Apple, Inc. v. Motorola, Inc. et al
Filing
97
Declaration of Carlos A. Rodriguez filed by Defendants Motorola Mobility, Inc., Motorola, Inc. re: 96 Claims Construction Initial Brief, 95 Motion Requesting Claims Construction (Attachments: # 1 Exhibit 1 - Patent No. 6,275,983, # 2 Exhibit 2 - Patent No. 5,969,705, # 3 Exhibit 3 - Patent No. 5,566,337, # 4 Exhibit 4 - Patent No. 5,455,599, # 5 Exhibit 5 - Patent No. 6,424,354, # 6 Exhibit 6 - Reissued Patent No. RE 39,486, # 7 Exhibit 7 - Patent No. 5,929,852, # 8 Exhibit 8 - Patent No. 5,946,647, # 9 Exhibit 9 - Patent No. 5,481,721, # 10 Exhibit 10 - Patent No. 6,493,002, # 11 Exhibit 11 - Patent No. 6,175,559, # 12 Exhibit 12 - Patent No. 5,490,230, # 13 Exhibit 13 - Patent No. 5,319,712, # 14 Exhibit 14 - Patent No. 5,572,193, # 15 Exhibit 15 - Excerpts from '983 Patent Prosecution History, # 16 Exhibit 16 - Excerpts from '354 Patent Prosecution History, # 17 Exhibit 17 - Excerpts from '486 Patent Prosecution History, # 18 Exhibit 18 - Excerpts from '230 Patent Prosecution History, # 19 Exhibit 19 - Apple's Infringement Contentions Claim Chart for '983 Patent, # 20 Exhibit 20 - Apple's Infringement Contentions Claim Chart for '705 Patent, # 21 Exhibit 21 - Apple's Infringement Contentions Claim Chart for '337 Patent, # 22 Exhibit 22 - Apple's Infringement Contentions Claim Chart for '599 Patent, # 23 Exhibit 23 - Apple's Infringement Contentions Claim Chart for '354 Patent, # 24 Exhibit 24 - Apple's Infringement Contentions Claim Chart for '486 Patent, # 25 Exhibit 25 - Apple's Infringement Contentions Claim Chart for '852 Patent, # 26 Exhibit 26 - Apple's Infringement Contentions Claim Chart for '647 Patent, # 27 Exhibit 27 - Apple's Infringement Contentions Claim Chart for '721 Patent, # 28 Exhibit 28 - Apple's Infringement Contentions Claim Chart for '002 Patent, # 29 Exhibit 29 - Excerpts from NeXTSTEP Object-Oriented Programming and the Objective C Language, # 30 Exhibit 30 - July 30, 2010 ITC Order Construing Terms of Asserted Claims in Inv. No. 337-TA-704, # 31 Exhibit 31 - April 4, 2011 Joint Motion to Amend Filed in ITC Inv. No. 337-TA-710, # 32 Exhibit 32 - Excerpts from '002 Patent Prosecution History, # 33 Exhibit 33 - Patent No. 5,588,105, # 34 Exhibit 34 - Patent No. 5,659,693, # 35 Exhibit 35 - Henderson & Card Article, # 36 Exhibit 36 - Patent No. 5,202,961, # 37 Exhibit 37 - Patent App. No. 08/316,237) (Hansen, Scott)
EXHIBIT 13
111111111111111111111111111111111111111111111111111111111111111111111111111
United States Patent
US005319712A
£191
[11]
Finkelstein et al.
[45]
[54]
METHOD AND APPARATUS FOR
PROVIDING CRYPI'OGRAPHIC
PROTECTION OF A DATA STREAM IN A
COMMUNICATION SYSTEM
[75]
Inventors: Louis D. Finkelstein, Wheeling;
James J. Kosmach, Palatine; Jeffrey
C. Smolinske, Hoffman Estates, all of
Ill.
[73]
Assignee:
[21]
Appl. No.: 112,780
[22] Filed:
Motorola, Inc., Schaumburg, Ill.
Systems in the Data Services Task Group on Jul. 7,
1993 at the Woodmark Hotel in Kirkland.
"Proposed RLP Header Formats" proposed by AT & T
Bell Laboratories, 1000 East Warrenville Road, Naperville, Ill. 60566-7013 which was presented to the Telecommunications Industry Association (TIA) subcommittee TR45.3.2.5 for Digital Cellular Systems in the
Data Services Task Group on Jul. 7, 1993 at the Woodmark Hotel in Kirkland.
Primary Examiner-Salvatore Cangialosi
Attorney, Agent, or Firm-Shawn B. Dempster
[57]
Aug. 26, 1993
[51]
[52]
[58]
Int. CI.s ............................................... H04L 9/28
U.S. Cl .......................................... 380/44; 380/49
Field of Search ............................. 380/25, 44, 49;
370/94.1
[56]
References Cited
U.S. PATENT DOCUMENTS
4,866,772 9/1989 Schroyer ............................... 380/25
5,099,517 2/1992 Gupta et al ........................... 380/49
5,161,193 11/1992 Lampson et al ...................... 380/49
5,235,595 8/1993 O'Dowd ........................... : 370/94.1
5,235,644 8/1993 Gupta et al. .......................... 380/49
OTHER PUBLICATIONS
"The Basics Book of OSI and Network Management"
by Motorola Codex from Addison-Wesley Publishing
Company, Inc., 1993 (First Printing Sep. 1992).
"Description of Receiver State Feedback Protocol"
proposed by AT & T Bell Laboratories, 1000 East Warrenville Road, Naperville, Ill. 60566 which was presented to the Telecommunications Industry Association
(TIA) subcommittee TR45.3.2.5 for Digital Cellular
5,319,712
Jun.7, 1994
Patent Number:
Date of Patent:
ABSTRACT
A method and apparatus for ·providing cryptographic
protection of a data stream are described in accordance
with the Open Systems Interconnection (OSI) model
for a communication system. This cryptographic protection is accomplished on the transmitting side by assigning a packet sequence number to a packet derived
from a data stream received from a network layer. Subsequently, a transmit overflow sequence number is updated as a function of the packet sequence number.
Then, prior to communicating the packet and the
packet sequence number on a physical1ayer, the packet
is encrypted as a function of the packet sequence number and the transmit overflow sequence number. On the
receiving side, the packet sequence number is extracted
from the physical layer. In addition, a receive overflow
sequence number is updated as a function of the packet
sequence number. Finally, the encrypted packet is decrypted as a function of the packet sequence number
and the receive overflow sequence number. In addition,
a transmitting and a receiving communication unit for
use in a communication system which includes cryptographic protection of a data stream is described.
18 Claims, 1 Drawing Sheet
SESSION
KEY
TX ARC BUFFER
I
I
L---------------------------~L------------------100
112
------~
LAYER 3
102
110
104
c::
r --LAYER-;
•
IJ60
r--------:1-----------------,r-----~------------ _....__ _ _....,
------,
108
LAYER 2
LAYER 2
.---15_8_
U
~
4
116
~ ~ 24 BIT OVERFLOW
~-
SESSION
KEY
11
---1-----.
ASSIGN 7-BIT ARQ
SEQUENCE NUMBER
SEQ. NUMBER.
GENERATE
ENCRYPT
MASK
I
SESSION
KEY
178
GENERATE
ENCRYPT
MASK
11
I
-.--
118
11111111111···[0]
g, 'i
11..-
128
TX ARQ BUFFER
~---..----. .
('I)
EXTRACT 7-BIT
ARQ SEQ NUMBER
SEQ. NUMBER
0
::
174
~
1-l
~
1720VERFLOW
158 -1
IIIIIIIIIII···ITDJ
RX ARQ BUFFER
II
II
--------------------~------.JL-------------------
100
FIG .1
§
II
II
II
II
II
=
f"'t-
170
166~ 1,.-176
:: ~ ~ 24 BIT OVERFLOW
11
11
~
=
n>
f"'t-
~
II
II .-----.----lL.....------.
II ~:z
v-126
•
156
II
II
II
::
{106
CONCATENATE 21 BYTE
PACKETS TO RE-CREATE
DATA STREAM
164
::
122
:z :z:
=>'if
II
11
SEGMENT DATA INTO
21 BYTE PACKETS
•
00.
-1------.J
162--...
tt2"---
LAYER 1
01
,.
(N
LAYER 1
......
\C)
,. .
--..1
......
~
1
5,319,712
2
signal, it is not optimized for use with a highly redunMETHOD AND APPARATUS FOR PROVIDING.
dant data stream typical of packetized data communicaCRYPTOGRAPHIC PROTECTION OF A DATA
tion systems. Packetized data adds an additional probSTREAM IN A COMMUNICATION SYSTEM
lem to the typical encryption process. Packets of data
5 may arrive at different times at a subscriber unit or a
FIELD OF THE INVENTION
base site communication unit because of the unreliability of the physical communication link and because of
The present invention relates to communication systhe algorithms used to compensate for this unreliability.
tems and, more particularly, to cryptographic protection within communication systems.
These "packetized" data packets merely need to be
10 reassembled in the same order in which they were creBACKGROUND OF THE INVENTION
ated. Therefore, a need exists for an encryption techMany communications systems currently use encrypnique which can alleviate the foregoing problems assotion to enhance security of the systems. As will be apciated with packetized data.
preciated by those skilled in the art, these communicaSUMMARY OF THE INVENTION
tion systems can be described according to the Open 15
Systems Interconnection (OSI) model which includes
These needs and others are substantially met through
seven layers including an application, presentation, sesthe provision of a method and apparatus for providing
sion, transport, network, link, and physical layer. The
cryptographic protection of a data stream in a commuOSI model was developed by the International Organinication system. The communication system is dezation for Standardization (ISO) and is described in 20
scribed in accordance with the Open Systems Intercon"The Basics Book of OSI and Network Management"
nection (OSI) model which includes seven layers inby Motorola Codex from Addison-Wesley Publishing
cluding an application, presentation, session, transport,
Company, Inc., 1993 (First Printing September 1992).
network, link, and physical layer. This cryptographic
Communication systems include, but are not restricted, to cellular radio telephone communication 25 protection is accomplished on the transmitting side by
assigning a packet sequence number to a packet derived
systems, personal communication systems, paging sysfrom a data stream received from a network layer. Subtems, as well as wireline and wireless data networks. By
sequently, a transmit overflow sequence number is upway of example a cellular communication system will
dated as a function of the packet sequence number.
be described below; however, it wiii be appreciated by
those skilled in the art that the encryption techniques 30 Then, prior to communicating the packet and the
packet sequence number on a physical layer, the packet
described can be readily extended to other communicais encrypted as a function of the packet sequence numtion systems without departing from the scope and spirit
ber and the transmit overflow sequence number. On the
of the present invention.
receiving side, the packet sequence number is extracted
Turning now to cellular communication systems,
these systems typically include subscriber units (such as 35 from the physical layer. In addition, a receive overflow
mobile or portable units) which communicate with a
sequence number is updated as a function of the packet
fixed network communication unit (i.e., a base site) via
sequence number. Finally, the encrypted packet is deradio frequency (RF) communication links. In cellular
crypted as a function of the packet sequence number
communication systems, the RF communication link is
and the receive overflow sequence number. In addition,
the primary target for cryptographic systems, because it 40 a transmitting and a receiving communication unit for
is the most vulnerable to unauthorized introduction
use in a communication system which includes crypto(spoofing) or extraction (eavesdropping) of informagraphic protection of a data stream is described.
tion. It is well known in the art that information in these
BRIEF DESCRIPTION OF THE DRAWINGS
communication links may be cryptographically protected by encrypting them with a pseudo-noise (PN) 45
FIG. 1 is a block diagram showing a preferred emsignal which is pseudo-random in nature. For example
bodiment communication system having cryptographic
this may be accomplished by performing an exclusiveprotection of a data stream in accordance with the presor operation of an information signal with a PN signal,
ent invention.
prior to transmission. Subsequently, the inverse operation can be performed during the receiving process. . SO
DETAILED DESCRIPTION
In addition, another encryption technique which is
Referring now to FIG. 1, a preferred embodiment
used in the authentication process is described in the
communication system 100 having cryptographic proUnited States Digital Cellular (USDC) standard
tection of a data stream in accordance with the present
(known as IS-54 and IS-55) and published by the Electronic Industries Association (EIA), 2001 Eye Street, 55 invention is shown. The communication system will be
described in the following passages according to the
N.W., Washington, D.C. 20006. The USDC encryption
OSI model. In this respect, it will be appreciated by
technique utilizes a series of specialized messages which
those skilled in the art that the transmitting portion 102
must be passed between the subscriber unit and a base
of the data link layer (i.e., Layer 2) may be located in
site communication unit of the communication system
to generate shared secret data (SSD) encryption vari- 60 either the subscriber communication unit or base site
communication unit of a cellular communication sysabies (i.e., encrypting keys known to a subscriber unit
tem. Similarly, the receiving portion 104 of the data link
and a communication unit which form a communication
layer also may be located in either the subscriber comlink) for an authentication (i.e., the SSDA key) and a
munication unit or base site communication unit. In
voice privacy function (i.e., the SSDB key).
While the USDC voice privacy encryption process, 65 addition, the direction of transmission between the
transmitting portion 102 and the receiving portion 104
which utilizes a short, non-changing PN sequence that
may be either uplink (i.e., subscriber unit to base site
is repeatedly used to encrypt each successive voice
packet, is sufficient for a typically non-redundant voice
unit) or downlink (i.e., base site unit to subscriber unit).
5,319,712
3
The preferred embodiment communication system
100 cryptographic protection scheme has been optimized for use in conjunction with a "Description of
Receiver State Feedback Protocol" proposed by
AT&T Bell Laboratories, 1000 East Warrenville Road,
Naperville, Ill. 60566-7013 which was presented to the
Telecommunications Industry Association (TIA) subcommittee TR45.3.2.5 for Digital Cellular Systems in
the Data Services Task Group on Jul. 7, 1993, at the
Woodmark Hotel in Kirkland, Wash. However, it will
be appreciated by those skilled in the art that any automatic repeat request (ARQ) scheme may be utilized in
the preferred embodiment described herein by using the
data packet sequence number (SN) plus an extension for
the data packet frame counter without departing from
the scope or spirit of the present invention. In addition,
a synchronous cipher scheme, as is used in the preferred
embodiment, can be utilized in conjunction with any
packetized data system that applies a sequence number
to each packet.
In FIG. 1, a data stream 108 which comes from Network Layer 3 110 and goes to Network Layer 3. 160
(renamed data stream 158) is transferred from the Data
Link Layer 2 transmitter portion 102 to the Data Link
Layer 2 receiver portion 104 reliably using the abovenoted Receiver State Feedback protocol on Physical
Layer 1112, 162. The data stream preferably consists of
a digitized information signal containing system control
information, short messages, graphic image information, compressed voice, textual data, and or any other
form of data which can be digitized for transfer over a
radio communication link. A pseudo-random bit generator 106, 156, respectively, is used to generate an encrypt mask and a decrypt mask for enciphering and
deciphering the data stream 108, 158, respectively. In
order to accomplish this search pseudo-random bit generator 106, 156 is re-initialized during each data frame
by using a session key and a frame number. The session
key preferably is a shared secret data (SSD) key which
was derived from a previously completed authentication process by the communication units which are
currently performing the data stream transfer. In addition, the frame number preferably is a 32 bit number
which is maintained as a side effect of the ARQ scheme.
The frame number preferably has the structure shown
in Table 1 below.
s
10
15
20
25
·
30
35
40
45
TABLE 1
Bit 31
Bits 30 thru 7
Bits 6 thru 0
Direction
0 =uplink
I= downlink
Overflow
Counter
SN
(ARQ sequence
number)
50
The upper bit indicates the direction of data stream
transfer and is used to prevent repeated use of the same
encryption mask,. once in each direction, the lower bits 55
are identical to the ARQ sequence number SN and the
middle bits are an overflow counter, incremented every
time the sequence number SN rolls over.
As can be seen in FIG. 1, the encipherment 120 is
performed (e.g., an exclusive-or operation of the packe- 60
tized data stream 126 with the encryption mask 128) on
the Layer 3 data stream 108 after it has been segmented
114 into 21 byte packets and a 7-bit long ARQ sequence
number SN has been assigned 116, but before the data
segment enters the ARQ repeat mechanism 118. When 65
SN 116 rolls over (e.g., indicated by an overflow signal
122), the 24 bit long overflow counter 124 is incremented. Each Layer 2 packetized data stream segment
4
so encrypted is then put into the ARQ transmission
buffer 118 and is transmitted to the Layer 2 receiver
portion 102 by the ARQ mechanism on Layer 1 112,
162. The Layer 2 header information (including the
sequence number) is not encrypted. Because the encryption 120 is done above the ARQ repeat mechanism,
each data segment 126 is encrypted only once no matter
how many times the ARQ mechanism 112, 118, 162, 168
requires it to be retransmitted across the data link.
On the Data Link Layer 2 receiver portion 104, the
ARQ mechanism accumulates Layer 2 frames in a receiver buffer 168. The receiver buffer 168 is used to
hold Layer 2 frames that have been received out of
sequence. Once all previous frames have been received
reliably, the 7 bit long SN is extracted 166 and the overflow counter 174 is incremented if SN has rolled over
(e.g., indicated by an overflow signal172). SN and the
overflow counter are used along with session key (i.e.,
an SSD) to generate 156 the identical pseudo-random
bit stream 178 (i.e., decrypt mask) that was used to
encrypt the Layer 2 packetized data stream segment.
Subsequently, the packetized data stream segment 178 is
sent to the decryption unit 170 where each of the segments 176 are decrypted in the correct sequence. After
each segment is decrypted, the Layer 3 data stream 158
is then reconstructed 164 from the 21 byte length packets. It should be noted that by placing the decryption
above the receiver portion 104 ARQ buffer 168, each
data frame is decrypted only once regardless of the
number of times it is transmitted across the physical
layer 112, 162 communication link.
It will be appreciated by those skilled in the art that
the preferred embodiment cryptographic protection
scheme (i.e., a synchronous cipher scheme) which is
described above is more robust than non-synchronized
encryption scheme which could be implemented in the
Network Layer 3. For example, in the case of the ARQ
scheme failing to detect a corrupted data segment, it is
probable that an incorrect number of data bytes would
be sent to Layer 3. If the encryption were performed at
Layer 3 all subsequent data packets would be decrypted
incorrectly when a single packet is lost. However in a
Layer 2 encryption, the synchronous cipher restarts the
decryption unit 170 for each data segment and only the
data segment containing the error is lost. All subsequent
data frames are decrypted correctly.
In an alternative embodiment, if no ARQ mechanism
is used, the data stream 108 can be handled by using a
similar segment structure at Layer 2 with a sequence
number SN. However, because there is no automatic
repeat, each packetized data stream segment is encrypted and then transmitted just once. In addition, the
Layer 2 receiving portion 104 expects to receive the
segments (packets) in sequence. Because the sequence
number is large, up to 63 consecutive data segments
(packets) can be lost without creating an ambiguity in
the state of the overflow counter 174 in the receiving
portion 104. It should be noted that an exchange of
acknowledge messages at call startup and following
handoffs may be required in order to unambiguously
initialize the overflow counters 124, 174.
Another concern is how to handle encryption
through a communication channel handoff in a cellular
system, the best way to handle this depends upon the
precise operation of the radio link protocol (RLP) during handoff. However, typically the sequence number
SN is reset when establishing a new data link. If that is
5
5,319,712
the way RLP operates, then the overflow counter
should be initialized to a value which is one greater than
its value before the handoff. An acknowledged exchange of messages during the handoff also may be
necessary in order to communicate the state of the over- 5
flow counters 124, 174.
The preferred embodiment of the present invention
may be summarized in reference to FIG. 1 in the following manner. In a communication system 100 having a
physical layer (Layer 1), data link layer (Layer 2), and 10
a network layer (Layer 3), a method and apparati for
providing cryptographic protection of a data stream are
shown. The cryptographic protection is provided by
segmenting 114 a data stream 108 received from the
network layer 110 into a plurality of packets. A packet 15
sequence number is assigned 116 to each packet of the
plurality of packets. In addition, each transmit overflow
sequence number is updated 124 as a function of each
packet sequence number. Further, each transmit overflow sequence number is modified 124 to indicate the 20
direction of transmission. This direction of transmission
may be an uplink transmission or a downlink transmis-.
sion. Each particular packet of the plurality of packets
is encrypted 120 as a function of a predetermined session key, the packet sequence number associated with 25
the particular packet, and the modified transmit overflow sequence number associated with the particular
packet. The encrypted plurality of packets are buffered
118 for subsequent transmission. The encrypted plurality of packets and the packet sequence number associ- 30
ated with each packet are transmitted on the physical
layer 112 and 162.
In the receiving portion 104, the encrypted plurality
of packets and the packet sequence number associated
with each packet are received from the physical layer 35
into a receiving buffer 168. Each packet sequence number is extracted 166 from the receiving buffer. In addition, the plurality of packets are organized within the
receiving buffer 168 to ensure that the plurality of packets are extracted from the receiving buffer in order by 40
sequence number. Further, a receive overflow sequence
number is updated 174 as a function of each packet
sequence number. The receive overflow sequence numbers are modified to indicate the direction of reception,
where the direction of reception is either an uplink 45
reception or a downlink reception. Subsequently, each
encrypted packet of the plurality of packets in the receiving buffer is decrypted 170 as a function of the
predetermined session key, the packet sequence number
associated with the particular packet, and the modified 50
receive overflow sequence number associated with the
particular packet. Finally, the decrypted plurality of
packets is concatenated 164 to form a received data
stream 158 which is sent to the network layer 160.
Although the invention has been described and illus- 55
trated with a certain degree of particularity, it is understood that the present disclosure of embodiments has
been made by way of example only and that numerous
changes in the arrangement and combination of parts, as
well as steps, may be resorted to by those skilled in the 60
art without departing from the spirit and scope of the
invention as claimed. For example, the communication
channel could alternatively be an electronic data bus,
computer network line, wireline, optical fiber link, satellite link, or any other type of communication channel. 65
What is claimed is:
1. In a communication system having a physical
layer, data link layer, and a network layer, a method for
6
providing cryptographic protection of a data stream,
comprising:
(a) assigning a packet sequence number to a packet
derived from a data stream received from the network layer;
(b) updating a transmit overflow sequence number as
a function of the packet sequence number;
(c) encrypting, prior to communicating the packet
and the packet sequence number on the physical
layer, the packet as a function of the packet sequence number and the transmit overflow sequence number;
(d) extracting the packet sequence number from the
physical layer;
(e) updating a receive overflow sequence number as a
function of the packet sequence number; and
(f) decrypting the encrypted packet as a function of
the packet sequence number and the receive overflow sequence number. ·
2. The method of claim 1 wherein:
(a) the step of updating the transmit overflow sequence number includes modifying each transmit
overflow sequence number to indicate the direction of transmission, the direction of transmission
being selected from the group consisting of a
uplink transmission and a downlink transmission;
and
(b) the step of updating the receive overflow sequence number includes modifying each receive
overflow sequence number to indicate the direction of reception.
3. The method of claim 1:
(a) further comprising the step of buffering the encrypted packet;
(b) further comprising the step of transmitting the
encrypted packet and the packet sequence number
associated with the packet on the physical layer;
(c) further comprising the step of receiving the encrypted packet and the packet sequence number
associated with the packet from the physical layer
into a receiving buffer; and
(d) wherein the step of extracting comprises extracting the packet sequence number from the receiving
buffer.
4. The method of claim 1 further comprising the steps
of:
(a) concatenating the decrypted packet with other
decrypted packets to form a received data stream;
and
(b) sending the received data stream to the network
layer.
5. In a communication system having a physical
layer, data link layer, and a network layer, a method for
providing cryptographic protection of a data stream,
comprising:
(a) segmenting a data stream received from the network layer into a plurality of packets;
(b) assigning a packet sequence number to each
packet of the plurality of packets;
(c) updating each transmit overflow sequence number as a function of each packet sequence number;
(d) modifying each transmit overflow sequence number to indicate the direction of transmission, the
direction of transmission being selected from the
group consisting of an uplink transmission and a
downlink transmission;
(e) encrypting each particular packet of the plurality
of packets as a function of a predetermined session
7
5,319,712
key, the packet sequence number associated with
the particular packet, and the modified transmit
overflow sequence number associated with the
particular packet;
(f) buffering the encrypted plurality of packets;
(g) transmitting the encrypted plurality of packets
and the packet sequence number associated with
each packet on the physical layer;
(h) receiving the encrypted plurality of packets and
the packet sequence number associated with each
packet from the physical layer into a receiving
buffer;
(i) extracting each packet sequence number from the
receiving buffer;
G) organizing the plurality of packets within the receiving buffer to ensure that the plurality of packets are extracted from the receiving buffer in order
by sequence number;
(k) updating a receive overflow sequence number as a
function of each packet sequence number;
(I) modifying each receive overflow sequence numher to indicate the direction of reception, the direction of reception being selected from the group
consisting of an uplink reception and a downlink
reception;
(m) decrypting each encrypted packet of the plurality
of packets in the receiving buffer as a function of
the predetermined session key, the packet sequence
number associated with the particular packet, and
the modified receive overflow sequence number
associated with the particular packet;
(n) concatenating the decrypted plurality of packets
to form a received data stream;. and
(o) sending the received data stream to the network
layer.
6. A transmitting communication unit for providing
cryptographic protection of a data stream in a communication system having a physical layer, data link layer,
and a network layer, transmitting communication unit
comprising a data link layer device having:
(a) assigning means for assigning a packet sequence
number to a packet derived from a data stream
received from the network layer;
(b) updating means, operatively coupled to the assigning means, for updating a transmit overflow
sequence number as a function of the packet sequence number; and
(c) encrypting means, operatively coupled to the
assigning means and the updating means, for encrypting, prior to communicating the packet and
the packet sequence number on the physical layer,
the packet as a function of the packet sequence
number and the transmit overflow sequence number.
7. The transmitting communication unit of claim 6
wherein the data link layer device updating means comprises means for modifying each transmit overflow
sequence number to indicate the direction of transmission, the direction of transmission being selected from
the group consisting of a uplink transmission and a
downlink transmission.
8. The transmitting communication unit of claim 6
wherein the data link layer device further comprises a
buffer means, operatively coupled to the encrypting
means, for buffering the encrypted packet and the transmitting communication unit further comprises a physical layer device, operatively coupled to the data link
layer device, having transmitting means for transmitting
S
10
15
20
25
30
35
40
45
50
55
60
65
8
the encrypted packet and the packet sequence number
associated with the packet on the physical layer.
9. The transmitting communication unit of claim 6
wherein the physical layer includes a communication
channel selected from the group consisting of an electronic data bus, computer network line, wireline, optical fiber link, satellite link, and a radio communication
link.
10. The transmitting communication unit of claim 6
wherein the communication unit is selected from the
group consisting of the subscriber communication unit
and the base site communication unit of the communication system.
11. A receiving communication unit for providing
cryptographic protection of a data stream in a communication system having a physical layer, data link layer,
and a network layer, receiving communication unit
comprising a data link layer device having:
(a) extracting means for extracting a packet sequence
number from the physical layer;
(b) updating means, operatively coupled to the extracting means, for updating a receive overflow
sequence number as a function of the packet sequence number; and
(c) decrypting means, operatively coupled to the
extracting means and the updating means, for decrypting an encrypted packet as a function of the
packet sequence number and the receive overflow
sequence number.
12. The receiving communication unit of claim 11
wherein the data link layer device updating means comprises means for modifying each receive overflow sequence number to indicate the direction of reception,
the direction of reception being selected from the group
consisting of a uplink reception and a downlink reception.
13. The receiving communication unit of claim 11
further comprising a physical layer device, operatively
coupled to the data link layer device, having a receiving
means for receiving the encrypted packet and the
packet sequence number associated with the packet into
a receiving buffer and wherein the data link layer extracting means comprises means for extracting the
packet sequence number from the receiving buffer.
14. The receiving communication unit of claim 11
wherein the physical layer includes a communication
channel selected from the group consisting of an electronic data bus, computer network line, wireline, optical fiber link, satellite link, and a radio communication
link.
15. The receiving communication unit of claim 11
wherein the communication unit is selected from the
group consisting of the subscriber communication unit
and the base site communication unit of the communication system.
16. The receiving communication unit of claim 11
wherein the data link layer device further comprises:
(a) concatenating means, operatively coupled to the
decrypting means, for concatenating the decrypted
packet with other decrypted packets to form a
received data stream; and
(b) sending means, operatively coupled to the concatenating means, for sending the received data
stream to the network layer.
17. In a communication system having a physical
layer, data link layer, and a network layer, a method for
providing cryptographic protection of a data stream,
comprising:
9
5,319,712
10
18. In a communication system having a physical
(a) assigning a packet sequence number to a packet
layer, data link layer, and a network layer, a method for
derived from a data stream received from the netproviding cryptographic protection of a data stream,
work layer;
comprising:
(b) updating a transmit overflow sequence number as 5
(a) extracting a packet sequence number from the
a function of the packet sequence number; and
physical layer;
(b) updating a receive overflow sequence number as a
(c) encrypting, prior to communicating the packet
function of the packet sequence number; and
and the packet sequence number on the physical
(c) decrypting an encrypted packet as a function of
layer, the packet as a function of the packet se- 10
the packet sequence number and the receive overquence number and the transmit overflow seflow sequence number.
quence number.
• •
• •
15
20
25
30
35
40
45
50
55
60
65
•