Title Methods, devices and systems for establishing end-to-end secure connections and for securely communicating data packets
Abstract The invention provides methods, devices (102, 110, 124, 136) and communication systems (100) for establishing end-to-end secure connections and for securely communicating data packets. Such a communication system (100) comprises a first device (124, 136), an intermediate device (110) and a second device (102). The first device (124, 136) communicates with the intermediate device (110) via a first network (120), which is based on a first transport protocol and a first transport security protocol. The second device (102) communicates with the intermediate device (110) via a second network, which is based on a second transport protocol and a second transport security protocol. The intermediate device (110) modifies packets received via the first network into packets suitable for communication via the second network, and vice versa. The first device (124, 136) is able to reconstruct the header of a received packet as if the packet had been sent via the second network (108) and its transport and security protocols. Further, the first device (124) is able to verify, on the basis of the reconstructed header, verification fields which were generated in accordance with the second transport security protocol.
Publication number US9185133(B2) Publication date 2015.11.10
Application number US201214234451 Filing date 2012.07.24
Applicant KONINKLIJKE PHILIPS N.V. Inventors Keoh Sye Loong;Garcia Morchon Oscar;Kumar Sandeep Shankaran;Brachmann Martina;Erdmann Bozena
Classification G06F12/00;H04L29/06 Main classification G06F12/00
Agency Agent Chakravorty Meenakshy
Main claim 1. A communication system for securely communicating data packets between a first device and a second device, the communication system comprising: a first network being based on a first transport protocol, a first device being configured to communicate via the first network with other devices, the first device being configured to apply a first transport security protocol on top of the first transport protocol, a second network being based on a second transport protocol, a second device being configured to communicate via the second network with other devices, the second device being configured to apply a second transport security protocol on top of the second transport protocol, an intermediate device configured to communicate via the first network with the first device and configured to communicate via the second network with the second device, and being configured to modify data packets received via the first network which are generated in accordance with the first transport security protocol into data packets for communication via the second network in accordance with the second transport security protocol, and vice versa, wherein the first transport protocol or the second transport protocol is a datagram based network protocol and the other one of the first transport protocol or the second transport protocol is a reliable connection oriented transport protocol, the first device is configured to reconstruct a header of a first data packet received from the intermediate device, the header corresponding to a header of a second packet communicated by the second device to the intermediate device and modified by the intermediate device into the first data packet, the first device is configured to verify a security verification field of a received data packet on the basis of the reconstructed header of the first data packet, the verification field being generated by the second device in accordance with the second transport security protocol, wherein the first device is configured to verify the security verification field in accordance with the first transport security protocol and, if this verification is unsuccessful, the header of the first data packet is reconstructed and the security verification field is verified on the basis of the reconstructed header of the first data packet in accordance with the second transport security protocol.
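The two-step verification the claim describes, as an added Python example that is not part of the patent: the second device MACs a record under a datagram-style header (assumed layout modelled on a DTLS record header with epoch and sequence number), the intermediate device rewrites it to a stream-style header (assumed TLS-like layout), and the first device first checks the tag against the header it received, then reconstructs the datagram header from a locally tracked sequence counter and checks again. The shared key, header layouts and version constants are constructed assumptions.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-shared-mac-key"  # constructed: assumed shared by both end devices
DGRAM_VERSION = 0xFEFD   # assumed version value used on the datagram network
STREAM_VERSION = 0x0303  # assumed version value used on the stream network

def stream_header(ctype, version, length):
    # header of the reliable, connection-oriented network (assumed: type, version, length)
    return struct.pack("!BHH", ctype, version, length)

def datagram_header(ctype, version, epoch, seq, length):
    # header of the datagram network (assumed: adds a 16-bit epoch and a 48-bit sequence number)
    return struct.pack("!BHH", ctype, version, epoch) + seq.to_bytes(6, "big") + struct.pack("!H", length)

def mac(header, payload):
    # security verification field: HMAC over header and payload
    return hmac.new(KEY, header + payload, hashlib.sha256).digest()

def second_device_send(payload, epoch, seq, ctype=23):
    # second device protects the record under the datagram header it actually sends
    hdr = datagram_header(ctype, DGRAM_VERSION, epoch, seq, len(payload))
    return hdr, payload, mac(hdr, payload)

def intermediate_convert(dgram_hdr, payload, tag):
    # intermediate device rewrites the header for the stream network; payload and tag are untouched,
    # so the epoch and sequence number are no longer carried in the packet
    ctype = dgram_hdr[0]
    return stream_header(ctype, STREAM_VERSION, len(payload)), payload, tag

class FirstDevice:
    def __init__(self):
        # assumed: the first device tracks the peer's epoch and next expected sequence number
        self.epoch, self.next_seq = 0, 0

    def verify(self, hdr, payload, tag):
        # step 1: verify in accordance with the first (stream) transport security protocol
        if hmac.compare_digest(mac(hdr, payload), tag):
            return "verified-first-protocol"
        # step 2: reconstruct the header as it was on the datagram network and verify again
        ctype, _version, length = struct.unpack("!BHH", hdr)
        rebuilt = datagram_header(ctype, DGRAM_VERSION, self.epoch, self.next_seq, length)
        if hmac.compare_digest(mac(rebuilt, payload), tag):
            self.next_seq += 1
            return "verified-second-protocol"
        return "rejected"
```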
Address Eindhoven NL