Abstract: An encryption system (202) for selective encryption of data packets is described. The encryption system (202) includes a processor (204) and an analysis module (216) coupled to the processor (204). The analysis module (216) analyzes, at a lower level layer of a communication protocol, data packets to be transmitted to another device using the communication protocol, to determine if the data packets have been encrypted at an upper level layer of the communication protocol. The analysis module (216) further determines whether the data packets have to be encrypted at a lower level layer based at least on the analyzing.
FIELD OF INVENTION
[0001] The present subject matter relates to encryption of data
packets, and particularly but not exclusively, to selective encryption of data
packets.
BACKGROUND
[0002] Generally a communication network may include a collection of
computing devices and other hardware components interconnected together,
to share and exchange resources and information. The information may be
shared in the form of data packets. Typically, a communication network
provides a communication path in any network, facilitating exchange of data.
Generally, this communication path includes a series of interlinked resources,
such as routers, switches, and physical wires. To facilitate exchange of data
between the computing devices, multiple protocols are implemented in the
upper layer of communication network. Further, in order to secure the data
being exchanged, network providers typically employ various methods, such
as encrypting data packets used to transmit the data over the communication
networks.
SUMMARY
[0003] This summary is provided to introduce concepts related to
selective encryption of data packets in a communication network. This
summary is not intended to identify essential features of the claimed subject
matter nor is it intended for use in determining or limiting the scope of the
claimed subject matter.
[0004] In one implementation, an encryption system for selective
encryption of data packets is described. The encryption system includes a
processor and an analysis module coupled to the processor. The analysis
module analyzes, at a lower level layer of a communication protocol, data
packets to be transmitted to another device using the communication
protocol, to determine if the data packets have been encrypted at an upper
level layer of the communication protocol. The analysis module further
determines whether the data packets have to be encrypted at the lower level
layer based at least on the analyzing.
[0005] In another implementation, a method for selective encryption of
data packets is described. The method includes obtaining, by a network
device, data packets to be transmitted to a user device using a predetermined
communication protocol. The method further includes analyzing the data
packets by the network device, at a lower level layer of the communication
protocol, to determine if the data packets have been encrypted at an upper
level layer of the communication protocol. Further, the method includes
determining, by the network device, whether the data packets have to be
encrypted at the lower level layer based at least on the analyzing. The
method further includes transmitting, by the network device, the data packets
to the user device based on the determining.
[0006] In another implementation, a method for selective encryption of
data packets is described. The method includes transmitting a connection
establishment request by a user device to a network device. The connection
establishment request is transmitted for establishing a connection with an
associated network entity using a predetermined communication protocol.
The method further includes receiving, by the user device, a perform
encryption message from the network device indicating whether the data
packets to be transmitted to the network entity will be encrypted at an upper
level layer of the communication protocol. Further, the method includes
determining, by the user device, whether the data packets have to be
encrypted at a lower level layer of the communication protocol, based at least
on the perform encryption message. The method further includes
transmitting, by the user device, the data packets to the network entity based
on the determining.
[0007] In another implementation, a non-transitory computer-readable
medium having embodied thereon a computer program for executing a
method of selective encryption of data packets is described. The method
includes obtaining, by a network device, data packets to be transmitted to a
user device using a predetermined communication protocol. The method
further includes analyzing the data packets by the network device, at a lower
level layer of the communication protocol, to determine if the data packets
have been encrypted at an upper level layer of the communication protocol.
Further, the method includes determining, by the network device, whether the
data packets have to be encrypted at the lower level layer based at least on
the analyzing. The method further includes transmitting, by the network
device, the data packets to the user device based on the determining.
BRIEF DESCRIPTION OF THE FIGURES
[0008] The detailed description is described with reference to the
accompanying figures. In the figures, the left-most digit(s) of a reference
number identifies the figure in which the reference number first appears. The
same numbers are used throughout the figures to reference like features and
components. Some embodiments of system and/or methods in accordance
with embodiments of the present subject matter are now described, by way of
example, and with reference to the accompanying figures, in which:
[0009] Figure 1 illustrates an exemplary communication network
environment implementing a communication system for selective encryption
of data packets, according to an embodiment of the present subject matter;
[0010] Figure 2 illustrates components of an encryption system of the
communication system for selective encryption of data packets, according to
an embodiment of the present subject matter.
[0011] Figure 3 illustrates a method of selective encryption of data
packets, in accordance with an embodiment of the present subject matter.
[0012] Figure 4 illustrates a method of selective encryption of data
packets, in accordance with an embodiment of the present subject matter.
[0013] In the present document, the word "exemplary" is used herein to
mean "serving as an example, instance, or illustration." Any embodiment or
implementation of the present subject matter described herein as "exemplary"
is not necessarily to be construed as preferred or advantageous over other
embodiments.
[0014] It should be appreciated by those skilled in the art that any block
diagrams herein represent conceptual views of illustrative systems
embodying the principles of the present subject matter. Similarly, it will be
appreciated that any flow charts, flow diagrams, state transition diagrams,
pseudo code, and the like represent various processes which may be
substantially represented in computer readable medium and so executed by a
computer or processor, whether or not such computer or processor is
explicitly shown.
DESCRIPTION OF EMBODIMENTS
[0015] Systems and methods for selective encryption of data packets are
described. Typically, in a communication network, data is exchanged in the
form of data packets between a user device and one or more network
entities, such as an application server. For instance, in a downlink, data is
transmitted in the form of data packets by the network entities. The data
packets traverse through a channel, in the form of transmitted signals, and are
received, as received signals, by the user device. Similarly, in an uplink, data
is transmitted, in the form of data packets, by the user device. The data
packets traverse through a channel, in the form of transmitted signals, and are
received, as received signals, by the network entity. The communication
networks may further employ one or more network devices to facilitate the
data transmission between the network entities. Examples of the network
devices include, but are not limited to, base stations, such as NodeB and
eNodeB; a Radio Network Controller (RNC); and gateways. The user devices
that can implement the described method(s) include, but are not limited to,
mobile phones, hand-held devices, laptops or other portable computers,
personal digital assistants (PDAs), notebooks, tablets, and the like.
[0016] Examples of the communication networks may include, but are
not limited to, General Packet Radio Service (GPRS), Enhanced Voice-Data
Optimized (EVDO), Enhanced Data rates for GSM Evolution (EDGE)
network, Universal Mobile Telecommunications System (UMTS) network,
Long Term Evolution (LTE) network, and Institute of Electrical and Electronics
Engineers' (IEEE) 802.11 standard (Wi-Fi network). Typically, communication
networks work on distinct communication protocols where the communication
protocols define the rules and data formats for data packet transmission in
the communication network. Communication protocol may be further
explained as a set of procedures to be followed for data transmission through
the communication network. For instance, an Open Systems Interconnection
(OSI) model defines a networking framework for implementing
communication protocols in seven layers. The seven layers are, application
layer (layer 7), presentation layer (layer 6), session layer (layer 5), transport
layer (layer 4), network layer (layer 3), data link layer (layer 2), and physical
layer (layer 1). Further, the layers are typically divided in two broad
categories: lower level layers and upper level layers. For instance, the
application layer, the presentation layer, the session layer, the transport layer,
and the network layer form the upper level layers, while the data link layer
and the physical layer are part of the lower level layers. The lower level
layers' working is mainly dependent on the underlying physical medium,
whereas the upper level layers' working remains transparent with respect to
the lower level layers.
[0017] During data transmission in an OSI network model based
communication network, at a transmitting node, say a network device, data
packets are passed from one layer to the next, starting at the application
layer, and proceeding to the physical layer. At the receiving node, say, the
user device, the data packets are passed from the physical layer and finally
received by the application layer.
[0018] Further, in order to secure the data, the data packets are
typically encrypted before being transmitted over the communication network.
For instance, a lower level layer, such as the data link layer, typically encrypts
the data packets before they are passed on to the physical layer for
transmission. Although encrypting the data packets helps ensure
data security, encrypting all the data packets at the lower level layer
may result in improper utilization or wastage of resources at the lower level
layers. For instance, various applications and services rendered by a service
provider may employ data packet encryption at one or more upper layers,
such as the application layer, transport layer, and the network layer in order
to ensure data security. In such cases, the data packets when received by the
lower level layer may already be encrypted and thus be safe for transmission.
Encrypting such data packets may result in loss of resources utilized in
encrypting the data packets. For instance, encrypting each data packet
before transmission may utilize additional power for encryption related
computations, thus affecting battery life, especially, for the user devices,
owing to their short battery run times. Further, encrypting each data packet
before transmission may increase the latency, both at communication device
and at the network devices, which may thus affect the network device’s
capacity, thereby, resulting in possible transmission delays. Additionally,
computational load in network device directly affects system capacity owing
to which the service providers may either increase the network device’s
capacity or implement additional network devices, thus increasing the
implementation costs for the service provider.
[0019] A conventional technique employed by the service providers to
optimize the resources used for the encryption involves employing policies in
which a user’s data packets are either always encrypted or never encrypted.
In said technique, the decision to either encrypt all the data packets or not
encrypt any data packets is taken irrespective of whether the data packets
have been encrypted at the upper layers based on, for example, user
categories and network types. Examples of the network types include circuit
switched domain and packet domain. In said case, the network providers may
choose to encrypt, for all the users, the data packets of one network type
while choosing not to encrypt for other network types. The user categories
may be created based on type of connections, i.e., post-paid and pre-paid;
connection subscription period, i.e., whether the subscription has been for
greater or lesser than some predetermined time period; and average billing
amount. The service providers may thus choose to encrypt the data packets
for providing a better Quality of Service (QoS) for valuable users or
customers. Although the above approach may help the service provider
save resources substantially, it may create a
great risk to data security for customers whose data has not been encrypted.
Alternatively, the service providers may encrypt all data for all customers;
such an approach may, however, require additional resources, which may
result in certain losses for the service providers.
[0020] According to an implementation of the present subject matter,
system(s) and method(s) for selective encryption of data packets are described.
The systems and the methods can be implemented for securely exchanging
data in the form of data packets between a user device and one or more
network devices in a communication network. Examples of the network
devices include, but are not limited to, base stations, such as eNodeB, a
Radio Network Controller (RNC), Wi-Fi-access points, and gateways. The
system(s) and method(s) facilitate in employing a policy of selective
encryption in which all data packets are analyzed at a lower level layer, say,
the data link layer or the physical layer to identify the data packets that have
been encrypted at an upper level layer. The data packets that have not been
encrypted before are encrypted at the lower level layer before being
transmitted, while the data packets that have been previously encrypted are
transmitted as is. Encrypting, at the lower level layer, the data packets that
have not been encrypted at an upper level layer facilitates in providing data
security to all data packets of the users, thus improving the QoS provided by
a service provider. Further, not encrypting, at the lower level layer, the data
packets that have already been encrypted at the upper level layers facilitates
in reducing transmission time and helps in resource optimization as
transmitting devices do not need to perform the encryption related
computations for all the data packets.
[0021] For instance, in a downlink communication, where the data
packets are transmitted by the network device to the user device, the network
device may initially obtain the data packets to be transmitted to the user
device using a predetermined communication protocol. The communication
protocol may be based on, for example, OSI model. Subsequently, at a lower
level layer of the communication protocol, the data packets are analyzed to
determine if the data packets have been encrypted at an upper level layer of
the communication protocol. Examples of the lower level layer include the
data link layer and the physical layer, while examples of the upper level layer
include the application layer, the transport layer, and the network layer.
[0022] Based on the analysis, a determination may be made as to
whether the data packets have to be encrypted or not. For instance, in case
the data packets have been encrypted at the upper level layer a decision may
be taken to not encrypt the data packets. In case the data packets have not
been encrypted at the upper level layer a decision may be taken to encrypt
the data packets at the lower level layer. The data packets may be
subsequently transmitted to the user device based on the determining.
[0023] Further, in case of an uplink communication, the user device
may either undergo a similar procedure or request the network device to
determine whether the encryption needs to be performed. For instance, in
order to transmit data packets associated with an application, say, an email
exchange server, the user device may transmit a connection establishment
request to the network device for establishing a connection with an
associated network entity using the predetermined communication protocol.
Based on the connection establishment request and encryption information
regarding the application, obtained from the network entity, the network
device may determine if the data packets have been encrypted at an upper
level layer of the communication protocol. Subsequently, a perform
encryption message may be transmitted to user device indicating whether the
data packets have been encrypted at an upper level layer of the
communication protocol.
[0024] The system(s) and method(s) of the present subject matter thus
facilitate in achieving selective encryption of data packets. The present
subject matter facilitates in optimizing resources used for encryption without
compromising on data security of the customers. Since the encryption may
not always be performed at the lower level layers, resource consumption at
the lower level layers may thus be controlled. The service providers may thus
achieve a high level of QoS with better resource utilization. The user may
thus experience better QoS. Further, the selective encryption may result in
decrease in computational load and in turn better battery life of the user
device of the user. Further, the present subject matter improves the
encryption control granularity for the service providers as the service provider
may now have capability for controlling encryption for individual traffic flow for
each user as compared to conventional controlling granularity for controlling
encryption at user level.
[0025] It should be noted that the description and figures merely
illustrate the principles of the present subject matter. It will thus be
appreciated that those skilled in the art will be able to devise various
arrangements that, although not explicitly described or shown herein, embody
the principles of the present subject matter and are included within its spirit
and scope. Furthermore, all examples recited herein are principally intended
expressly to be for pedagogical purposes to aid the reader in understanding
the principles of the present subject matter and the concepts contributed by
the inventor(s) to furthering the art, and are to be construed as being without
limitation to such specifically recited examples and conditions. Moreover, all
statements herein reciting principles, aspects, and embodiments of the
present subject matter, as well as specific examples thereof, are intended to
encompass equivalents thereof.
[0026] It will also be appreciated by those skilled in the art that the
words during, while, and when as used herein are not exact terms that mean
an action takes place instantly upon an initiating action but that there may be
some small but reasonable delay, such as a propagation delay, between the
initial action and the reaction that is initiated by the initial action. Additionally,
the words “connected” and “coupled” are used throughout for clarity of the
description and can include either a direct connection or an indirect
connection.
[0027] The manner in which the systems and the methods of the
present subject matter may be implemented has been explained in detail
with respect to the Figures 1 to 4. While aspects of described system(s) and
method(s) of the present subject matter can be implemented in any number
of different computing systems, environments, and/or configurations, the
embodiments are described in the context of the following system(s).
[0028] Figure 1 illustrates an exemplary communication network
environment implementing a communication system 100 for selective
encryption of data packets, according to an embodiment of the present
subject matter. The communication system 100 includes one or more user
devices 102-1, 102-2, 102-3, …, 102-N communicating with each other over a
communication network 104. The user devices 102-1, 102-2, 102-3,…, 102-N
are hereinafter collectively referred to as user devices 102 and individually
referred to as user device 102. The user devices 102 are used by different
users to communicate with each other through the communication network
104. The user devices 102 also interact with various network entities, such as
one or more network devices 106-1, 106-2, …, 106-N and an application
server 108. The network devices 106-1, 106-2, …, 106-N are hereinafter
collectively referred to as network devices 106 and individually referred to as
network device 106. The user devices 102 may interact with the various
network entities, for example, to avail various communication services or to
communicate with other user devices 102. For instance, the user devices 102
may interact with the application server 108 to avail services, such as audio
and video downloading/streaming, voice communications, video
communications, and conference communications provided by network
providers. The application server 108 may host and execute the services for
the user devices 102.
[0029] The communication network 104 may be a wireless or a wired
network, or a combination thereof. The communication network 104 can be a
collection of individual networks, interconnected with each other and
functioning as a single large network (e.g., the internet or an intranet).
Examples of such individual networks include, but are not limited to, General
Packet Radio Service (GPRS), Enhanced Voice-Data Optimized (EVDO),
Enhanced Data rates for GSM Evolution (EDGE) network, Universal Mobile
Telecommunications System (UMTS) network, Long Term Evolution (LTE)
network, and Institute of Electrical and Electronics Engineers' (IEEE) 802.11
standard (Wi-Fi network). Depending on the technology, the communication
network 104 includes various network devices 106, such as gateways,
routers, controllers. The network devices 106 may be implemented as a base
station, a controller, a gateway, or a router. For instance, the network device
106 may be implemented as an eNodeB or a Serving gateway or a Packet
Data Network (PDN) gateway in case of the communication network 104
being an LTE network. For example, the network device 106-1 may be
implemented as the eNodeB, while the network device 106-2 may be
implemented as the PDN gateway. Further, the network device 106 may be
implemented as a Radio Network Controller (RNC) or a Serving GPRS
support node (SGSN) or a Gateway GPRS support node (GGSN) in case of
the communication network 104 being an UMTS network. For example, the
network device 106-1 may be implemented as the RNC, while the network
device 106-2 may be implemented as the SGSN.
[0030] Examples of the user devices 102 include, but are not limited to,
smart phones, mobile phones, PDA, tablets, hand-held devices, laptops,
wireless adapter, and network computers. Each of the user devices 102
works on a communication protocol as defined by the communication network
104 to which the user devices 102 are communicatively coupled. The
communication protocols may be explained as a set of procedures to be
followed for data transmission through the communication network 104. In
other words, communication protocols define the rules and data formats for
data packet transmission in the communication network 104. For instance, an
Open systems Interconnection (OSI) model defines a networking framework
for implementing communication protocols in seven layers. The seven layers
are, application layer (layer 7), presentation layer (layer 6), session layer
(layer 5), transport layer (layer 4), network layer (layer 3), data link layer
(layer 2), and physical layer (layer 1). The OSI model acts as a framework
that may be used for defining communication protocols for different
communication networks. For instance, the communication protocol for the
LTE network defines a seven layered structure based on the OSI model. In
LTE the upper level layers, i.e., the application layer, the presentation layer,
the session layer, the transport layer, and the network layer are implemented
in a manner as defined by the OSI model, while the lower level layers, i.e.,
the data link layer and the physical layer, are modified in the LTE
implementation. The data link layer in the LTE may further include sub-layers,
such as Packet Data Convergence Protocol sub-layer (PDCP - layer2.1),
Radio Link Control layer (RLC – layer2.2), and MAC layer (layer2.3). Further,
the physical layer implements Orthogonal frequency-division multiplexing
(OFDM) and Single Carrier Frequency Division Multiple Access (SC-FDMA)
based technology to provide service to the data link layer in downlink and
uplink respectively.
[0031] Data packets transmitted through the communication network
104 are typically generated at the application layer and passed from one layer
to the next up to the physical layer for being transmitted. For instance, the
application server 108 may generate the data packets at the application layer
and pass on to the network device 106 for being transmitted to the user
device 102 at the physical layer. Although the description related to the upper
level layer and the lower level layers has been provided with respect to
different entities, however, it will be understood that each entity, such as the
application server 108, the network device 106, and the user device 102
implements the complete protocol stack, i.e., the seven layers.
[0032] According to an embodiment of the present subject matter, a
policy of selective encryption is implemented for securely exchanging data
packets between the user device 102 and the application server 108, via the
network devices 106. In said embodiment, the data packets that have been
encrypted at an upper level layer, say, the application layer, the transport
layer, or the network layer, are transmitted without further encryption at a
lower level layer, say, the data link layer or the physical layer, while the data
packets that have not been encrypted at any upper level layer may be
encrypted at the lower level layer before being transmitted.
[0033] In one implementation, the analysis for determining whether the
data packets have been encrypted at the upper level layer or not is performed
at the user device 102 and the network device 106 for an uplink
communication and a downlink communication, respectively. For instance, in
case of the downlink communication, the data packets generated by the
application server 108 for being transmitted to the user device 102 are
analyzed at the lower level layer by the network device 106, while in case of
the uplink communication, the data packets generated at an upper level layer
of the user device 102, for being transmitted to the application server 108, are
analyzed at the lower level layer by the user device 102.
[0034] In accordance with the said embodiment, the network device 106
and the user device 102 may include a communication module and an
analysis module for implementing the selective encryption of the data
packets. For instance, the network device 106 may include a communication
module 110-1 and an analysis module 112-1, while the user device 102-1
may include a communication module 110-2 and an analysis module 112-2.
The communication module 110-1 and the communication module 110-2 may
be collectively referred to as the communication modules 110 and individually
referred to as the communication module 110. The analysis module 112-1
and the analysis module 112-2 may be collectively referred to as the analysis
modules 112 and individually referred to as the analysis module 112. Further,
each of the user devices 102 may have the communication module 110 and
the analysis module 112. Although, Figure 1 has been described with respect
to the network device 106, it would be understood that the method of
selective encryption may be implemented at the user devices 102 also.
Further, although the communication module 110-1 and the analysis module
112-1 have been shown as a part of a single network device 106, the
communication module 110-1 and the analysis module 112-1, however, may
be implemented on separate network devices 106. For instance, the analysis
module 112-1 may be implemented by the PDN gateway, say, the network
device 106-2, while the communication module 110-1 may be implemented
as the eNodeB, say, the network device 106-1. However, for the sake of
brevity, and not as a limitation, the description is provided with respect to the
communication module 110-1 and the analysis module 112-1 being provided
on a single network device 106.
[0035] In operation, during a downlink operation, for instance, where
the application server 108 is transmitting some data to the user device 102,
the application server 108 may initially generate the data packets. As will be
understood by a person skilled in the art, the application server 108 typically
generates the data packets using the upper level layer protocols, such as the
application layer protocol and subsequently transmits the data packets to the
user devices 102 using one or more network devices, such as the network
device 106. The network device 106 may subsequently process the data
packets using the lower level layer protocols, such as the physical layer
protocol for transmitting the data packets to the user devices 102. For
instance, in the UMTS network, the application server 108 may transmit the
data packets to a gateway general packet radio service support node
(GGSN). The GGSN may transmit the data packets to a serving GSN
(SGSN), which may transmit the data packets to the RNC. The RNC may
further transmit the data packets to a NodeB, which may eventually transmit
the data packets to the user device 102. As will be understood, the method
for selective encryption of data packets may be implemented by any of the
above described network devices 106 having capability of analyzing data
packets at the upper level layers.
[0036] Upon receiving the data packets, the analysis module 112-1 of
the network device 106 may analyze the data packets, at the lower level layer
of the communication protocol. The analysis module 112-1 may determine if
the data packets have been encrypted at an upper level layer of the
communication protocol. For instance, the analysis module 112-1 may
determine whether the data packets have been encrypted at any one of the
application layer, the transport layer, and the network layer at the application
server 108. In case the analysis module 112-1 determines that the data
packets have been encrypted at the upper level layer, a decision may be
taken to not encrypt the data packets. In case the data packets have not been
encrypted at the upper level layer, the analysis module 112-1 may encrypt the
data packets at the lower level layer. Further, in case of the data packets not
being encrypted at the upper level layer, the analysis module 112-1 may
further determine whether the data packets have to be encrypted or not
based on one or more encryption policies defined by the network provider.
[0037] The data packets thus ascertained by the analysis module 112-1
for being encrypted based on the encryption policy may be subsequently
encrypted by the network device 106 using any of the known techniques of
encryption. Further, the communication module 110-1 transmits the data
packets to the user device 102.
[0038] Further, in case of an uplink communication, the user device
102 too may implement the method of selective encryption of data packets
before transmitting the data packets to the application server 108 via the
network devices, such as the network device 106. In one embodiment, the
user device 102 may undergo a similar procedure of analyzing the data
packets at the lower level layer and transmitting the data packets based at
least on the analysis. In such a case, the analysis module 112-2 of the user
device 102 may perform the analysis to determine if the data packets have
been encrypted at the upper level layer. Further, in case the data packets
have not been encrypted, the analysis module 112-2 may perform the
determination based on the encryption policy to ascertain if the data packets
have to be encrypted. The communication module 110-2 of the user device
102 may subsequently transmit the data packets.
[0039] In another embodiment, the user device 102 may request the
network device 106 to determine whether the encryption needs to be
performed. For instance, in order to exchange data packets with the
application server 108, say, a banking server, the communication module
110-2 of the user device 102 may transmit a connection establishment
request to the network device 106 for establishing a connection with the
application server 108 using the predetermined communication protocol. The
analysis module 112-1 of the network device 106 may subsequently obtain
encryption information regarding the application, such as a communication
channel to be used for data exchange, from the application server 108. Based
on the connection establishment request and the encryption information, the
analysis module 112-1 may determine if the data packets will be encrypted at
an upper level layer of the communication protocol. For instance, the
encryption information may indicate that a secure channel, such as Transport
Layer Security (TLS), will be used by the user device 102 and the application
server 108 to communicate, or that the application server 108 has
communicated a Hypertext Transfer Protocol (HTTP) Strict Transport Security
(HSTS) policy to the user device 102 for the communication. Subsequently,
the communication module 110-2 may transmit a perform encryption
message to the user device 102 indicating whether the data packets will be
encrypted at an upper level layer of the communication protocol or not. The
user device 102 may subsequently determine whether the data packets have
to be encrypted at the lower level layer or not, based on the perform
encryption message and the encryption policy.
[0040] Figure 2 illustrates components of an encryption system 202 of
the communication system 100 for selective encryption of data packets,
according to an embodiment of the present subject matter. In one
implementation, the encryption system 202 may be implemented as a single
network device 106, say, an eNodeB to perform the selective encryption of
data packets during a downlink communication, i.e., while transmitting data
from the application server 108 to the user device 102. In another
implementation, the encryption system 202 may be implemented across
different network devices 106, say, an eNodeB and a PDN gateway to
perform the selective encryption of data packets during the downlink
communication. In yet another implementation, the encryption system 202
may be implemented as the user device 102 to perform the selective
encryption of data packets during an uplink communication, i.e., while
transmitting data from the user device 102 to the application server 108, via
the network device 106.
[0041] In one implementation, the encryption system 202 includes one
or more processor(s) 204, I/O interface(s) 206, and memory 208 coupled to
the processor 204. Further, in the implementation where the encryption
system 202 may be implemented across different network devices 106, each
of the network devices 106 may include the processor(s) 204, the I/O
interface(s) 206, and the memory 208.
[0042] The processor(s) 204 can be a single processing unit or a
number of units, all of which could include multiple computing units. The
processor(s) 204 may be implemented as one or more microprocessors,
microcomputers, microcontrollers, digital signal processors, central
processing units, state machines, logic circuitries, and/or any devices that
manipulate signals based on operational instructions. Among other
capabilities, the processor 204 is configured to fetch and execute
computer-readable instructions and data stored in the memory 208.
[0043] The I/O interface(s) 206 may include a variety of software and
hardware interface(s), for example, interface(s) for peripheral device(s), such
as a keyboard, a mouse, a display unit, an external memory, and a printer.
Further, the I/O interface(s) 206 may enable the encryption system 202 to
communicate with other devices, such as web servers and external
databases. The I/O interface(s) 206 can facilitate multiple communications
within a wide variety of networks and protocol types, including wired
networks, for example, local area network (LAN), cable, etc., and wireless
networks, such as Wireless LAN (WLAN), cellular, or satellite. For the
purpose, the I/O interface(s) 206 may include one or more ports for
connecting a number of computing systems with one another or to a network.
[0044] The memory 208 may include any non-transitory
computer-readable medium known in the art including, for example, volatile memory,
such as static random access memory (SRAM) and dynamic random access
memory (DRAM), and/or non-volatile memory, such as read only memory
(ROM), erasable programmable ROM, flash memories, hard disks, optical
disks, and magnetic tapes. In one implementation, the encryption system 202
also includes modules 210 and data 212.
[0045] The modules 210, amongst other things, include routines,
programs, objects, components, data structures, etc., which perform
particular tasks or implement data types. The modules 210 may also be
implemented as signal processor(s), state machine(s), logic circuitries,
and/or any other device or component that manipulates signals based on
operational instructions.
[0046] Further, the modules 210 can be implemented in hardware,
instructions executed by a processing unit, or by a combination thereof. The
processing unit can comprise a computer, a processor, such as the processor
204, a state machine, a logic array or any other suitable devices capable of
processing instructions. The processing unit can be a general-purpose
processor which executes instructions to cause the general-purpose
processor to perform the tasks or, the processing unit can be dedicated to
perform the functions.
[0047] In another aspect of the present subject matter, the modules
210 may be machine-readable instructions which, when executed by a
processor/processing unit, perform any of the described functionalities. The
machine-readable instructions may be stored on an electronic memory
device, hard disk, optical disk or other machine-readable storage medium or
non-transitory medium. In one implementation, the machine-readable
instructions can also be downloaded to the storage medium via a network
connection.
[0048] In one implementation, the modules 210 include a
communication module 214, an analysis module 216, an encryption module
218, and other module(s) 220. The other modules 220 may include programs
or coded instructions that supplement applications and functions of the
encryption system 202. The data 212 serves, amongst other things, as a
repository for storing data processed, received, and generated by one or
more of the modules 210. The data 212 includes communication data 222,
analysis data 224, encryption data 226, and other data 228. The other data
228 includes data generated as a result of the execution of one or more
modules in the modules 210.
[0049] As previously described, in one implementation, the encryption
system 202 may be implemented over one or more network devices 106,
while in another implementation the encryption system 202 may be
implemented as the user device 102. When implemented as the network
device 106, the communication module 214 and the analysis module 216
may implement the functionalities similar to the functionalities of the
communication module 110-1 and the analysis module 112-1. When
implemented as the user device 102, the communication module 214 and the
analysis module 216 may implement the functionalities similar to the
functionalities of the communication module 110-2 and the analysis module
112-2. Further, in case of the encryption system 202 being implemented
across different network devices 106, the analysis module 216, and the
analysis data 224 may be provided in a first network device 106-2, say, the
PDN gateway, while the communication module 214, the encryption module
218, the communication data 222, and the encryption data 226 may be
provided in a second network device 106-2, say, the eNodeB.
[0050] In operation, the communication module 214 may initially obtain
the data packets that have to be transmitted to another device using a
predetermined communication protocol. The other device, as will be
understood, may be the user device 102 in case of the encryption system 202
being the network devices 106; while the other device, as will be understood,
may be the network device 106 in case of the encryption system 202 being
the user device 102. Further, as previously described, the communication
protocol may be, for example, the OSI model.
[0051] Further, in case of the encryption system 202 being the network
device 106, the data packets may be generated by a network entity, such as
the application server 108 and obtained by the communication module 214
either directly or through other intermediate network devices. In case of the
encryption system 202 being the user device 102, the data packets may be
generated by a packet generation module (not shown in the figure), part of
the other modules 220, and obtained by the communication module 214 from
the other data 228.
[0052] Upon obtaining the data packets, the communication module
214 may save the data packets in the communication data 222 for further
processing and transmission by the encryption system 202 using the lower
level layer protocols. Subsequently, at the lower level layer of the
communication protocol, the data packets are analyzed by the analysis
module 216 to determine if the data packets have been encrypted at an upper
level layer of the communication protocol. In one implementation, the analysis
module 216 may analyze the data packets using a process of deep packet
inspection. As will be understood, deep packet inspection, also known as
complete packet inspection and information extraction (IX), is a process of
data packet filtering that examines data part and header of a data packet at
an inspection point, such as a gateway.
[0053] In one implementation, the analysis module 216 may perform
the deep packet inspection to determine if the data packets have been
encrypted at any of the application layer, the transport layer, and the network
layer. The analysis module 216 may initially analyze the data packets to
determine if the data packets have been encrypted at the network layer
based on one or more predefined parameters. The one or more parameters
may define, for example, value of different headers of the data packets and
port numbers used by the upper level layers. For instance, the analysis
module 216 may perform the deep packet inspection to ascertain if an
Internet Protocol (IP) header corresponding to the data packets has a value
equal to 0x33, indicating an authentication header. In case the analysis
module 216 ascertains that the IP header corresponding to the data packets
indicates the authentication header, the analysis module 216 may determine
the data packets to have been encrypted at the upper level layer. The
analysis module 216 in such a case may take a decision to not encrypt the
data packets and subsequently save the data packets in the analysis data
224 for being transmitted to the communication module 214.
[0054] In case the analysis module 216 ascertains that the data
packets have not been encrypted at the network layer, the analysis module
216 may analyze the data packets to determine if the data packets have been
encrypted at the transport layer based on the predefined parameters. For
instance, the analysis module 216 may perform the deep packet inspection to
obtain a port number, either a destination port or a source port, provided in a
transport header, for example, a TCP header, a UDP header, a Stream
Control Transmission Protocol (SCTP) header, and the like corresponding to
the data packets. The analysis module 216 may then ascertain if the port
number is equal to a predetermined port number, such as port 443. As will be
understood, the port 443 has been defined as a default port to be used when
a device is using HTTP/Transport Layer Security (TLS) protocol over a
TCP/IP channel. Thus, an application using the port number 443 (source or
destination) may be determined to be using an encrypted connection using
TLS/Secure Sockets Layer (SSL).
[0055] In case the analysis module 216 ascertains that the port number
is equal to the predetermined port number, the analysis module 216 may
determine that the data packets have already been encrypted at the upper
level layer. The analysis module 216 in such a case may take a decision to
not encrypt the data packets and subsequently save the data packets in the
analysis data 224 for being transmitted to the communication module 214.
[0056] If the analysis module 216 ascertains that the data packets
have not been encrypted at the transport layer, the analysis module 216 may
analyze the data packets to determine if the data packets have been
encrypted at the application layer based on the predefined parameters. In one
implementation, the analysis by the analysis module 216 may vary based on
a security or encryption protocol used by the application layer. As will be
understood, the application layer may use any of a plurality of security or
encryption protocols for encrypting the data packets. The analysis module
216 may thus analyze the data packets for all the security or encryption
protocols. In case it is identified that the data packets have been encrypted
using one of the security or encryption protocols, the analysis module 216
may stop the analysis and determine the data packets to be encrypted. For
instance, in order to determine if the data packets have been encrypted at the
application layer using the TLS protocol, the analysis module 216 may
perform the deep packet inspection to ascertain whether a network
connection value is equal to “upgrade”. In case the network connection value
is equal to “upgrade”, the analysis module 216 may ascertain if a protocol
upgrade value is equal to transport layer security version 1.0. If the analysis
module 216 determines both the conditions to be true, it may be determined
that the data packets have been encrypted at the application layer. The
analysis module 216 in such a case may take a decision to not encrypt the
data packets and subsequently save the data packets in the analysis data
224 for being transmitted to the communication module 214. In case the
analysis module 216 determines that either of the conditions is not true, the
analysis module 216 may determine that the data packets have not been
encrypted using TLS protocol. The analysis module 216 may subsequently
proceed with analyzing whether the data packets have been encrypted using
any other encryption protocol, such as the HSTS protocol.
[0057] In order to determine if the data packets have been encrypted at
the application layer using the HSTS protocol, the analysis module 216 may
perform the deep packet inspection to ascertain if a value of Strict Transport
Security header (STSH) field is equal to a predetermined string, say,
“strict-transport-security”. In case the value of the STSH field is equal to the string,
the analysis module 216 may determine that the data packets have been
encrypted at the application layer. The analysis module 216 in such a case
may take a decision to not encrypt the data packets and subsequently save
the data packets in the analysis data 224 for being transmitted to the
communication module 214.
[0058] In case, upon analyzing the data packets with respect to all
encryption protocols the analysis module 216 determines that the data
packets have not been encrypted at the upper level layer, a decision may be
taken to encrypt the data packets at the lower level layer, say, the data link
layer. In one embodiment, the analysis module 216 may further determine
whether the data packets have to be encrypted or not. As previously
described, the analysis module 216 may determine whether the data packets
have to be encrypted or not based on the one or more encryption policies
defined by the network provider. In one implementation, the encryption policy
may categorize the data packets into sensitive data, such as voice call data,
video call data, and Domain Name System (DNS) query data; and non-sensitive
data, such as background traffic data, File Transfer Protocol (FTP)
data, and music/video streaming data.
[0059] Based on the encryption policy, the analysis module 216 may
thus determine to encrypt the data packets corresponding to the sensitive
data. The data packets thus identified for being encrypted based on the
encryption policy may be subsequently encrypted. The analysis module 216
may save the above selected data packets in the analysis data 224 for being
encrypted. Further, the data packets that are identified as being safe for
transmission without any encryption may also be saved by the analysis
module 216 in the analysis data 224 for being transmitted by the
communication module 214.
[0060] Further, the data packets that are ascertained to require
encryption based on the above described determinations are encrypted by
the encryption module 218 using any of the known techniques of encryption.
The data packets thus encrypted may be saved in the encryption data 226.
The communication module 214 may subsequently transmit the data packets
over the communication network 104, for instance, to the user device 102.
Further, in one embodiment the analysis to determine whether the data
packets have been encrypted at the upper layers may be performed once for
a session. For instance, the encryption system 202 may analyze the data
packets at the beginning of a communication session and implement the
decision of either encrypting or not encrypting for all data packets of the
communication session. The encryption system 202 may implement the
above embodiment as typically a common protocol is used for data packets
associated with a single communication session. Performing the analysis just
once helps reduce the computations performed by the encryption
system 202, thus optimizing computational resources of the network devices
106 and the user devices 102 implementing the encryption system 202.
[0061] Figures 3 and 4 illustrate methods 300 and 400, respectively, of
selective encryption of data packets, in accordance with an embodiment of
the present subject matter. The order in which the methods are described is
not intended to be construed as a limitation, and any number of the described
method blocks can be combined in any order to implement the methods 300
and 400 or any alternative methods. Additionally, individual blocks may be
deleted from the methods without departing from the spirit and scope of the
subject matter described herein. Furthermore, the method(s) can be
implemented in any suitable hardware, software, firmware, or combination
thereof.
[0062] The method(s) may be described in the general context of
computer executable instructions. Generally, computer executable
instructions can include routines, programs, objects, components, data
structures, procedures, modules, functions, etc., that perform particular
functions or implement particular abstract data types. The methods may also
be practiced in a distributed computing environment where functions are
performed by remote processing devices that are linked through a
communications network. In a distributed computing environment, computer
executable instructions may be located in both local and remote computer
storage media, including memory storage devices.
[0063] A person skilled in the art will readily recognize that steps of the
method(s) can be performed by programmed computers. Herein, some
embodiments are also intended to cover program storage devices, for
example, digital data storage media, which are machine or computer
readable and encode machine-executable or computer-executable programs
of instructions, where said instructions perform some or all of the steps of the
described method. The program storage devices may be, for example, digital
memories, magnetic storage media, such as magnetic disks and magnetic
tapes, hard drives, or optically readable digital data storage media. The
embodiments are also intended to cover both communication network and
communication devices configured to perform said steps of the exemplary
method(s).
[0064] Figure 3 illustrates the method 300 of selective encryption of
data packets, in accordance with an embodiment of the present subject
matter.
[0065] At block 302, a data packet is obtained by an encryption system
for being transmitted to a device. In one implementation, the data packet may
be obtained by a network device for being transmitted to a user device using
a predetermined communication protocol. In another implementation, the data
packet may be obtained by a user device for being transmitted to a network
entity, via a network device using a predetermined communication protocol.
[0066] At block 304, it is determined whether the data packet has been
encrypted at a network layer. For example, the analysis module 216 may
determine that the conditions defined for deep packet inspection at the
network layer are met (‘Yes’ path from block 304). In such a case, the data
packet may be transmitted without any further encryption at a lower level
layer, such as a data link layer and physical layer (block 306). If it is
determined that the data packet has not been encrypted at the network layer
(‘No’ path from block 304), the data packet is further analyzed at block 308.
[0067] At block 308, it is determined whether the data packet has been
encrypted at a transport layer. For example, the analysis module 216 may
determine that the conditions defined for deep packet inspection at the
transport layer are met (‘Yes’ path from block 308). In such a case, the data
packet may be transmitted without any further encryption at the lower level
layer (block 306). If it is determined that the data packet has not been
encrypted at the transport layer (‘No’ path from block 308), the data packet is
further analyzed at block 310.
[0068] At block 310, it is determined whether the data packet has been
encrypted at an application layer. For example, the analysis module 216 may
determine that the conditions defined for deep packet inspection at the
application layer are met (‘Yes’ path from block 310). In such a case, the data
packet may be transmitted without any further encryption at the lower level
layer (block 306). If it is determined that the data packet has not been
encrypted at the application layer (‘No’ path from block 310), the data packet
is processed at block 312.
[0069] At block 312, it is determined whether the data packet has to be
encrypted or not. For example, the data packet is analyzed by the analysis
module 216 based on encryption policies to determine if the data packet
contains any sensitive data and thus has to be encrypted at the lower level
layer (‘Yes’ path from block 312). In such a case, the data packet may be
encrypted by the encryption module 218 to obtain an encrypted data packet
for being transmitted by the communication module 214 (block 314). If
it is determined that the data packet may be transmitted without any further
encryption (‘No’ path from block 312), the data packet is transmitted to the
other device at the block 306.
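The layered checks of paragraphs [0053] to [0059] (blocks 304 to 314), together with the once-per-session reuse of paragraph [0060], written out as an added Python example that is not part of the original text. The category labels, the `TLS/1.0` upgrade token spelling, the helper names and the constructed sample packets are assumptions; each rule is applied as the text states it, with practitioner caveats in the comments.

```python
import struct

AH_PROTO = 0x33   # IP protocol value the text tests for (51, Authentication Header)
TLS_PORT = 443    # the text's "predetermined port number"
TCP, UDP, SCTP = 6, 17, 132
SENSITIVE = {"voice", "video_call", "dns"}  # assumed labels for the text's sensitive data

def build_packet(proto, sport=0, dport=0, payload=b""):
    """Constructed sample input: minimal IPv4 packet, checksums left at zero."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    elif proto == UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + l4

def parse_ipv4(pkt):
    """Return (protocol, src_port, dst_port, tcp_payload) for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, l4 = pkt[9], pkt[ihl:]
    sport = dport = None
    payload = b""
    if proto in (TCP, UDP, SCTP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])   # ports lead all three headers
    if proto == TCP and len(l4) >= 20:
        payload = l4[(l4[12] >> 4) * 4:]              # skip TCP header and options
    return proto, sport, dport, payload

def http_headers(payload):
    """Lower-cased header map from a cleartext HTTP message; {} if none parse."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:               # skip request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    return headers

def tokens(value):
    """Split a comma-separated header value into a set of tokens."""
    return {t.strip() for t in value.split(",") if t.strip()}

def upper_layer(pkt):
    """Blocks 304/308/310: layer at which the rules deem pkt encrypted, else None."""
    proto, sport, dport, payload = parse_ipv4(pkt)
    # Block 304. AH authenticates but does not encrypt (ESP is protocol 50);
    # the rule is applied here exactly as stated in the text.
    if proto == AH_PROTO:
        return "network"
    # Block 308. A port number is a hint, not proof that TLS is in use.
    if TLS_PORT in (sport, dport):
        return "transport"
    # Block 310. Any header DPI can read travelled in cleartext in this packet.
    h = http_headers(payload)
    conn, upg = tokens(h.get("connection", "")), tokens(h.get("upgrade", ""))
    if "upgrade" in conn and "tls/1.0" in upg:
        return "application"
    if "strict-transport-security" in h:
        return "application"
    return None

def decide(pkt, category):
    """Blocks 304-314: return (action, reason) for one packet."""
    layer = upper_layer(pkt)
    if layer:
        return ("transmit", layer)                    # block 306
    if category in SENSITIVE:
        return ("encrypt", "policy")                  # block 314
    return ("transmit", "policy")                     # block 306

class SessionDecider:
    """Paragraph [0060]: analyze once per session and reuse the decision."""
    def __init__(self):
        self.cache, self.analyses = {}, 0

    def decide(self, pkt, category):
        proto, sport, dport, _ = parse_ipv4(pkt)
        key = (bytes(pkt[12:20]), proto, sport, dport)   # addresses + ports
        if key not in self.cache:                        # first packet decides for the flow
            self.analyses += 1
            self.cache[key] = decide(pkt, category)
        return self.cache[key]

if __name__ == "__main__":
    for name, pkt, cat in [
        ("AH", build_packet(AH_PROTO), "background"),
        ("port 443", build_packet(TCP, 50000, 443), "background"),
        ("DNS query", build_packet(UDP, 50000, 53, b"\x00" * 12), "dns"),
    ]:
        print(name, decide(pkt, cat))
```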
[0070] Figure 4 illustrates the method 400 of selective encryption of
data packets, in accordance with an embodiment of the present subject
matter.
[0071] At block 402, a connection establishment request is transmitted,
by a user device, to a network device for establishing a connection with an
associated network entity using a predetermined communication protocol. For
example, the user device 102 may transmit the connection establishment
request to the network device 106 for establishing a connection with the
application server 108.
[0072] At block 404, a perform encryption message is received by the
user device. In one example, the user device may receive the perform
encryption message from the network device in response to the connection
establishment request. The perform encryption message may indicate
whether the data packets that will be transmitted to the network entity will be
encrypted at an upper level layer of the communication protocol.
[0073] At block 406, it is determined whether the data packets have to
be encrypted or not. For example, the perform encryption message may
indicate that the data packets will not be encrypted at the upper level layer
and thus have to be encrypted at a lower level layer, such as a data link layer
and physical layer (‘Yes’ path from block 406). In such a case, the data packets
may be encrypted by the encryption module 218 to obtain encrypted data
packets for being transmitted by the communication module 110 (block 408).
If it is determined that the data packet may be transmitted without any
further encryption at the lower level layer (‘No’ path from block 406), the data
packets are transmitted at the block 410.
[0074] Although embodiments for the present subject matter have
been described in a language specific to structural features and/or method(s),
it is to be understood that the subject matter is not necessarily limited to the
specific features or method(s) described. Rather, the specific features and
methods are disclosed as exemplary embodiments of the present subject
matter.
I/We claim:
1. An encryption system (202) for selective encryption of data packets, the
encryption system (202) comprising:
a processor (204); and
an analysis module (216) coupled to the processor (204) to,
analyze, at a lower level layer of a communication protocol, data
packets to be transmitted to a device using the communication
protocol, to determine if the data packets have been encrypted at an
upper level layer of the communication protocol; and
determine whether the data packets have to be encrypted in
lower layer based at least on the analyzing.
2. The encryption system (202) as claimed in claim 1, wherein the analysis
module (216) is further to,
determine if the data packets have been encrypted at a network layer
based on one or more predefined parameters;
ascertain, for the data packets not been encrypted at the network
layer, if the data packets have been encrypted at a transport layer based on
the one or more predefined parameters; and
determine, for the data packets not been encrypted at the transport
layer, if the data packets have been encrypted at an application layer based
on the one or more predefined parameters.
3. The encryption system (202) as claimed in claim 2, wherein the analysis
module (216) is further to:
ascertain if an Internet Protocol header corresponding to the data
packets has a value equal to 0x33, indicating an authentication header; and
determine the data packets to have been encrypted at the network
layer for the value being equal to 0x33.
4. The encryption system (202) as claimed in claim 2, wherein the analysis
module (216) is further to:
obtain a port number provided in a transport header corresponding to
the data packets;
ascertain if the port number is equal to a predetermined port number;
and
determine the data packets to be encrypted at the transport layer for
the port number being equal to the predetermined port number.
5. The encryption system (202) as claimed in claim 2, wherein the analysis
module (216) is further to:
ascertain if a value of Strict Transport Security header (STSH) field is
equal to a string “strict-transport-security”; and
determine the data packets to have been encrypted at the application
layer for the STSH field being equal to the string.
6. The encryption system (202) as claimed in claim 2, wherein the analysis
module (216) is further to ascertain whether:
a network connection value is equal to upgrade; and
a protocol upgrade value is equal to transport layer security version 1.0
to determine if the data packets have been encrypted at the application layer.
7. The encryption system (202) as claimed in claim 1, wherein the encryption
system (202) further comprises:
an encryption module (218) coupled to processor (204), the encryption
module (218) is to encrypt the data packets before being transmitted, for the
data packets not been encrypted at the upper layer; and
a communication module (214) coupled to the processor (204) to
transmit the data packets to the device.
8. A method for selective encryption of data packets, the method comprising:
obtaining, by a network device (106), data packets to be transmitted to
a user device (102) using a predetermined communication protocol;
at a lower level layer of the predetermined communication protocol,
analyzing the data packets, by the network device (106), to determine if the
data packets have been encrypted at an upper level layer of the
predetermined communication protocol;
determining, by the network device (106), whether the data packets
have to be encrypted at the lower level layer based at least on the analyzing;
and
transmitting, by the network device (106), the data packets to the user
device (102) based on the determining.
9. The method as claimed in claim 8, wherein the transmitting further
comprising, for the data packets not been encrypted at the upper level layer,
encrypting the data packets before being transmitted.
10. The method as claimed in claim 8, wherein the determining further
comprising ascertaining whether the data packets have to be encrypted
based on one or more encryption policies.
11. The method as claimed in claim 8, wherein the analyzing the data packets
further comprising:
determining if the data packets have been encrypted at a network layer
based on one or more predefined parameters;
ascertaining, for the data packets not been encrypted at the network
layer, if the data packets have been encrypted at a transport layer based on
the one or more predefined parameters; and
determining, for the data packets not been encrypted at the transport
layer, if the data packets have been encrypted at an application layer based
on the one or more predefined parameters.
36
12. A method for selective encryption of data packets, the method
comprising:
transmitting, by a user device (102), a connection establishment
request to a network device (106) for establishing a connection with an
associated network entity using a predetermined communication protocol;
receiving, by the user device (102), a perform encryption message
from the network device (106) indicating whether the data packets to be
transmitted to the network entity will be encrypted at an upper level layer of
the predetermined communication protocol;
at a lower level layer of the predetermined communication protocol,
determining, by the user device (102), whether the data packets have to be
encrypted based at least on the perform encryption message; and
transmitting, by the user device (102), the data packets to the network
entity based on the determining.
13. The method as claimed in claim 12, wherein the transmitting further
comprises, for the data packets that have not been encrypted at the upper level layer,
encrypting the data packets before being transmitted.
14. The method as claimed in claim 12, wherein the determining further
comprises ascertaining whether the data packets have to be encrypted
based on one or more encryption policies.
15. A non-transitory computer-readable medium having embodied thereon a
computer program for executing a method of selective encryption of data
packets, the method comprising:
obtaining, by a network device (106), data packets to be transmitted to
a user device (102) using a predetermined communication protocol;
at a lower level layer of the predetermined communication protocol,
analyzing the data packets, by the network device (106), to determine if the
data packets have been encrypted at an upper level layer of the
predetermined communication protocol;
determining, by the network device (106), whether the data packets
have to be encrypted at a lower level layer based at least on the analyzing;
and
transmitting, by the network device (106), the data packets to the user
device (102) based on the determining.
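
Added illustration, not part of the patent text: a sketch of the layered check of claim 11 (network, then transport, then application layer) feeding the lower-layer decision of claims 8 to 10. The claims do not name the "predefined parameters"; the IPsec protocol numbers, the TLS record-header check, the entropy threshold and the `always_encrypt` policy flag are assumptions made for this example, and the packets are constructed samples.

```python
import hashlib, math, struct
from collections import Counter

ESP, AH, TCP = 50, 51, 6   # IANA IP protocol numbers

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def encrypted_at(packet: bytes):
    """Return 'network', 'transport', 'application' or None for an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                               # not a parsable IPv4 header
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto in (ESP, AH):                        # assumed parameter: IPsec header present
        return "network"
    if proto != TCP or len(packet) < ihl + 20:
        return None
    payload = packet[ihl + (packet[ihl + 12] >> 4) * 4:]   # skip the TCP header
    # Assumed parameter: TLS record header (content type 20-23, version 0x0300-0x0304)
    if len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3 and payload[2] <= 4:
        return "transport"
    # Assumed heuristic: a near-random payload suggests application-level encryption
    if len(payload) >= 256 and entropy(payload) > 7.0:
        return "application"
    return None

def must_encrypt_lower(packet: bytes, always_encrypt: bool = False) -> bool:
    """Encrypt at the lower layer unless an upper layer already did, or policy forces it."""
    return always_encrypt or encrypted_at(packet) is None

# --- constructed sample packets (not captured traffic) ---
def ipv4(proto: int, body: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + body

def tcp(payload: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload

RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes
SAMPLES = {
    "esp": ipv4(ESP, b"\x00" * 16),
    "tls": ipv4(TCP, tcp(b"\x17\x03\x03\x00\x10" + b"\x00" * 16)),
    "app": ipv4(TCP, tcp(b"\x01" + RANDOMISH)),
    "http": ipv4(TCP, tcp(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")),
}
```

High entropy also matches compressed plaintext, so skipping lower-layer encryption on that signal alone can let unencrypted data through. Encrypting whenever the analysis is inconclusive is the safer default.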
| # | Name | Date |
|---|---|---|
| 1 | 1648-DEL-2014-AbandonedLetter.pdf | 2019-11-05 |
| 1 | SPEC FOR E-FILING.pdf | 2014-06-27 |
| 2 | 1648-DEL-2014-FER.pdf | 2019-03-18 |
| 2 | FORM 5.pdf | 2014-06-27 |
| 3 | 1648-DEL-2014-Correspondence-Others-(11-07-2014).pdf | 2014-07-11 |
| 3 | FORM 3.pdf | 2014-06-27 |
| 4 | 1648-DEL-2014-GPA-(11-07-2014).pdf | 2014-07-11 |
| 4 | FIG IN.pdf | 2014-06-27 |
| 1 | TPOsearchstratgy_14-03-2019.pdf | |