Cryptographically secure network

US 20020019932A1
Filed: 10/15/2001
Published: 02/14/2002
Est. Priority Date: 06/10/1999
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for creating a cryptographically secure network between at least two access systems, the method comprising a switch system performing the steps of:

associating each of a plurality of access systems with a public key from a private-public key pair associated with said access system;

in response to a request from a first access system to transmit data to a second access system;

authenticating the first access system using the public key associated with the first access system;

forming a first cryptographically secure network connection between the authenticated first access system and the switch system;

accepting data from the authenticated first access system via the first cryptographically secure network connection;

authenticating the second access system using the public key associated with the second access system;

forming a second cryptographically secure network connection between the authenticated second access system and the switch system; and

transmitting the data to the authenticated second access system via the second cryptographically secure network connection.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable medium for securely transmitting data (400) between at least two access systems (300, 320) via a switch system (310). Through the use encryption keys and the switch system (310) acting a central switch, any two access systems are able to securely transmit data (400) between them. The present invention can be implemented by means of an application proxy (1000), a secure connection enabled application, or application program interfaces.

144 Citations

View as Search Results

53 Claims

1. A computer-implemented method for creating a cryptographically secure network between at least two access systems, the method comprising a switch system performing the steps of:
- associating each of a plurality of access systems with a public key from a private-public key pair associated with said access system;
  
  in response to a request from a first access system to transmit data to a second access system;
  
  authenticating the first access system using the public key associated with the first access system;
  
  forming a first cryptographically secure network connection between the authenticated first access system and the switch system;
  
  accepting data from the authenticated first access system via the first cryptographically secure network connection;
  
  authenticating the second access system using the public key associated with the second access system;
  
  forming a second cryptographically secure network connection between the authenticated second access system and the switch system; and
  
  transmitting the data to the authenticated second access system via the second cryptographically secure network connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 2. The method of claim 1 wherein the switch system issues to an access system the access system'"'"'s private-pubic key pair.
  - 3. The method of claim 1 wherein the switch system comprises a plurality of nodes securely networked together.
  - 4. The method of claim 2 wherein the first and second access systems connect to the switch system via different nodes.
  - 5. The method of claim 1 further comprising the switch system performing the step of:
    - using a switch system private key, in conjunction with an access system using a corresponding switch system public key, to authenticate the switch system to the access system.
  - 6. The method of claim 1 wherein the first and second cryptographically secure connections are each implemented by encrypting the data at a layer selected from the group comprising an application layer, a presentation layer, and a session layer of the Open Systems Interconnection reference model.
  - 7. The method of claim 6 wherein the first and second cryptographically secure network connections are each formed using at least one encryption key from a group comprising a symmetric key, an asymmetric key, and a symmetric session key encrypted with an asymmetric key.
  - 8. The method of claim 1 wherein the data is encrypted with at least one encryption key for which the switch system does not have access to the encryption key'"'"'s corresponding decryption key.
  - 9. The method of claim 1 wherein the data comprises at least one from the group comprising:
    - a digest of at least a portion of the data; and
      
      a digital signature of the first access system.
  - 10. The method of claim 1 further comprising the switch system performing the step of storing at least one of the group comprising the data, a digest of at least a portion of the data, and a digital signature.
  - 11. The method of claim 10 further comprising the switch system performing the step of time-stamping at least one of the group comprising the data, a digest of at least a portion of the data, and a digital signature of the first access system.
  - 12. The method of claim 1 wherein the switch system interfaces with an application which utilizes the data exchanged between the first and second access systems.
  - 13. The method of claim 1 wherein at least one of the first and second access systems connects to the switch system via an application proxy.
  - 14. The method of claim 13 wherein the application proxy processes data initiated from an access system and data intended for the access system based upon predefined policies.
  - 15. The method of claim 14 wherein the policies for the application proxy are set by the access system.
  - 17. The system of claim 16 wherein the key module is further adapted to perform the step of:
    - issuing a private-public key pair to an access system.
  - 18. The system of claim 16 wherein the authentication module is further adapted to perform the step of:
    - using a switch system private key, in conjunction with an access system using a corresponding switch system public key, to authenticate the switch system to the access system.
  - 19. The system of claim 16 wherein the cryptographically secure network connection is implemented by encrypting the data at a layer selected from the group comprising an application layer, a presentation layer, and a session layer of the Open Systems Interconnection reference model.
  - 20. The system of claim 19 wherein the cryptographically secure network connections are formed using at least one encryption key from the group comprising a symmetric key, an asymmetric key, and a symmetric session key encrypted with an asymmetric key.
  - 21. The system of claim 16 wherein the data is encrypted with at least one encryption key for which the switch system does not have access to the encryption key'"'"'s corresponding decryption key.
  - 22. The system of claim 16 wherein the node further comprises:
    - a computer-readable medium for storing at least one of the group comprising the data, a digest of at least a portion of the data, and a digital signature of an access system.
  - 23. The system of claim 16 wherein the node further comprises:
    - a tracking module for time-stamping and storing at least one of the group comprising the data, a digest of at least a portion of the data, and a digital signature of an access system.
  - 24. The system of claim 16 wherein the node further comprises:
    - an interface module for interfacing with a network application to provide a service in conjunction with the data transferred via the switch system.
  - 25. The system of claim 16 further comprising a plurality of nodes securely networked together.
  - 26. The system of claim 16 further comprising:
    - an application proxy for processing the data initiated from an access system and data intended for the access system based upon predefined policies.
  - 28. The system of claim 27 wherein the key module is further adapted to perform the step of:
    - generating a private-public key pair for the user.
  - 29. The system of claim 27 wherein the authentication module is further adapted to perform the step of:
    - using a switch system public key, in conjunction with the switch system using a corresponding switch system private key, to authenticate the switch system to the access system.
  - 30. The system of claim 27 wherein the cryptographically secure network connection is implemented by encrypting the data at a layer selected from the group comprising an application layer, a presentation layer, and a session layer of the Open Systems Interconnect reference model.
  - 31. The system of claim 30 wherein the cryptographically secure network connections are formed using at least one encryption key from the group comprising a symmetric key, an asymmetric key, and a symmetric session key encrypted with an asymmetric key.
  - 32. The system of claim 27 wherein the data is encrypted with at least one encryption key for which the switch system does not have access to the encryption key'"'"'s corresponding decryption key.
  - 33. The system of claim 27 wherein the secure network connection module is further adapted for generating at least one of the group comprising a digest of at least a portion of the data and a digital signature of the access system.
  - 34. The system of claim 27 wherein the access system is implemented in a secure-network-connection application proxy.
  - 35. The system of claim 34 wherein the secure-network-connection application proxy is accessed by more than one client system.
  - 36. The system of claim 34 wherein the secure-network-connection application proxy processes data initiated from a client system and data intended for the client system based upon predefined policies.
  - 37. The system of claim 27 wherein the access system is implemented in a secure-network-connection enabled application.
  - 38. The system of claim 27 wherein the access system is implemented through a set of application program interfaces.
  - 40. The computer readable medium of claim 39 wherein the switch system issues to an access system the access system'"'"'s private-pubic key pair.
  - 41. The computer readable medium of claim 39 wherein the switch system comprises a plurality of nodes securely networked together.
  - 42. The computer readable medium of claim 41 wherein the first and second access systems connect to the switch system via different nodes.
  - 43. The computer readable medium of claim 39 farther comprising program code adapted to perform the step of:
    - using a switch system private key, in conjunction with an access system using a corresponding switch system public key, to authenticate the switch system to the access system.
  - 44. The computer readable medium of claim 39 wherein the first and second cryptographically secure connections are each implemented by encrypting the data at a layer selected from the group comprising an application layer, a presentation layer, and a session layer of the Open Systems Interconnection reference model.
  - 45. The computer readable medium of claim 44 wherein the first and second cryptographically secure network connections are each formed using at least one encryption key from the group comprising a symmetric key, an asymmetric key, and a symmetric session key encrypted with an asymmetric key.
  - 46. The computer readable medium of claim 39 wherein the data is encrypted with at least one encryption key for which the switch system does not have access to the encryption key'"'"'s corresponding decryption key.
  - 47. The computer readable medium of claim 39 wherein the data further comprises at least one from the group comprising:
    - a digest of at least a portion of the data; and
      
      a digital signature of the first access system.
  - 48. The computer readable medium of claim 39 further comprising program code adapted to perform the step of:
    - storing at least one of the group comprising the data, a digest of at least a portion of the data, and a digital signature.
  - 49. The computer readable medium of claim 48 further comprising program code adapted to perform the step of:
    - time-stamping at least one of the group comprising the data, a digest of at least a portion of the data, and a digital signature of the first access system.
  - 50. The computer readable medium of claim 39 wherein the switch system interfaces with an application which utilizes the data exchanged between the first and second access Systems.
  - 51. The computer readable medium of claim 39 wherein at least one of the first and second access systems connects to the switch system via an application proxy.
  - 52. The computer readable medium of claim 51 wherein the application proxy processes data initiated from an access system and data intended for the access system based upon predefined policies.
  - 53. The computer readable medium of claim 52 wherein the policies for the application proxy are set by the access system.

16. A switch system for establishing a secure network connection between at least two access systems, the switch system comprising:
- at least one node comprising;
  
  a key module for associating each access system with a public key from a private-public key pair associated with said access system;
  
  an authentication module, coupled to the key manager module, for using an access system'"'"'s public key, in conjunction with the access system using its private key, to authenticate the access system; and
  
  a secure network module, coupled to the authentication module, for establishing a cryptographically secure network connection between the switch system and an authenticated access system, whereby data is received from a first access system via a first secure connection and transmitted to a second access system via a second secure connection.

27. An access system for establishing a cryptographically secure connection to a switch system, the access system comprising:
- a key module for accessing a private-public key pair of a user of the access system;
  
  an authentication module, coupled to the key module, for authenticating to the switch system using the private-public key pair; and
  
  a secure network connection module, coupled to the authentication module, for establishing a cryptographically secure connection between the switch system and the access system, wherein data is transmitted to and received data from the switch system via the cryptographically secure connection.

39. In a computer-readable medium, a computer program product for creating a cryptographically secure network between at least two access systems, the computer-readable medium comprising program code adapted to perform the steps of:
- associating each of a plurality of access systems with a public key from a private-public key pair associated with said access system;
  
  in response to a request from a first access system to transmit data to a second access system;
  
  authenticating the first access system using the public key associated with the first access system;
  
  forming a first cryptographically secure network connection between the authenticated first access system and the switch system;
  
  accepting data from the authenticated first access system via the first cryptographically secure network connection;
  
  authenticating the second access system using the public key associated with the second access system;
  
  forming a second cryptographically secure network connection between the authenticated second access system and the switch system; and
  
  transmitting the data to the authenticated second access system via the second cryptographically secure network connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Message Secure Corp. (BAE Systems Plc)
Original Assignee
Message Secure Corp. (BAE Systems Plc)
Inventors
Kitson, Mark E., Toh, Eng-Whatt, Teo, Kok-Hoon, Yip, See-Wai, Wong, Chee-Hong

Application Number

US09/978,113
Publication Number

US 20020019932A1
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 2211/008   Public Key, Asymmetric Key,...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0442   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 9/0894   Escrow, recovery or storing...

Cryptographically secure network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

144 Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographically secure network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links