US 12,483,390 B2
Computer and network interface controller securely offloading encryption keys and QUIC encryption processing to the network interface controller
Brian Hausauer, Austin, TX (US); and Renato Recio, Austin, TX (US)
Assigned to DreamBig Semiconductor, Inc., San Jose, CA (US)
Filed by DreamBig Semiconductor, Inc., San Jose, CA (US)
Filed on Jun. 2, 2023, as Appl. No. 18/328,562.
Claims priority of provisional application 63/366,283, filed on Jun. 13, 2022.
Prior Publication US 2023/0403149 A1, Dec. 14, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/08 (2006.01); G06F 13/10 (2006.01); H04L 9/14 (2006.01); H04L 9/32 (2006.01); H04L 9/40 (2022.01); H04L 49/901 (2022.01)
CPC H04L 9/0819 (2013.01) [G06F 13/102 (2013.01); H04L 9/0825 (2013.01); H04L 9/0827 (2013.01); H04L 9/0866 (2013.01); H04L 9/0894 (2013.01); H04L 9/14 (2013.01); H04L 9/3268 (2013.01); H04L 49/901 (2013.01); H04L 63/0272 (2013.01); H04L 63/0428 (2013.01); H04L 63/0485 (2013.01); H04L 63/164 (2013.01)]
18 Claims
1. A secure computer system comprising:
a computer including:
a computer processor;
a memory controller coupled to the computer processor;
computer memory coupled to the computer processor and the memory controller;
a computer peripheral device interface coupled to the computer processor and to the computer memory;
a computer encryption engine coupled to the computer memory, the memory controller and the computer peripheral device interface; and
computer non-transitory storage for programs to execute from computer memory on the computer processor,
wherein the computer processor and the memory controller are configured to provide secure memory areas within the computer memory, encrypted memory areas within the secure memory areas, and session encryption key secure storage for encryption keys used for QUIC communications between a local program and a remote program over a network within the secure memory areas;
wherein the computer processor is configured to execute programs from secure memory areas;
wherein the computer non-transitory storage includes a local program to be executed from a secure memory area, wherein the local program is configured to operate with data stored in an encrypted memory area within the secure memory area, wherein the local program is configured for communicating data contained in the encrypted memory area to a remote computer over a network according to a QUIC protocol; and
a network interface controller (NIC) for connection to the computer and the network, the NIC including:
a NIC peripheral device interface for connection to the computer;
a network interface for connection to the network;
a NIC processor coupled to the NIC peripheral device interface and the network interface;
NIC memory coupled to the NIC processor, the NIC peripheral device interface and the network interface, the NIC memory including:
session encryption key secure storage for encryption keys used for the communications between the local program and the remote program over the network; and
secure buffer storage for holding communication data in transit;
NIC non-transitory storage for programs to execute from the NIC memory on the NIC processor, the NIC non-transitory storage including a NIC QUIC program for use with the communications between the local program and the remote program; and
a NIC encryption engine coupled to the NIC peripheral device interface, the network interface, the session encryption key secure storage, and the secure buffer storage to encrypt and decrypt communication packets over the network interface using keys stored in the session encryption key secure storage, wherein the NIC encryption engine is configured to encrypt data packets leaving the NIC through the network interface and decrypt data packets entering the NIC through the network interface;
wherein the computer peripheral device interface and the NIC peripheral device interface are configured to provide a secure peripheral device communication path between the local program and the NIC;
wherein the local program and the NIC QUIC program are configured to securely exchange session encryption keys over the secure peripheral device communication path,
wherein the local program is configured to provide a local session primary encryption key to the NIC QUIC program,
wherein at least one of the NIC QUIC program and the local program is configured to develop a connection ID (CID) and a derived session encryption key using the local session primary encryption key and at least one field contained in the packets being exchanged,
wherein, when the NIC QUIC program is configured to develop the CID and derived session encryption key, the NIC QUIC program is configured to provide the CID and derived session encryption key to the local program,
where the local program is configured to interact with the remote program to exchange CIDs and derived session encryption keys with the remote program,
wherein the local program is configured for the local program to provide a received remote CID and received remote derived session encryption key to the NIC QUIC program,
wherein, when the local program is configured to develop the CID, the local program is configured for the local program to provide the CID to the NIC QUIC program,
wherein the NIC QUIC program is configured to provide the received remote derived session encryption key to the NIC encryption engine to allow the NIC encryption engine to encrypt packets being transmitted to the remote program with the received remote derived session encryption key,
wherein the NIC QUIC program is configured to provide the local session primary encryption key to the NIC encryption engine to allow the NIC encryption engine to decrypt packets being received from the remote program,
wherein the NIC encryption engine and the network interface develop an ingress derived session encryption key based on the local session primary encryption key and at least one field contained in packets received from the remote program, and
wherein the NIC encryption engine uses the ingress derived session encryption key to decrypt packets received from the remote program.
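Added example, not taken from the patent or from DreamBig's implementation: a sketch of the ingress behaviour in the last two limitations, where the NIC stores only the local session primary encryption key and rebuilds the per-connection key from a field of the received packet. The claim names neither the derivation function nor the field; one-block HKDF-Expand over HMAC-SHA256, the CID as the field, the 8-byte CID length, and an HMAC tag standing in for the packet AEAD are all assumptions, as are the function names.

```python
import hashlib
import hmac

CID_LEN = 8    # assumed fixed CID length for this sketch
TAG_LEN = 16   # truncated HMAC tag, standing in for the packet AEAD tag


def derive_session_key(primary_key: bytes, cid: bytes) -> bytes:
    """Derived session key from the primary key and a packet field (the CID).

    One-block HKDF-Expand (RFC 5869): T(1) = HMAC(PRK, info || 0x01).
    The KDF and the info label are assumptions, not the patent's choice.
    """
    info = b"derived session key" + cid
    return hmac.new(primary_key, info + b"\x01", hashlib.sha256).digest()


def remote_seal(cid: bytes, derived_key: bytes, payload: bytes) -> bytes:
    """Remote side: it was handed only the CID and the derived key."""
    body = cid + payload
    tag = hmac.new(derived_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def nic_ingress(primary_key: bytes, packet: bytes):
    """NIC side: no per-connection key table, only the primary key.

    Returns (cid, payload) if the packet authenticates, else None.
    """
    if len(packet) < CID_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    cid = body[:CID_LEN]
    # Ingress derived key is recomputed from the field carried in the packet.
    key = derive_session_key(primary_key, cid)
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return cid, body[CID_LEN:]


if __name__ == "__main__":
    primary = bytes(range(32))            # constructed sample key
    cid = b"\x11" * CID_LEN               # constructed sample CID
    pkt = remote_seal(cid, derive_session_key(primary, cid), b"stream data")
    print(nic_ingress(primary, pkt))
    print(nic_ingress(primary, b"\x22" * CID_LEN + pkt[CID_LEN:]))  # CID altered
```

Because the key is bound to the CID, a packet whose CID field is altered in transit derives a different key and fails authentication, and the remote program never learns the primary key.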