(19)
(11)EP 3 289 747 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
01.07.2020 Bulletin 2020/27

(21)Application number: 15722111.0

(22)Date of filing:  28.04.2015
(51)International Patent Classification (IPC): 
H04L 29/06(2006.01)
H04L 29/08(2006.01)
H04L 12/801(2013.01)
(86)International application number:
PCT/EP2015/059252
(87)International publication number:
WO 2016/173635 (03.11.2016 Gazette  2016/44)

(54)

METHOD AND SYSTEM FOR MANAGING COMMUNICATIONS IN A SYSTEM COMPRISING A RECEIVER ENTITY, A SENDER ENTITY, AND A NETWORK ENTITY

VERFAHREN UND SYSTEM ZUR VERWALTUNG VON KOMMUNIKATION IN EINEM SYSTEM MIT EINER EMPFÄNGEREINHEIT, EINER SENDEREINHEIT UND NETZWERKEINHEIT

PROCÉDÉ ET SYSTÈME POUR GÉRER DES COMMUNICATIONS DANS UN SYSTÈME COMPRENANT UNE ENTITÉ RÉCEPTRICE, UNE ENTITÉ ÉMETTRICE ET UNE ENTITÉ RÉSEAU


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(43)Date of publication of application:
07.03.2018 Bulletin 2018/10

(73)Proprietor: Telefonaktiebolaget LM Ericsson (publ)
164 83 Stockholm (SE)

(72)Inventors:
  • NÁDAS, Szilveszter
    H-1097 Budapest (HU)
  • MIHÁLY, Attila
    H-2120 Dunakeszi (HU)

(74)Representative: Zacco Sweden AB 
P.O. Box 5581
114 85 Stockholm
114 85 Stockholm (SE)


(56)References cited: : 
WO-A1-2008/015379
US-A1- 2010 135 287
US-A1- 2004 006 602
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    Technical field



    [0001] The present invention relates in general to managing communications in a system, more specifically to managing communications in a system comprising a sender entity, a receiver entity, and a network entity. More in detail, the present invention relates to a system, a method for managing communications, a sender entity, a receiver entity, a network entity, a program and a signal.

    Background



    [0002] There are currently a few trends in networking. One relates to the privacy of communication. Accelerated by the recent pervasive monitoring attempts revealed, more and more traffic is sent end-to-end encrypted. One relevant example is the recently finalized HTTP2.0 protocol (second major version of the Hypertext Transfer Protocol) in IETF (Internet Engineering Task Force), which assumes de facto encryption using TLS (Transport Layer Security) over TCP (Transmission Control Protocol). Similarly, the recently proposed next-generation transport protocol for web by Google, QUIC (Quick UDP Internet Connections), also assumes end-to-end encryption.

    [0003] Document WO 2008/0153379 A1 discloses a user application which requests a download service from a server using a user defined priority index and API (application programmers interface) which builds data from the user application into data packets for transmission. The API retrieves the appropriate user defined priority index for the application, constructs the request packet and sends it to the server. The server builds packets containing the download data and associates them with the user defined priority index from the request and forwards the requested download to the router. The router prioritizes the packets according to their user defined priority index.

    [0004] Another change relates to the multiplexing of traffic. In the case of best-effort handling at the bottleneck, traffic multiplexing between the same endpoints allows for resource sharing that is more aligned with the QoE-needs (QoE stands for Quality of Experience) of the different streams sharing the same connection. This is why HTTP2.0 also uses the multiplexing paradigm. Similarly, QUIC is also based on the multiplexing paradigm. Another example is WebRTC which multiplexes audio, video streams and potential file transfers onto the same UDP connection. WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs.

    [0005] A typical network architecture comprises the presence of network entities, of which later described middleboxes are an example, which are interposed between the nodes. Middleboxes are used for a number of reasons, including implementing acceptable use policies, maintaining regulatory compliance, thwarting attacks, censoring or monitoring users, expanding address space, limiting or balancing resources.

    [0006] In an all-encrypted, multiplexed world some communication to network middleboxes will still be needed. Middleboxes could have different roles. For example, they may act as Policy Decision Points: they may select domain specific QoS (Quality of Service) solution of flows/packets based on traffic identification, flow states and/or packet handling information. Traditionally in case of broadband traffic DPI/SPI (Deep Packet Inspection/Shallow Packet Inspection) boxes perform this role, but DPI/ SPI (Deep Packet Inspection/ Shallow Packet Inspection) methods are hardly applicable for encrypted and multiplexed traffic. Signaling based solutions have not gained acceptance due to deployment complexity. They may provide information about the network path, e.g. maximum achievable bitrate, minimum delay, etc. to aid path selection, i.e. to help end-point decide which access to use. They may send advisory messages to applications to help adaptation. Examples for such advisory messages are to provide an initial congestion window or advise up/down-stepping the QoE level in case of adaptive media, based on the congestion status of the network. They may provide transport protocol enhancement in several layers. They may optimize FEC (Forward Error Correction) and retransmission. In general, middleboxes may apply specific treatments to the packets when forwarding those packets to the network nodes, noting that packet treatment includes, but is not limited to, any notorious packet treatment as described for instance in RFC 2474, RFC4221, RFC2598, RFC3260.

    [0007] All the above roles and functions require some kind of meta-information exchange between the end-points and middleboxes, mostly about traffic characteristics information. Such meta-information refers to information that enables the middlebox to apply a specific treatment to the packet, as also later explained in more detail.

    [0008] The present invention relates to meta-information reveal by the traffic sender using for instance the same connection, i.e., in-band meta-information reveal by sender. This is a feasible and advantageous, and sometimes unique alternative to other signaling methods. For example, in case of traffic multiplexing, the information revealed may change from packet to packet in a connection. For example, if the endpoints request different traffic treatment for the voice traffic, video traffic and data traffic for a WebRTC connection, then it should be possible for the middlebox to identify the packets belonging to the different streams. This requires some kind of additional packet markings to the middlebox, because the set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCP/IP) connection (5-tuple) is the same for all the packets.

    [0009] In some cases, even for a single stream per connection the information to reveal may change from packet to packet, which would require frequent signaling updates if not solved by meta-information including for instance some type of packet markings. In the case of SVC (Scalable Video Coding) videos, for example, the QoS treatment desired may differ depending on which QoS layer a given packet carries.

    [0010] Another advantage of in-band meta-information reveal is that is always on-path, i.e., the information is attached to the traffic. That is, no problems may arise e.g., due to rerouting (due to e.g., hand-overs) or multi-path delivery.

    [0011] There are existing methods for in-band meta-information reveal, e.g., by marking the DiffServ Codepoints (DSCP, RFC4594) in the IP packet headers (DiffServ or differentiated services is a computer networking architecture that specifies a simple, scalable and coarse-grained mechanism for classifying and managing network traffic and providing QoS on modern IP networks). However, DiffServ markings are un-encrypted and their usage has been limited to a single-domain, because of the fact that these fields may be easily modified across network domains.

    [0012] There are different methods to send end-to-end encrypted data between two endpoints. With reference to Figure 7, the commonly accepted methods use three different pieces of information for encoding: the information to encode 710 (showed as "plain text" in the figure); the encryption key(s) 730; an initialization vector 720 (IV). By means of an encoding algorithm 700, the encoded or cyphered information 740 is obtained.

    [0013] An initialization vector is a nonce used for data encryption. In this context, "nonce" stands for "number used once" or "number once". The initialization vector, used only once in any session or connection, prevents repetition of sequences in encrypted text. Identifying such repetitions can help an attacker break a cipher. The initialization vectors or related algorithms and random numbers may be exchanged between the parties during security context setup, but there are algorithms for which the nonce must be unique, but predictability of the initialization vector is acceptable, and may therefore be a simple counter e.g., some unique packet sequence numbers may be used as initialization vector.

    [0014] The decryption of the encrypted end-to-end data is then the opposite process using some keys and the same initialization vector, shown in Figure 8. Accordingly, the encoded or cyphered text 710, the IV 820 and the key(s) 830 are used for the decoding (or deciphering) algorithm 800 in order to obtain the deciphered information 840 corresponding to the information 740 of Figure 7.

    [0015] It further becomes desirable applying encryption to the meta-information, as this enhances security. For instance, such encryption reduces the risk that the treatment of packets is altered by network nodes that, by getting knowledge of the meta-information, may apply them differently and/or to other packets such that the packets forwarding may not anymore be as intended or desired. Within this context, it has been found that merely encrypting the meta-information at the sender may not be free from problems. It thus becomes necessary finding a suitable way for safely handling meta-information, and to avoid prior art problems related to the handling of meta-information. It is thus an object to provide an improved handling of meta-information.

    Summary



    [0016] The object is achieved by the subject-matter of the independent claims. Advantageous embodiments are defined in the dependent claims. Further examples are provided for facilitating the understanding of the invention.

    [0017] According to a first aspect of the invention, it is provided a system comprising a sender entity, a receiver entity, and a network entity interposed between the sender entity and the receiver entity, wherein: the receiver entity is configured to send a connection request to the sender entity, and to further send to the sender entity at least one encrypted meta-information for said connection; the sender entity is configured to insert the at least one encrypted meta-information into at least one packet of said connection; the network entity is configured to decrypt the at least one meta-information and to process the at least one packet on the basis of the decrypted at least one meta-information.

    [0018] According to a second aspect of the invention, it is provided a method for managing communications in a system comprising a sender entity, a receiver entity, and a network entity interposed between the sender entity and the receiver entity, the method comprising the steps of: causing sending, from the receiver entity to the sender entity, of a connection request and of at least one encrypted meta-information for said connection; causing, at the sender entity, inserting the at least one encrypted meta-information into at least one packet of said connection; causing, at the network entity, decrypting the at least one meta-information and causing processing of the at least one packet on the basis of the decrypted at least one meta-information.

    [0019] According to a third aspect of the invention, it is provided a receiver entity in a system comprising a sender entity, said receiver entity, and a network entity interposed between the sender entity and the receiver entity, said receiver entity comprising: sending means configured to send a connection request to the sender entity, and to further send to the sender entity at least one encrypted meta-information for said connection, wherein the meta-information is decryptable by the network entity, and wherein the sender entity is capable of handling the meta-information only in encrypted form.

    [0020] According to a fourth aspect of the invention, it is provided a sender entity in a system comprising said sender entity, a receiver entity, and a network entity, said sender entity comprising: inserting means configured to insert at least one encrypted meta-information received from the receiver entity into at least one packet of said connection, wherein the sender entity is capable of handling the meta-information only in encrypted form.

    [0021] According to a fifth aspect of the invention, it is provided network entity in a system comprising a sender entity, a receiver entity, and said network entity interposed between the sender entity and the receiver entity, said network entity comprising: decrypting means configured to decrypt at least one meta-information included in a packet of a connection established between the sender entity and the receiver entity; processing means configured to process the at least one packet on the basis of the decrypted at least one meta-information.

    [0022] According to a sixth aspect of the invention, it is provided a program for managing communications in a system comprising a sender entity, a receiver entity, and a network entity, the program configured to execute, when said program is executed on a computer, all the steps according to the method according to the second aspect.

    [0023] According to a seventh aspect of the invention, it is provided a signal suitable for carrying a packet of a connection established between a sender entity and a receiver entity, the packet including an encrypted meta-information encrypted by the receiver entity and decryptable by a network entity.

    Brief description of the drawings



    [0024] 

    Figure 1 illustrates a system according to a first embodiment of the present invention.

    Figure 2 illustrates a flow chart of a method according to a second embodiment of the present invention.

    Figure 3 illustrates a receiver entity according to a third embodiment of the present invention.

    Figure 4 illustrates a sender entity according to a fourth embodiment of the present invention.

    Figure 5 illustrates a network entity according to a fifth embodiment of the present invention.

    Figure 6 illustrates a signal according to a seventh embodiment of the present invention.

    Figure 7 illustrates an example of a typical message encoding in the server using a nonce.

    Figure 8 illustrates an example of a message decoding in the receiver.

    Figure 9 illustrates an example of a reference scenario.

    Figure 10 illustrates an example sequence diagram illustrating traffic meta-information reveal from the sender when the receiver has an agreement with the operator/ISP (Internet Service Provider) and the sender is trusted.

    Figure 11 illustrates an example sequence diagram illustrating the proposed solution for encryption of TCID (Traffic Characteristics Identifier) for an untrusted sender.

    Figure 12 illustrates examples of variants for sending the encrypted meta-data (TCID) in case of end-to-end encryption: as part of the non-encrypted header (upper figure) or part of the encrypted header (lower figure).

    Figure 13 illustrates an example of a computer suitable for executing a program according to the invention.


    Detailed description



    [0025] In relation to the encryption of meta-information, there are some important recognitions and observations to note. Firstly, in many cases the meta-information should also be encrypted in order not to reveal it to non-authorized party. For example, a request for a specific domain treatment would reveal the QoS structure used by the ISPs in their networks and could motivate others try to get a specific service they are not entitled to, and by this imposing a big demand on the operator policy for filtering out such attempts.

    [0026] One solution could lie in encrypting at the sender side: the encryption may use some non-repetitive information from the packet header as nonce, e.g., a sequence number. This may however lead to problems in that the sender may wrongly associate an encrypted meta-information to a packet for which the meta-information was not intended. Thus, to obviate such issue, the encryption may be done at the receiver. However, if the receiver is to send the meta-information to the middlebox through the sender then the receiver does not know about the structure of the packet, so it cannot make use of this information when encrypting the meta-information. Using pre-agreed nonces between the receiver and middlebox for encryption is regarded as suboptimal solution because of the large number of potential connections.

    [0027] Secondly, the meta-information should use a different encryption from the encryption of the end-to-end communication, since the information is targeting a different entity (the middlebox) so it should be decryptable by the middlebox. Most advantageous is to use a common key for encryption of meta-information by which both the middlebox and the receiver will be able to decrypt (and/or encrypt) the meta-information. The latter is beneficial in order to provide a means to the receiver to verify if the correct meta-information was transferred (it may break the connection if that is not fulfilled).

    [0028] However, also when encrypting at the receiver, there could be a problem in that an encrypted meta-information may be inserted into a packet for which that meta-information was not intended or desired. In other words, there is a problem in that the packets may not be forwarded according to the intended meta-information. As explained below, it is suggested to encrypt the meta-information at the receiver, however the encryption of the meta-information is made for a specific connection established between the sender and the receiver. The middlebox (but not the sender) is capable of decrypting the meta-information. The sender is requested to insert the encrypted meta-information (received from the receiver) into the packet, handling it in encrypted form. In case the sender would wrongly insert the encrypted meta-information into a packet for a different connection (e.g. a connection of another receiver or another connection of the same receiver), the middlebox would not be able to decrypt the meta-information, or would be able to detect that there was a problem at the sender side. In this case, for instance: the middlebox may discard the packet and the receiver may request the packet again; the middlebox may notify the receiver about the detection of a problem at the sender so that the receiver may act accordingly, for example it may send a new request. This is the consequence of the meta-information being encrypted for the specific connection. Accordingly, the middlebox can react to the detection of the wrongly inserted meta-information (e.g. by dropping the packet, notifying the receiver and/or sender and/or administrator device, etc.).

    [0029] The present invention shall now be described in conjunction with specific embodiments by making reference to the drawings. It is however noted that these specific embodiments as well as the illustrative figures serve to provide the skilled person with a better understanding of the invention but are not intended to restrict in any way the scope of the invention which is defined by the independent claims.

    [0030] A system according to a first embodiment of the present invention will now be described with reference to Figure 1. The system according to the first embodiment comprises a sender entity (120), a receiver entity (110), and a network entity (130). For example, the receiver entity may be a client terminal or a server. It may be the entity that receives some payload for which it requires a specific treatment along the network path. Typical examples of a receiver entity being a client are: MBB (Mobile Broadband) subscribers downloading files, browsing the Web, watching YouTube videos, etc. Typical examples of a receiver entity being a server are: a server requesting a service from another service for its internal processing, or a server requesting a server for generating another service to be provided to another server or user, etc. The sender entity may be a server providing services to terminals or to other servers. It may be the entity that sends the traffic, e.g., a YouTube server. The network entity (also referred herein in some examples as middlebox) is interposed between the sender entity and the receiver entity, namely the entity along the network path that may perform other tasks than just layer-3 packet routing. It may inspect the packets for the meta-information that is inserted in the packet header by the sender entity and perform the actions needed for the specific network domain treatment that is needed. Examples of network entities or middleboxes are: Policy Decision Points, DPI/SPI boxes, edge routers, etc.

    [0031] The receiver entity (110) is configured to send a connection request to the sender entity (120). For example, the receiver entity may request specific data to be sent by the sender entity. The receiver entity (110) is configured to further send to the sender entity (120) at least one encrypted meta-information for said connection (noting that the request and the encrypted meta-information could be send together or separately, physically and/or logically, and any combination thereof). In one example, said meta-information may be a marker which indicates a specific treatment of the requested data along the network path. Such meta-information is decryptable by the network entity and the sender entity is capable of handling the meta-information only in encrypted form. In other words, the sender is normally (i.e. for a non-malicious server) not capable of decrypting the meta-information. The connection represents a physical or logical communication link connecting two physical or logical points in the network. An example of a connection is a TCP/IP or a UDP connection. However, the connection of the invention is not limited thereto, and may also refer to a flow within a known connection; for instance, in case a link between nodes comprises multiplexed flows, the connection here referred to may be one or more of those multiplexed flows. Furthermore, a connection and its properties (or parameters) as herein used may also refer to a session and its corresponding properties (or parameters), as in fact a session also characterizes the communication between two entities like the sender entity and receiver entity herein discussed. Thus, the encryption for the connection also comprises an encryption for the session in that the encryption is based on parameters of the session. Non-limiting examples of sessions are: HTTP (Hypertext Transfer Protocol) sessions, SIP (Session Initiation Protocol) sessions, telnet sessions. Moreover, meta-information refers to information that enables the network entity to apply a specific treatment to the packet. The meta-information being encrypted for the connection refers to the fact that the meta-information has been encrypted for that specific connection, e.g. it is encrypted such that it is a connection-unique encryption or such that it is not easily repeatable; in other words, it can be an absolute-unique encryption or an encryption which is unique for a given set of parameters (e.g. unique for a given time window, for a given set of receiver addresses, etc). In case the connection comprises multiplexed flows, the connection specific encryption may be represented by a flow specific encryption (e.g. some parameters of the flow will render the encryption a connection-specific encryption).

    [0032] The sender entity (120) is configured to insert the at least one encrypted meta-information into at least one packet of said connection. An example of packet according to the present invention is shown in Figure 6, which illustrates a signal for carrying a packet of a connection established between the sender entity and the receiver entity. The packet may contain a header, which may include an encrypted part (encrypted header) and/or an un-encrypted part (un-encrypted header), and a payload, namely the data requested by the receiver. The payload may be encrypted and may be decryptable by the receiver entity only, or by both the receiver and the network entity.

    [0033] The meta-information (in Figure 6 exemplified by a marker) might be inserted in the header (either in the encrypted header or in the un-encrypted header), it may be attached at the head or at the tail of the packet, or it may be inserted in any position of the header or payload, or interposed between header and payload. What is relevant is that the encrypted meta-information (exemplified in Figure 6 by the encrypted marker) is inserted into the packet, regardless of how this is achieved.

    [0034] The network entity (130) is configured to decrypt the at least one meta-information and to process the at least one packet on the basis of the decrypted at least one meta-information. To process the packet refers to apply, to the at least one packet on the basis of the decrypted at least one meta-information, a packet forwarding treatment when processing the forwarding or relaying of the packet on the network. The packet forwarding treatment includes policing, shaping, possible remarking (i.e. changing the marker with another one, or changing its value), queuing treatment, or scheduling treatment. The treatment includes also discarding the same packet, when in the forwarding processing this is determined in view of the meta-information and possibly other conditions like network congestion, node congestion, or choosing one path instead of others on the basis of the meta-information (e.g. a path characterized by one of a given latency, throughput, reliability). In other words, the treatment includes any packet treatment as known in the art, see e.g. the FCSs also referred to above as illustrative examples.

    [0035] As a result, even in case a malfunctioning at the sender would cause the encrypted meta-information to be associated to the wrong packet, the middlebox can detect such situation (since the metadata encryption would not be for the connection to which it is associated) and react as appropriate.

    [0036] For illustrative purposes, two exemplary cases are noted. An important case is when the data from sender entity to receiver entity is end-to-end encrypted (as in the example diagrams shown in Figures 10 and 11, which will be discussed in the following). In that case, as shown in Figure 11, the encrypted meta-data may be sent to the network entity as part of the un-encrypted packet header or as part of the encrypted packet header (some of the packet header information may also be encrypted for security reason). The former case does not pose severe issues. However, in the latter case, care should be taken not to encrypt the meta-information (in the figure, exemplified by TCID Traffic Characteristics Identifier) by using the end-to-end credentials, because in that case the information becomes unavailable for the network entity. The simplest way to achieve this is to perform the end-to-end encryption first by the sender entity by omitting the field carrying the TCID value and then inserting the field with the TCID encrypted with the receiver entity-network entity credentials from the receiver entity. The network entity may thus decrypt the TCID (only) and the receiver entity removed the field with TCID before decrypting the remaining part with the end-to-end credentials. With this regard, the TCID represents an example of the meta-information, more specifically the TCID value may correspond to a priority to be given to the packet, a latency level required by the packet, etc. By the way, one could also name the TCID as MIID (Meta-Information ID).

    [0037] According to an optional implementation of the first embodiment, the encryption is based on parameters characterizing said connection. Such parameters may be, for example, a unique connection or session specific information from the packet headers, five-tuple of the connection, i.e., source and destination IP addresses, source and destination ports and used transport protocol, any other property of the connection that is non-repetitive, or any combinations of the above, as also explained later. The parameters characterising the connection may be parameters characterizing a flow (e.g. a multiplexed flow) comprised in said connection.

    [0038] According to a further optional implementation of the first embodiment, the receiver entity (110) is configured to encrypt said at least one meta-information on the basis of an initialization value and a key. As also explained above, the initialization value, or initialization vector, is a nonce, namely a number used once, and may change for every request. It is used together with the key in order to encrypt and decrypt the meta-information. It is calculated using a rule. The rule for calculating the initialization value and the key are known at both receiver and network entity (but not at the sender, which can handle the marker only in its encrypted state). The rule (and/or the key(s)) may be exchanged before the connection setup, or periodically; however, it is also possible that the rule is configured once, e.g. by an administrator. Exchanging the rule may prolong the connection setup time somewhat but may be favourable if connection information to be used for the initialization value generation would be hard to infer otherwise.

    [0039] As noted above, there may be multiple meta-information to be revealed for the same connection. In that case, as many initialization vectors are needed as many different parameters to be encrypted, it may be advantageous to prevent repetition of sequences in the encrypted traffic. One solution for this scenario is that the receiver increases an additional sequence number for each new meta-information value, which is added besides the encrypted meta-information and both are sent as "new" meta-info to the network entity through the sender entity. Thus the network entity could use this sequence number together with the generated initialization value by the pre-negotiated rule to have a different initialization value for each different meta-information parameter.

    [0040] According to a further optional implementation of the first embodiment, the network entity (130) is configured to decrypt the meta-information on the basis of an initialization value and a key. Such initialization vector is generated by the network entity using the rule known also by the receiver entity. As said above, such rule may be exchanged before connection setup or periodically, or may be fixed by the administrator.

    [0041] According to a further optional implementation of the first embodiment, the initialization value is determined on the basis of the parameters characterizing said connection (and/or a flow multiplexed in the connection).

    [0042] More specifically, the initialization value may be determined on the basis of parameters which characterize the connection by utilizing a generation rule. Such generation rule may be a mathematical function or an algorithm.

    [0043] According to a further optional implementation of the first embodiment, the key is determined on the basis of the parameters characterizing said connection.

    [0044] According to a further optional implementation of the first embodiment, the parameters characterizing said connection comprise one or a combination of connection identifiers, fields comprised in a header, or a non-repetitive property of the connection. The simplest case may be to use a unique connection or session specific information from the packet headers. For example, in the case of QUIC communication, the connection identifier (CID) may be the one to use as initialization value for encrypting a connection-specific meta-information. In another example, five-tuple of the connection, i.e., source and destination IP addresses, source and destination ports and used transport protocol may be used. Further, any other property of the connection that is non-repetitive. Moreover, any combinations of the above may be used.

    [0045] Next, a method according to a second embodiment of the present invention will be described with reference to Figure 2. The considerations made above also apply to the present embodiment, and are therefore omitted. The method according to the second embodiment is for managing communications in a system (100) comprising a sender entity (120), a receiver entity (110), and a network entity (130). The method comprises a step of causing sending (S210), from the receiver entity (110) to the sender entity (120), of a connection request and of at least one encrypted meta-information for said connection.

    [0046] Here, the action of causing refers to a unit or software element within the receiver entity that causes the sending (e.g. a processor or software module instructing the sending); it may also or alternatively refer to an external element or device causing (e.g. in the sense of triggering) the sending by the receiver entity (e.g. a management device, a data center, a tenant, an administrator, instructing or initiating the sending).

    [0047] The method further comprises the step of causing, at the sender entity (120), inserting (S220) the at least one encrypted meta-information into at least one packet of said connection.

    [0048] The method further comprises the step of causing, at the network entity (130), decrypting (S230) the at least one meta-information and causing processing (S240) of the at least one packet on the basis of the decrypted at least one meta-information.

    [0049] According to an optional implementation of the second embodiment, the encryption is based on parameters characterizing said connection.

    [0050] According to a further optional implementation of the second embodiment, the at least one encrypted meta-information is obtained by performing encryption of said at least one meta-information on the basis of an initialization value and a key.

    [0051] According to a further optional implementation of the second embodiment, the method further comprises the step of causing, at the network entity (130), the decryption of the meta-information on the basis of an initialization value and a key.

    [0052] According to a further optional implementation of the second embodiment, the initialization value is determined on the basis of the parameters characterizing said connection.

    [0053] According to a further optional implementation of the second embodiment, the key is determined on the basis of the parameters characterizing said connection.

    [0054] According to a further optional implementation of the second embodiment, the parameters characterizing said connection comprise one or a combination of connection identifiers, fields comprised in a header, or a non-repetitive property of the connection.

    [0055] Further, an example of the second embodiment will be described with reference to Figures 10 and 11. The proposed method is shown in Figure 11 and is compared with a state-of-art solution shown in Figure 10.

    [0056] At step 1 in Figures 10 and 11, a receiver wants to send encrypted meta-information to the network in order that no un-authorized 3rd party can infer the meta-information. For this reason a security association is established with the middlebox to exchange the security credentials as needed (Figure 10 does not show the exchange of security credentials, but this information may be included also in the exchange of information depicted in figure 10).

    [0057] At step 2 of Figures 10 and 11, the security association is used to exchange the semantics of the meta-information (i.e., what encodings-denoted by TCID- to use for a certain treatment, as well as the common key to encrypt it. In the non-trusted case (Figure 11), also the rules for generating the IV for the connection-specific TCID encryption are exchanged.

    [0058] At step 3 of Figures 10 and 11, the connection is established between the sender and receiver. Data on this connection is going to undergo a specific treatment by the network. It is noted that figure 11 shows a session setup, which represents an example of a connection setup (as in fact, within the present discussion and as above explained, a session characterizes the communication between two points in the same way as a connection characterizes a communication between two points). It is also noted that a connection setup or a session setup message may comprise additional information to those herein described or those depicted in the figures.

    [0059] In the trusted case (Figure 10), in step 4, the desired TCID to be used for packet markings for the connection is sent to the sender together with the common key. The Server encrypts the TCID using the common key and some Initialisation Vector (IV) that is e.g., inserted in the packet structure (Step 5). The middlebox can thus decrypt TCID by using the common key, received IV and encrypted TCID. In step 6 of Figure 10, the sender may encrypt the packet (e.g. the TCID and the payload) and transmit it to the sender. The packet is forwarded by network entities through the network until it reaches the sender; the middlebox is an example of the network entity forwarding the packet and applying a treatment on the packet on the basis of the meta-information. In step 7 of Figure 10, the middlebox decrypts the packet, in particular it decrypts the TCID in order to apply the treatment corresponding to the TCID (decrypted) value so that the packet can be forwarded according to the intended treatment.

    [0060] In the untrusted case (Figure 11), encryption of TCID by the sender is not possible. Instead, it is done by the receiver, in two steps: first, it calculates the connection-specific IV based on IV generation rule (received in step 2) and session properties (step 4); then it encrypts TCID using the common key, calculated IV and plain TCID (step 5).

    [0061] The receiver then sends the encrypted TCID to the sender (step 6). The sender inserts the encrypted TCID value into the packets that are sent to the receiver (step 7) (or attaches the encrypted TCID value to the packets) in a way that the encrypted TCID is readable by middlebox. The middlebox then uses the header information and IV generation rule to reconstruct the connection-specific IV (step 8) and then it decrypts TCID by using the common key, calculated IV and TCID. The network entity may then treat the packet according to the TCID, as also above described.

    [0062] Further, a receiver entity according to a third embodiment of the present invention will be described with reference to Figure 3. The receiver entity according to the third embodiment is a receiver entity in a system (100) comprising a sender entity (120), said receiver entity (110), and a network entity (130) and comprises sending means (111) configured to send a connection request to the sender entity (120), and to further send to the sender entity (120) at least one encrypted meta-information for said connection. The meta-information is decryptable by the network entity (130) and the sender entity (120) is capable of handling the meta-information only in encrypted form. Namely, the sender does not have the means for decrypting, or the sender is not capable of decrypting.

    [0063] Further, a sender entity according to a fourth embodiment of the present invention will be described with reference to Figure 4. The sender entity according to the fourth embodiment is a sender entity (120) in a system (100) comprising said sender entity (120), a receiver entity (110), and a network entity (130), and comprises inserting means (121) configured to insert at least one encrypted meta-information received from the receiver entity (110) into at least one packet of said connection. The sender entity (120) is capable of handling the meta-information only in encrypted form.

    [0064] Further, a network entity according to a fifth embodiment of the present invention will be described with reference to Figure 5. The network entity according to the fifth embodiment is a network entity (130) in a system (100) comprising a sender entity (120), a receiver entity (110), and said network entity (130), and comprises decrypting means (131) configured to decrypt at least one meta-information included in a packet of a connection established between the sender entity (120) and the receiver entity (110); and processing means (132) configured to process the at least one packet on the basis of the decrypted at least one meta-information.

    [0065] According to an optional implementation of the fifth embodiment, the encrypted meta-information is obtained by encrypting the meta-information according to a rule known to the network entity and the receiver. Moreover, the sender entity is capable of handling the meta-information only in encrypted form. The meta-information is used at a network entity for processing the packet when deciding on forwarding it on the network, namely it is used in order to apply a specific network treatment to the packet when the packet is forwarded from the network entity to the receiver entity.

    [0066] Further, a program according to a sixth embodiment of the present invention will be described. The program according to the sixth embodiment is for managing communications in a system (100) comprising a sender entity (120), a receiver entity (110), and a network entity (130). The program is configured to execute, when said program is executed on a computer, all the steps according to the second embodiment and optionally its optional implementations. A computer suitable for executing such program is illustrated in Figure 13. Such a computer typically comprises a processor 1320 (for executing instructions), a memory 1330 (for storing instructions and/or results of the instructions and/or data for input/output), and an interface IF 1310 (e.g. for input/output).

    [0067] Further, a signal according to a seventh embodiment will now be described. The signal according to the seventh embodiment is suitable for carrying a packet of a connection established between a sender entity (110) and a receiver entity (120). The packet includes an encrypted meta-information encrypted by the receiver entity (110) and decryptable by a network entity (120). Namely, the meta-information is not decryptable by the sender and the sender can only see the meta-information in the encrypted form. The network entity configured to process the packet on the basis of the meta-information.

    [0068] According to an optional implementation of the seventh embodiment, the encrypted meta-information is inserted at the sender entity (120) and the sender entity (120) is capable of handling the meta-information only in encrypted form.

    [0069] As described above, the present invention provides a system and a method for secure in-band meta-information communication with a network entity when the traffic sender is not included in the security association (service agreement), using a common key between the traffic receiver (determining the QoS handling(s) to use for a certain connection) and the network entity the information is revealed to, and a connection-specific unique identifier used as initialization value (nonce). The meta-information may be encrypted by the receiver entity (traffic receiver) using a pre-agreed connection specific (e.g. unique, see above as to unique) identifier and sent to the sender entity (traffic sender). The pre-agreed connection-specific unique identifier may be a function of one or more of the following: a connection identifier used in the transport connection; a five-tuple of the connection, i.e., source and destination IP addresses, source and destination ports and used transport protocol; entropy bits generated for this purpose if needed; parameters of a multiplexed flow within the connection.

    [0070] The above-described invention refers to, but it is not limited to, a scenario when meta-information should be revealed to the middlebox by the receiver of the traffic but the receiver transfers this information through the Sender. It allows a connection-unique encryption and authentication for the meta-information by the receiver, where the connection is a Transmission Control Protocol/Internet Protocol (TCP/IP) connection defined by a unique five-tuple (source-destination IP address, source-destination port numbers, protocol in use).

    [0071] It provides a connection-specific (e.g. unique, see above for unique: it can be absolutely unique, or unique for a certain time range, for a certain address range, etc.) way to determine one or more initialization values used for the above-mentioned encryption and authentication that is pre-configurable between the network entity, for example a middlebox, and the receiver entity, but the pre-configuration does not refer to a specific number or set of numbers (which could represent a security threat used multiple times for the encryption), but rather the method to generate the initialization value based on information from the identifiers of the given connection. In other words, the meta-information is encrypted for or on the basis of connection specific parameters, rather than on values independent from the connection. By having the connection-specific (e.g. unique) initialization value the above advantages are achieved.

    [0072] Further, the present invention provides a simple means to encrypt meta-information to be sent to a network entity interposed between a sender and a receiver, for example a middlebox, in such a way there is no possibility for the sender entity to wrongly use meta-information (e.g. re-use the same meta-information in another connection). The invention allows the usage of generic scope meta-information by the network domains (e.g., the same TCID describing a certain desired network treatment for all potential Receivers). This simplifies the network management in the network domain.

    [0073] Moreover, the invention also offers privacy of meta-information communication, i.e., the sender is not aware of what service (TCID) is requested for a given flow to a given Receiver.

    [0074] An entity as above described may be implemented in hardware and/or software, and may be further implemented in a localized manner (e.g. on a single apparatus) or distributed manner (e.g. on multiple interconnected devices).

    [0075] The invention has been described in relation to particular embodiments and examples which are intended in all aspects to be illustrative rather than restrictive. Those skilled in the art will appreciate that many different combinations of hardware, software and firmware will be suitable for practicing the present invention.

    [0076] Moreover, the above receiver entity, sender entity, and network entity, can be equivalently exchanged by receiver, sender, and network unit.

    [0077] Where the terms like sender (sender entity), receiver (receiver entity) and network unit (network entity) are used herewith, no restriction is made regarding how distributed these units may be and regarding how gathered elements may be. That is, the constituent parts of a unit or element or entity may be distributed in different software or hardware components or devices for bringing about the intended function. A plurality of distinct elements may also be gathered for providing the intended functionalities.

    [0078] Any one of the above-referred units of an entity, or an element, or a network device, or a network node, etc. may be implemented in hardware, software, field-programmable gate array (FPGA), application-specific integrated circuit (ASICs), firmware or the like.


    Claims

    1. A system (100) comprising a sender entity (120), a receiver entity (110), and a network entity (130) interposed between the sender entity (120) and the receiver entity (110), wherein:

    the sender entity is an untrusted sender entity;

    the receiver entity and the network entity share an initialization value and a key;

    the receiver entity (110) is configured to send a connection request to the sender entity (120), to encrypt at least one meta-information on the basis the initialization value and the key, and to further send to the sender entity (120) the at least one encrypted meta-information for said connection, wherein the at least one meta-information is a marker which indicates a specific treatment of data packets sent from the sender entity via the network entity to the receiver entity for said connection;

    the sender entity (120) is configured to insert the at least one encrypted meta-information into at least one of the data packets of said connection and to send the data packets to the network entity;

    the network entity (130) is configured to decrypt the at least one encrypted meta-information based on the initialization value and the key; and to process forwarding of the data packets on the basis of the decrypted at least one meta-information.


     
    2. The system (100) according to claim 1, wherein the encryption is based on parameters characterizing said connection.
     
    3. The system according to claim 2, wherein the initialization value is determined on the basis of the parameters characterizing said connection and/or wherein the key is determined on the basis of the parameters characterizing said connection.
     
    4. The system according to any of claims 1 to 3, wherein the parameters characterizing said connection comprise one or a combination of connection identifiers fields comprised in a header, or a non-repetitive property of the connection.
     
    5. A method for managing communications in a system (100) comprising a sender entity (120), a receiver entity (110), and a network entity (130) interposed between the sender entity (120) and the receiver entity (110), wherein sender entity is an untrusted sender entity, and wherein the receiver entity and the network entity share an initialization value and a key, the method comprising the steps of:

    sending (S210), from the receiver entity (110) to the sender entity (120), a connection request and at least one encrypted meta-information for said connection, wherein the at least one encrypted meta-information is obtained by performing encryption of at least one meta-information based on the initialization value and the key and wherein the at least one meta-information is a marker which indicates a specific treatment, at the network entity, of data packets sent from the sender entity via the network entity to the receiver entity for said connection;

    inserting (S220), at the sender entity (120), the at least one encrypted meta-information into at least one of the data packets of said connection and sending the data packets to the network entity;

    decrypting (S230), at the network entity (130), the at least one encrypted meta-information based on the initialization value and the key; and

    processing forwarding (S240), by the network entity, of the data packets to the receiver entity on the basis of the decrypted at least one meta-information.


     
    6. The method of claim 5, wherein the encryption is based on parameters characterizing said connection.
     
    7. The method according to claim 5 or 6, wherein the initialization value is determined on the basis of the parameters characterizing said connection and/or wherein the key is determined on the basis of the parameters characterizing said connection.
     
    8. The method according to any of claims 5-7, wherein the parameters characterizing said connection comprise one or a combination of connection identifiers, fields comprised in a header, or a non-repetitive property of the connection.
     
    9. A receiver entity (110) configured for use in a system (100) according to any of claims 1-4, said receiver entity (110) comprising:
    sending means (111) configured to send a connection request to a sender entity (120), and to further send to the sender entity (120) at least one encrypted meta-information for said connection, wherein the at least one encrypted meta-information is obtained by performing encryption of at least one meta-information based on an initialization value and a key, wherein the meta-information is decryptable by a network entity (130), and wherein the at least one meta-information is a marker which indicates a specific treatment of data packets received from the sender entity via the network entity.
     
    10. A sender entity (120) configured for use in a system (100) according to any of claims 1-4, said sender entity (120) comprising:
    inserting means (121) configured to insert at least one encrypted meta-information received from a receiver entity (110) into at least one packet of a connection established between the sender entity (120)and the receiver entity (110), wherein the at least one encrypted meta-information is obtained by performing encryption of at least one meta-information based on an initialization value and a key, wherein the sender entity (120) is capable of handling the meta-information only in encrypted form, and wherein the at least one meta-information is a marker which indicates a specific treatment of data packets sent from the sender.
     
    11. A network entity (130) configured for use in a system (100) according to any of claims 1-4, said network entity (130) interposed between a sender entity (120) and a receiver entity (110) and comprising:

    decrypting means (131) configured to decrypt at least one encrypted meta-information, obtained by performing encryption of at least one meta-information based on an initialization value and a key and included in a packet of a connection established between the sender entity (120) and the receiver entity (110), wherein the at least one meta-information is a marker which indicates a specific treatment of data packets received from the server for sending to the receiver entity;

    processing means (132) configured to process the at least one packet on the basis of the decrypted at least one meta-information.


     


    Ansprüche

    1. System (100), das eine Senderentität (120), eine Empfängerentität (110) und eine Netzwerkentität (130), die zwischen der Senderentität (120) und der Empfängerentität (110) angeordnet sind, umfasst, wobei:

    die Senderentität eine nicht vertrauenswürdige Senderentität ist;

    die Empfängerentität und die Netzwerkentität sich einen Initialisierungswert und einen Schlüssel teilen;

    die Empfängerentität (110) für Folgendes konfiguriert ist: Senden einer Verbindungsanforderung an die Senderentität (120), Verschlüsseln von mindestens einer Metainformation auf der Basis des Initialisierungswerts und des Schlüssels und ferner Senden der mindestens einen verschlüsselten Metainformation für die Verbindung an die Senderentität (120), wobei die mindestens eine Metainformation eine Markierung ist, die eine spezifische Behandlung von Datenpaketen anzeigt, die von der Senderentität über die Netzwerkentität an die Empfängerentität für die Verbindung gesendet werden;

    die Senderentität (120) dafür konfiguriert ist, die mindestens eine verschlüsselte Metainformation in mindestens eines der Datenpakete der Verbindung einzufügen und die Datenpakete an die Netzwerkentität zu senden;

    die Netzwerkentität (130) für Folgendes konfiguriert ist: Entschlüsseln der mindestens einen verschlüsselten Metainformation basierend auf dem Initialisierungswert und dem Schlüssel und Verarbeiten der Weiterleitung der Datenpakete basierend auf der entschlüsselten mindestens einen Metainformation.


     
    2. System (100) nach Anspruch 1, wobei die Verschlüsselung auf Parametern basiert, die die Verbindung charakterisieren.
     
    3. System nach Anspruch 2, wobei der Initialisierungswert basierend auf den Parametern bestimmt wird, die die Verbindung charakterisieren und/oder wobei der Schlüssel basierend auf den Parametern bestimmt wird, die die Verbindung charakterisieren.
     
    4. System nach einem der Ansprüche 1 bis 3, wobei die Parameter, die die Verbindung charakterisieren, ein oder eine Kombination von Verbindungskennungsfeldern, die in einem Kopfdatensatz enthalten sind, oder eine sich nicht wiederholende Eigenschaft der Verbindung umfassen.
     
    5. Verfahren zum Verwalten der Kommunikation in einem System (100), das eine Senderentität (120), eine Empfängerentität (110) und eine Netzwerkentität (130), die zwischen der Senderentität (120) und der Empfängerentität (110) angeordnet sind, umfasst, wobei die Senderentität eine nicht vertrauenswürdige Senderentität ist und wobei die Empfängerentität und die Netzwerkentität einen Initialisierungswert und einen Schlüssel gemeinsam haben, wobei das Verfahren folgende Schritte umfasst:

    Senden (S210) von der Empfängerentität (110) an die Senderentität (120) eine Verbindungsanforderung und mindestens eine verschlüsselte Metainformation für die Verbindung; wobei die mindestens eine verschlüsselte Metainformation erhalten wird, indem eine Verschlüsselung von mindestens einer Metainformation basierend auf dem Initialisierungswert und dem Schlüssel durchgeführt wird, und wobei die mindestens eine Metainformation eine Markierung ist, die eine spezifische Behandlung an der Netzwerkentität von Datenpaketen anzeigt, die von der Senderentität über die Netzwerkentität an die Empfängerentität für die Verbindung gesendet werden;

    Einfügen (S220), an der Senderentität (120), der mindestens einen verschlüsselten Metainformation in mindestens eines der Datenpakete der Verbindung und Senden der Datenpakete an die Netzwerkentität;

    Entschlüsseln (S230), an der Netzwerkentität (130), der mindestens einen verschlüsselten Metainformation basierend auf dem Initialisierungswert und dem Schlüssel; und

    Verarbeiten der Weiterleitung (S240), durch die Netzwerkentität, der Datenpakete an die Empfängerentität basierend auf der entschlüsselten mindestens einen Metainformation.


     
    6. Verfahren nach Anspruch 5, wobei die Verschlüsselung auf Parametern basiert, die die Verbindung charakterisieren.
     
    7. Verfahren nach Anspruch 5 oder 6, wobei der Initialisierungswert basierend auf den Parametern bestimmt wird, die die Verbindung charakterisieren und/oder wobei der Schlüssel basierend auf den Parametern bestimmt wird, die die Verbindung charakterisieren.
     
    8. Verfahren nach einem der Ansprüche 5 bis 7, wobei die Parameter, die die Verbindung charakterisieren, ein oder eine Kombination von Verbindungskennungsfeldern, die in einem Kopfdatensatz enthalten sind, oder eine sich nicht wiederholende Eigenschaft der Verbindung umfassen.
     
    9. Empfängerentität (110), die zur Verwendung in einem System (100) gemäß einem der Ansprüche 1 bis 4 konfiguriert ist, wobei die Empfängerentität (110) Folgendes umfasst:

    ein Sendemittel (111), das dafür konfiguriert ist, eine Verbindungsanforderung an eine Senderentität (120) zu senden und ferner mindestens eine verschlüsselte Metainformation für die Verbindung an die Senderentität (120) zu senden, wobei die mindestens eine verschlüsselte Metainformation erhalten wird, indem eine Verschlüsselung von mindestens einer Metainformation basierend auf einem Initialisierungswert und einem Schlüssel durchgeführt wird, wobei die Metainformation von einer Netzwerkentität (130) entschlüsselt werden kann und wobei die mindestens eine Metainformation eine Markierung ist, die eine spezifische Behandlung von Datenpaketen anzeigt, die von der Senderentität über die Netzwerkentität empfangen wurden.


     
    10. Senderentität (120), die zur Verwendung in einem System (100) gemäß einem der Ansprüche 1 bis 4 konfiguriert ist, wobei die Senderentität (120) Folgendes umfasst:
    ein Einfügemittel (121), das dafür konfiguriert ist, mindestens eine verschlüsselte Metainformation, die von einer Empfängerentität (110) empfangen wurde, in mindestens ein Paket einer Verbindung einzufügen, die zwischen der Senderentität (120) und der Empfängerentität (110) hergestellt wurde, wobei die mindestens eine verschlüsselte Metainformation erhalten wird, indem eine Verschlüsselung von mindestens einer Metainformation basierend auf einem Initialisierungswert und einem Schlüssel durchgeführt wird, wobei die Senderentität (120) die Metainformation nur in verschlüsselter Form verarbeiten kann und wobei die mindestens eine Metainformation eine Markierung ist, die eine spezifische Behandlung von Datenpaketen anzeigt, die vom Sender gesendet wurden.
     
    11. Netzwerkentität (130), die zur Verwendung in einem System (100) gemäß einem der Ansprüche 1 bis 4 konfiguriert ist, wobei die Netzwerkentität (130) zwischen einer Senderentität (120) und einer Empfängerentität (110) angeordnet ist und Folgendes umfasst:

    ein Entschlüsselungsmittel (131), das dafür konfiguriert ist, mindestens eine verschlüsselte Metainformation zu entschlüsseln, die durch Verschlüsseln mindestens einer Metainformation basierend auf einem Initialisierungswert und einem Schlüssel erhalten wird, und die in einem Paket einer Verbindung enthalten ist, die zwischen der Senderentität (120) und der Empfängerentität (110) hergestellt wurde, wobei die mindestens eine Metainformation eine Markierung ist, die eine spezifische Behandlung von Datenpaketen anzeigt, die vom Server empfangen wurden, um sie an die Empfängerentität zu senden;

    ein Verarbeitungsmittel (132), das dafür konfiguriert ist, das mindestens eine Paket basierend auf der entschlüsselten mindestens eine Metainformation zu verarbeiten.


     


    Revendications

    1. Système (100) comprenant une entité émettrice (120), une entité réceptrice (110) et une entité réseau (130) interposée entre l'entité émettrice (120) et l'entité réceptrice (110), dans lequel :

    l'entité émettrice est une entité émettrice non fiable ;

    l'entité réceptrice et l'entité réseau partagent une valeur d'initialisation et une clé ;

    l'entité réceptrice (110) est configurée pour envoyer une demande de connexion à l'entité émettrice (120), pour crypter au moins une méta-information sur la base de la valeur d'initialisation et de la clé, et pour envoyer en outre à l'entité émettrice (120) l'au moins une méta-information cryptée pour ladite connexion, dans lequel l'au moins une méta-information est un marqueur qui indique un traitement spécifique des paquets de données envoyés depuis l'entité émettrice via l'entité réseau à l'entité réceptrice pour ladite connexion ;

    l'entité émettrice (120) est configurée pour insérer l'au moins une méta-information cryptée dans au moins l'un des paquets de données de ladite connexion et pour envoyer les paquets de données à l'entité réseau ;

    l'entité réseau (130) est configurée pour décrypter l'au moins une méta-information cryptée sur la base de la valeur d'initialisation et de la clé ; et pour traiter la transmission des paquets de données sur la base d'au moins une méta-information décryptée.


     
    2. Système (100) selon la revendication 1, dans lequel le cryptage est basé sur des paramètres caractérisant ladite connexion.
     
    3. Système selon la revendication 2, dans lequel la valeur d'initialisation est déterminée sur la base des paramètres caractérisant ladite connexion et / ou dans lequel la clé est déterminée sur la base des paramètres caractérisant ladite connexion.
     
    4. Système selon l'une quelconque des revendications 1 à 3, dans lequel les paramètres caractérisant ladite connexion comprennent un ou plusieurs parmi des identifiants de connexion, des champs compris dans un en-tête, ou une propriété non répétitive de la connexion.
     
    5. Procédé de gestion des communications dans un système (100) comprenant une entité émettrice (120), une entité réceptrice (110) et une entité réseau (130) interposée entre l'entité émettrice (120) et l'entité réceptrice (110), dans lequel l'entité émettrice est une entité émettrice non fiable, et dans lequel l'entité réceptrice et l'entité réseau partagent une valeur d'initialisation et une clé, le procédé comprenant les étapes consistant à :

    envoyer (S210), de l'entité réceptrice (110) à l'entité émettrice (120), une demande de connexion et au moins une méta-information cryptée pour ladite connexion, dans laquelle l'au moins une méta-information cryptée est obtenue en effectuant le cryptage d'au moins une méta-information sur la base de la valeur d'initialisation et de la clé et dans lequel l'au moins une méta-information est un marqueur qui indique un traitement spécifique, au niveau de l'entité réseau, des paquets de données envoyés de l'entité émettrice via l'entité réseau à l'entité réceptrice pour ladite connexion ;

    insérer (S220), au niveau de l'entité émettrice (120), l'au moins une méta-information cryptée dans au moins l'un des paquets de données de ladite connexion et envoyer les paquets de données à l'entité réseau ;

    décrypter (S230), au niveau de l'entité de réseau (130), l'au moins une méta-information cryptée sur la base de la valeur d'initialisation et de la clé ; et

    le traitement de la transmission (S240), par l'entité de réseau, des paquets de données à l'entité réceptrice sur la base d'au moins une méta-information décryptée.


     
    6. Procédé selon la revendication 5, dans lequel le cryptage est basé sur des paramètres caractérisant ladite connexion.
     
    7. Procédé selon la revendication 5 ou 6, dans lequel la valeur d'initialisation est déterminée sur la base des paramètres caractérisant ladite connexion et / ou dans lequel la clé est déterminée sur la base des paramètres caractérisant ladite connexion.
     
    8. Procédé selon l'une quelconque des revendications 5 à 7, dans lequel les paramètres caractérisant ladite connexion comprennent un ou plusieurs parmi des identifiants de connexion, des champs compris dans un en-tête, ou une propriété non répétitive de la connexion.
     
    9. Entité réceptrice (110) configurée pour être utilisée dans un système (100) selon l'une quelconque des revendications 1 à 4, ladite entité réceptrice (110) comprenant :
    un moyen d'envoi (111) configuré pour envoyer une demande de connexion à une entité émettrice (120), et pour envoyer en outre à l'entité émettrice (120) au moins une méta-information cryptée pour ladite connexion, dans laquelle l'au moins une méta-information cryptée est obtenue en effectuant le cryptage d'au moins une méta-information sur la base d'une valeur d'initialisation et d'une clé, dans laquelle les méta-informations sont décryptables par une entité réseau (130), et dans lequel l'au moins une méta-information est un marqueur qui indique un traitement spécifique des paquets de données reçus de l'entité émettrice via l'entité réseau.
     
    10. Entité émettrice (120) configurée pour être utilisée dans un système (100) selon l'une quelconque des revendications 1 à 4, ladite entité émettrice (120) comprenant :
    un moyen d'insertion (121) configuré pour insérer au moins une méta-information cryptée reçue depuis une entité réceptrice (110) dans au moins un paquet d'une connexion établie entre l'entité émettrice (120) et l'entité réceptrice (110), dans laquelle l'au moins une méta-information cryptée est obtenue en effectuant le cryptage d'au moins une méta-information sur la base d'une valeur d'initialisation et d'une clé, dans laquelle l'entité émettrice (120) est capable de gérer la méta-information uniquement sous forme cryptée, et dans laquelle l'au moins une méta-information est un marqueur qui indique un traitement spécifique des paquets de données envoyés par l'expéditeur.
     
    11. Entité réseau (130) configurée pour être utilisée dans un système (100) selon l'une quelconque des revendications 1 à 4, ladite entité réseau (130) interposée entre une entité émettrice (120) et une entité réceptrice (110) et comprenant :

    un moyen de décryptage (131) configuré pour décrypter au moins une méta-information cryptée, obtenu en effectuant le cryptage d'au moins une méta-information sur la base d'une valeur d'initialisation et d'une clé et incluse dans un paquet d'une connexion établie entre l'entité émettrice (120) et l'entité réceptrice (110), dans laquelle l'au moins une méta-information est un marqueur qui indique un traitement spécifique des paquets de données reçus du serveur pour être envoyés à l'entité réceptrice ;

    un moyen de traitement (132) configuré pour traiter l'au moins un paquet sur la base de l'au moins une méta-information décryptée.


     




    Drawing






































    Cited references

    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description