which, when executed cause one or more processors of a network device to: obtain a first payload key, the first payload key being associated with a first session; obtain a path key, wherein the path key is associated with a path between the network device and a neighboring network device; encrypt a first packet payload of a first packet using the first payload key; insert the first payload key into first metadata for the first packet; encrypt the first metadata using the path key, the first metadata including the first payload key, to generate encrypted first metadata; send the first packet including the encrypted first metadata and the first packet payload to the neighboring network device; determine that a second packet payload of a second packet is associated with the first session; based on the second packet payload being associated with the first session, encrypt the second packet payload using the first payload key; and send the second packet including second metadata to the neighboring network device, the second metadata not including the first payload key.

2. The non-transitory computer readable storage media of claim 1, wherein the instructions cause the one or more processors to obtain the first payload key by generating the first payload key or by receiving the first payload key.

3. The non-transitory computer readable storage media of claim 1, wherein the instructions further cause the one or more processors to: determine to update the first payload key; obtain a second payload key; encrypt a third packet payload of a third packet using the second payload key; insert the second payload key into third metadata of the third packet; encrypt the third metadata using the path key; and send the third packet to the neighboring network device.

4. The non-transitory computer readable storage media of claim 1, wherein the instructions further cause the one or more processors to: obtain a second payload key associated with a second session; encrypt a third packet payload of a third packet associated with the second session using the second payload key; insert the second payload key into third metadata of the third packet; encrypt the third metadata using the path key; and send the third packet to the neighboring network device.

5. The non-transitory computer readable storage media of claim 1, wherein the first payload key is further associated with a first type of service and wherein the instructions further cause the one or more processors to: obtain a second payload key associated with a second type of service; encrypt a third packet payload of a third packet associated with the second type of service using the second payload key; insert the second payload key into third metadata of the third packet; encrypt the third metadata using the path key; and send the third packet to the neighboring network device.

6. The non-transitory computer readable storage media of claim 1, wherein the network device comprises a session-based router.

7. The non-transitory computer readable storage media of claim 1, wherein the neighboring network device comprises a session-based router.

8. Non-transitory computer readable storage media storing instructions, which, when executed cause one or more processors of a network device to: obtain a path key; receive a first packet from a neighboring network device; decrypt first metadata of the first packet using the path key; obtain a first payload key from the first metadata of the first packet, the first payload key being associated with a first session; decrypt a first packet payload of the first packet using the first payload key; receive a second packet including a second packet payload and second metadata from the neighboring network device, the second metadata not including the first payload key; determine that the second packet payload is associated with the first session based on the second metadata; and decrypt the second packet payload of the second packet using the first payload key.

9. The non-transitory computer readable storage media of claim 8, wherein the instructions further cause the one or more processors to: receive a third packet from the neighboring network device; decrypt third metadata of the third packet using the path key; obtain a second payload key from the third metadata of the third packet; and decrypt a third packet payload of the third packet using the second payload key.

10. The non-transitory computer readable storage media of claim 8, wherein the instructions further cause the one or more processors to: receive a third packet from the neighboring network device, the third packet being associated with a second session; decrypt third metadata of the third packet using the path key; obtain a second payload key from the third metadata of the third packet, the second payload key being associated with the second session; and decrypt a third packet payload of the third packet using the second payload key.

11. The non-transitory computer readable storage media of claim 8, wherein the first payload key is further associated with a first type of service and wherein the instructions further cause the one or more processors to: receive a third packet from the neighboring network device, the third packet being associated with a second type of service; decrypt third metadata of the third packet using the path key; obtain a second payload key from the third metadata of the third packet, the second payload key being associated with the second type of service; and decrypt a third packet payload of the third packet using the second payload key.

12. The non-transitory computer readable storage media of claim 8, wherein the network device comprises a session-based router.

13. The non-transitory computer readable storage media of claim 8, wherein the neighboring network device comprises a session-based router.

14. A method comprising: obtaining, by one or more processors of an egress network device, a path key; receiving, by the one or more processors of the egress network device, a first packet from a neighboring network device; decrypting, by the one or more processors of the egress network device, first metadata of the first packet using the path key; obtaining, by the one or more processors of the egress network device, a first payload key from the first metadata of the first packet, the first payload key being associated with a first session; decrypting, by the one or more processors of the egress network device, a first packet payload of the first packet using the first payload key; receiving, by the one or more processors of the egress network device, a second packet including a second packet payload and second metadata from the neighboring network device, the second metadata not including the first payload key; determining, by the one or more processors of the egress network device, that the second packet payload is associated with the first session based on the second metadata; and decrypting, by the one or more processors of the egress network device, the second packet payload of the second packet using the first payload key.

15. The method of claim 14, further comprising: receiving, by the one or more processors of the egress network device, a third packet from the neighboring network device; decrypting, by the one or more processors of the egress network device, third metadata of the third packet using the path key; obtaining, by the
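The exchange described in the abstract and in claims 1, 3 and 8 (a per-session payload key carried inline in the first packet's metadata, the metadata sealed under a hop-to-hop path key, later packets of the same session omitting the key, and an optional rekey) can be sketched in a few dozen lines. The following Python is an added illustration, not code from the patent or from its assignee. It assumes: the two neighbours already share the path key out of band; a session is identified by a string in the metadata; the metadata is a small JSON object; and an HMAC-SHA256 keystream with a separate HMAC tag stands in for whatever authenticated cipher a real router would use. The names `Sender`, `Receiver`, `seal` and `open_` are the example's own.

```python
import hashlib
import hmac
import json
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent encryption or MAC key from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("metadata or payload failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Sender:
    """Ingress side: one payload key per session, shipped inline once (claims 1 and 3)."""

    def __init__(self, path_key: bytes):
        self.path_key = path_key
        self.session_keys: dict[str, bytes] = {}

    def send(self, session: str, payload: bytes, rekey: bool = False) -> tuple[bytes, bytes]:
        metadata = {"session": session}
        if rekey or session not in self.session_keys:
            self.session_keys[session] = os.urandom(32)
            metadata["payload_key"] = self.session_keys[session].hex()  # inline key exchange
        enc_metadata = seal(self.path_key, json.dumps(metadata).encode())  # path key wraps the metadata
        enc_payload = seal(self.session_keys[session], payload)            # payload key wraps the payload
        return enc_metadata, enc_payload


class Receiver:
    """Egress side: learns the payload key from metadata, then reuses it per session (claim 8)."""

    def __init__(self, path_key: bytes):
        self.path_key = path_key
        self.session_keys: dict[str, bytes] = {}

    def receive(self, enc_metadata: bytes, enc_payload: bytes) -> bytes:
        metadata = json.loads(open_(self.path_key, enc_metadata))
        if "payload_key" in metadata:
            self.session_keys[metadata["session"]] = bytes.fromhex(metadata["payload_key"])
        key = self.session_keys.get(metadata["session"])
        if key is None:
            raise KeyError("no payload key has been received for this session")
        return open_(key, enc_payload)


def demo() -> dict:
    """Run the exchange over constructed sample packets and report what each side observed."""
    path_key = os.urandom(32)  # assumed to be shared between the two neighbours out of band
    tx, rx = Sender(path_key), Receiver(path_key)
    p1 = tx.send("session-A", b"GET /index.html")                # first packet carries the key
    p2 = tx.send("session-A", b"Host: example.test")             # same session, key omitted
    p3 = tx.send("session-A", b"after rekey", rekey=True)        # claim 3: new key carried inline
    results = {
        "first_payload": rx.receive(*p1),
        "second_payload": rx.receive(*p2),
        "rekeyed_payload": rx.receive(*p3),
        "first_meta_len": len(p1[0]),
        "second_meta_len": len(p2[0]),
    }
    try:  # a device without the correct path key cannot open the metadata, so never sees the payload key
        Receiver(os.urandom(32)).receive(*p1)
        results["wrong_path_key_rejected"] = False
    except ValueError:
        results["wrong_path_key_rejected"] = True
    try:  # a device that missed the session's first packet holds no payload key for it
        Receiver(path_key).receive(*p2)
        results["unknown_session_rejected"] = False
    except KeyError:
        results["unknown_session_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The size difference between the first and second metadata blobs is the point of the claims: the per-session key is paid for once per session (or per rekey), and every later packet carries only enough metadata to bind it to the session. A receiver that starts listening mid-session, or that lacks the path key, cannot recover the payload, which is also what a defender would expect to see when validating such a design.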
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title
involving distinctive intermediate devices or communication paths (network architectures or network communication protocols using different networks H04L63/18) · CPC title
Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068) · CPC title
of the user plane, e.g. user's traffic · CPC title