Abstract

The present invention includes a first data processing device (node I) coupled to a first private network and to a firewall server (FWA). Firewall server FWA is in turn coupled to a public network, such as the Internet. A second data processing device (node J) is coupled to a second private network which is coupled to the Internet through a firewall server (FWB). Node I provides a data packet including IP data and a destination address for the intended receiving node J to firewall FWA. Firewall FWA is provided with a secret value a, and a public value –a mod p. Similarly, firewall FWB is provided with a secret value b and a public value –b mod p. The firewall FWA obtains a Diffie-Hellman (DH) certificate for firewall FWB and determines the public value –b mod p from the DH certificate. Firewall FWA then computes the value of –ab mod p, and derives a key Kab from the value –ab mod p. A transient key Kp is randomly generated and is used to encrypt the data packet to be transmitted by firewall FWA to firewall FWB. The encrypted data packet is then encapsulated in a transmission packet by the firewall FWA. The transmission packet includes an unencrypted destination address for the firewall FWB. Firewall FWA then sends the transmission packet to firewall FWB over the Internet. Upon receipt of the transmission packet from firewall FWA, firewall FWB obtains a DH certificate for firewall FWA, and determines the public value of –a mod p from the DH certificate. Firewall FWB computes the value of –ab mod p, and derives the key Kab. Firewall B utilizes the key Kab to decrypt the transient key Kp, and using the decrypted transient key Kp, firewall FWB decrypts the encrypted data packet received from FWA, thereby resulting in the recovery of the original data sent by node I in unencrypted form to the firewall FWA. The firewall FWB then transmits the decrypted data packet to the receiving node J over the second private network.

Other References

• Whitfield Diffie, "The First Ten Years of Public-Key Cryptography", (Proceedings of the IEEE, vol. 76, No. 5, May 1988)
• Paul Fahn, "Answers to Frequently Asked Questions About Today's Cryptography", (RSA Laboratories, 1992)
• "Part I: Message Encryption and Authentication Procedures", (Privacy Enhancement for Internet Electronic Mail, J. Linn (Network Working Group), Feb., 1993
• "Part II: Certificate-Based Key Management", (Privacy Enhancement for Internet Electronic Mail, S. Kent (Network Working Group), Feb., 1993
• "Part III: Algorithms, Modes, and Identifiers", (Privacy Enhancement for Internet Electronic Mail), D. Balenson (Network Working Group), Feb., 1993
• "Part IV: Key Certification and Related Services" (Privacy Enhancement for Internet Electronic Mail), B. Kaliski (Network Working Group), Feb., 1993
• Whitfield Diffie, Paul C. Van Oorschoot and Michael J. Wiener, "Authentication and Authenticated Key Exchanges" (Designs, Codes and Cryptography, 2-107-125 (1992), Kluwer Academic Publishers)
• "The MD5 Message-Digest Algorithm"; MIT Laboratory for Computer Science and RSA Data Security, Inc. (1992), R. Rivest (Network Working Group)
• RSA Data Security, Inc. Technology Bulletin, copy undate