Network function virtualization security and trust system

US 10,341,384 B2
Filed: 08/04/2015
Issued: 07/02/2019
Est. Priority Date: 07/12/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an authentication server to authenticate an identity of a first network device and a second network device, the first network device executed to provide a first service for a third network device, and the second network device executed to provide a second service for the third network device, wherein the first service and the second service are provided over a network to the third network device,wherein the authentication server is configured to;

initiate authentication of the identity of the first network device, the second network device, and the third network device, to create a chain of trusted devices in response to the third network device being initiated to operate using the first service and the second service before an integrity of the chain of trusted devices is verified, wherein the initiation of the authentication of the identity of the first network device and the second network device comprises a two factor authentication by the authentication server,receive an accumulated hash from the first network device, the accumulated hash sequentially built by cascading a hash sum through the second network device and the first network device,compare the accumulated hash against a predetermined hash representative of cooperative operation of the first service and the second service in the third network device,verify the integrity of the chain of trusted devices based on the comparison of the accumulated hash against the predetermined hash and by comparing monitored parameters in the third network device related to the cooperative operation of the first service and the second service with predetermined parameters of a federation of the first service and the second service, anddynamically adjust a level of the first service and the second service according to verification of the integrity of the chain of trusted devices.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network function virtualization security and trust system includes a network device that operates as a virtualized network device with virtualized services provided on the network device by network nodes included in the system. Security and trust within the system can include hardware authentication of the network nodes and the network device to obtain a level of security of the hardware provisioning the operation of the virtualized services. Security and trust can also include authentication of the services being used on the virtualized network device. Services authentication can be based on monitoring and analysis of the cooperative operation of the services in the virtualized network device. The virtualized services can be dynamically changed, added or stopped. Hardware authentication and dynamic services authentication in accordance with changes in the virtualized services can dynamically maintain a level of security across the devices and the virtualized services.

46 Citations

13 Claims

1. A system comprising:
- an authentication server to authenticate an identity of a first network device and a second network device, the first network device executed to provide a first service for a third network device, and the second network device executed to provide a second service for the third network device, wherein the first service and the second service are provided over a network to the third network device,wherein the authentication server is configured to;
  
  initiate authentication of the identity of the first network device, the second network device, and the third network device, to create a chain of trusted devices in response to the third network device being initiated to operate using the first service and the second service before an integrity of the chain of trusted devices is verified, wherein the initiation of the authentication of the identity of the first network device and the second network device comprises a two factor authentication by the authentication server,receive an accumulated hash from the first network device, the accumulated hash sequentially built by cascading a hash sum through the second network device and the first network device,compare the accumulated hash against a predetermined hash representative of cooperative operation of the first service and the second service in the third network device,verify the integrity of the chain of trusted devices based on the comparison of the accumulated hash against the predetermined hash and by comparing monitored parameters in the third network device related to the cooperative operation of the first service and the second service with predetermined parameters of a federation of the first service and the second service, anddynamically adjust a level of the first service and the second service according to verification of the integrity of the chain of trusted devices.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the first network device and the second network device provide the first service and the second service, respectively, over the network as part of operational functionality of the third network device.
  - 3. The system of claim 1, wherein the initiation of the authentication of the identity of the first network device and the second network device comprises authentication of the first network device with the authentication server, and authentication of the second network device by the first network device.
  - 4. The system of claim 1, wherein the cooperative operation of the first service and the second service is confirmed by the authentication server based on a predetermined stored template of cooperative operation parameters.
  - 5. The system of claim 1, wherein the authentication server dynamically retrieves another predetermined stored template of cooperative operation parameters in response to a change of the first service or the second service, or addition of another service to the first network device or the second network device.

6. A method of authenticating an identity of a first network device and a second network device, the first network device executed to provide a first service for a third network device, the second network device executed to provide a second service for the third network device, the first service and the second service provided over a network to the third network device, the method comprising:
- initiating authentication of the identity of the first network device, the second network device, and the third network device, to create a chain of trusted devices in response to the third network device being initiated to operate using the first service and the second service before an integrity of the chain of trusted devices is verified, wherein the initiation of the authentication of the identity of the first network device and the second network device comprises a two factor authentication by an authentication server;
  
  receiving an accumulated hash from the first network device, the accumulated hash sequentially built by cascading a hash sum through the second network device and the first network device;
  
  comparing the accumulated hash against a predetermined hash representative of cooperative operation of the first service and the second service in the third network device;
  
  verifying the integrity of the chain of trusted devices based on the comparison of the accumulated hash against the predetermined hash and by comparing monitored parameters in the third network device related to the cooperative operation of the first service and the second service with predetermined parameters of a federation of the first service and the second service; and
  
  dynamically adjusting a level of the first service and the second service according to verification of the integrity of the chain of trusted devices.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the initiation of the authentication of the identity of the first network device and the second network device comprises authentication of the first network device with the authentication server, and authentication of the second network device by the first network device.
  - 8. The method of claim 6, further comprising:
    - confirming the cooperative operation of the first service and the second service based on a predetermined stored template of cooperative operation parameters.
  - 9. The method of claim 6, further comprising:
    - dynamically retrieving another predetermined stored template of cooperative operation parameters in response to a change of the first service or the second service, or addition of another service to the first network device or the second network device.

10. A non-transitory computer readable medium storing instruction for authenticating an identity of a first network device and a second network device, the first network device executed to provide a first service for a third network device, the second network device executed to provide a second service for the third network device, the first service and the second service provided over a network to the third network device, the instructions when executed by a processor cause the processor to:
- initiate authentication of the identity of the first network device, the second network device, and the third network device, to create a chain of trusted devices in response to the third network device being initiated to operate using the first service and the second service before an integrity of the chain of trusted devices is verified, wherein the initiation of the authentication of the identity of the first network device and the second network device comprises a two factor authentication by an authentication server;
  
  receive an accumulated hash from the first network device, the accumulated hash sequentially built by cascading a hash sum through the second network device and the first network device;
  
  compare the accumulated hash against a predetermined hash representative of cooperative operation of the first service and the second service in the third network device;
  
  verify the integrity of the chain of trusted devices based on the comparison of accumulated hash against the predetermined hash and by comparing monitored parameters in the third network device related to the cooperative operation of the first service and the second service with predetermined parameters of a federation of the first service and the second service; and
  
  dynamically adjust a level of the first service and the second service according to verification of the integrity of the chain of trusted devices.
- View Dependent Claims (11, 12, 13)
- - 11. The non-transitory computer readable medium of claim 10, wherein the initiation of the authentication of the identity of the first network device and the second network device comprises authentication of the first network device with the authentication server, and authentication of the second network device by the first network device.
  - 12. The non-transitory computer readable medium of claim 10, wherein the instructions when executed by the processor further cause the processor to:
    - confirm the cooperative operation of the first service and the second service based on a predetermined stored template of cooperative operation parameters.
  - 13. The non-transitory computer readable medium of claim 10, wherein the instructions when executed by the processor further cause the processor to:
    - dynamically retrieve another predetermined stored template of cooperative operation parameters in response to a change of the first service or the second service, or addition of another service to the first network device or the second network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Inventors
Ilyadis, Nicholas, Chen, Xuemin, Klein, Philippe, Hendel, Ariel, Siva, Kumaran David
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Wilcox, James J

Application Number

US14/818,033
Publication Number

US 20170012975A1
Time in Patent Office

1,428 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Network function virtualization security and trust system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Network function virtualization security and trust system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others