System and Method for Secure Message-Oriented Network Communications

US 20030202663A1
Filed: 04/29/2003
Published: 10/30/2003
Est. Priority Date: 04/30/2002
Status: Active Grant

First Claim

Patent Images

1. A method for secure message-oriented communications between nodes in a network, comprising the steps of:

deploying at least one key authority within the network;

deploying a plurality of rendezvous peers in the network having a, plurality of nodes;

establishing an open pull protocol connection between each node of the network and a single rendezvous peer; and

exchanging messages between the nodes of the network via rendezvous peers using public key infrastructure techniques.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a message-oriented middleware solution for securely transmitting messages and files across public networks unencumbered by intervening network barriers implemented as security measures. It also provides a dynamic, dedicated, application level VPN solution that is facilitated by the message-oriented middleware. Standard encryption algorithms are used to minimize the threat of eavesdropping and an Open-Pull Protocol (OPP) that allows target nodes to pull and verify the credentials of requestors prior to the passing of any data. Messaging can be segregated into multiple and distinct missions that all share the same nodes. The security network'"'"'s architecture is built to resist and automatically recover from poor, slow, and degrading communications channels. Peers are identifiable by hardware appliance, software agent, and personally identifiable sessions. The security network provides a dynamic, private transport for sensitive data over existing non-secure networks without the overhead and limited security associated with traditional VPN solutions.

50 Citations

View as Search Results

28 Claims

1. A method for secure message-oriented communications between nodes in a network, comprising the steps of:
- deploying at least one key authority within the network;
  
  deploying a plurality of rendezvous peers in the network having a, plurality of nodes;
  
  establishing an open pull protocol connection between each node of the network and a single rendezvous peer; and
  
  exchanging messages between the nodes of the network via rendezvous peers using public key infrastructure techniques.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the step of deploying at least one key authority comprises:
    - generating a set of public-private key pairs and a uniform resource identifier;
      
      associating the generated public-private key pair and uniform resource identifier with the at least one key authority;
      
      notifying all other known key authorities in the network about the network introduction of the at least one key authority, including the associated public-private key pair and the uniform resource identifier; and
      
      initializing the at least one key authority and making a persistent tunnel connection to all rendezvous peers in the network from the at least one rendezvous peer.
  - 3. The method of claim 2, wherein the step of generating and associating the public-private key is performed manually by a user.
  - 4. The method of claim 2, wherein the step of generating and associating the public-private key is performed automatically by another existing key authority.
  - 5. The method of claim 2, further comprising enabling an automatic exchange of public keys using an auto reciprocate feature.
  - 6. The method of claim 2, wherein a persistent tunnel connection requested by a public network user node is established by a key authority and a secure access gateway on the protected side of a firewall.
  - 7. The method of claim 2, wherein the key authorities limit user access to approved applications.
  - 8. The method of claim 1, wherein the step of deploying a plurality of rendezvous peers in the network comprises:
    - for each deploying rendezvous peer, generating and associating a uniform resource identifier, an IP address, and a list of other rendezvous peers to be used a cross-geographic message gateways, by a nearest key authority in the network;
      
      notifying all known key authorities in the network about the network introduction of the each deploying rendezvous peer, including the associated IP address and the uniform resource identifier; and
      
      initializing each deploying rendezvous peer and making a persistent tunnel connection between each rendezvous peer and a nearest key authority in the network.
  - 9. The method of claim 1, wherein the step of establishing an open pull protocol connection between each node of the network and a single rendezvous peer comprises:
    - manually updating a key authority with each associated node public key and fully qualified identification;
      
      installing an initial configuration on each node including credentials of a fully qualified uniform resource identifier, a public key, a private key, an associated key authority identification, the public key of the associated key authority, an associated upline network vulnerability scanner, a list of known rendezvous peers, and a list of subscriptions;
      
      initializing each node of the network;
      
      determining a best rendezvous peer to associate with each node from a list of known rendezvous peers;
      
      making a connection between each node and the associated best rendezvous peer and upline network vulnerability scanner;
      
      providing credentials of each node to its associated rendezvous peer;
      
      validating a key authority associated with each node, whereby the key authority associated with each node is the same as that of the node'"'"'s associated rendezvous peer;
      
      providing a two way messaging gateway by the associated rendezvous peer of each node; and
      
      requesting an update by each rendezvous peer from its associated key authority.
  - 10. The method of claim 1, wherein the step of exchanging messages between the nodes of the network comprises:
    - granting access to a first user from a second user by the first user associated key authority;
      
      making an open pull protocol connection by the first user to the first user associated rendezvous peer;
      
      making an open pull protocol connection by the second user to the second user associated rendezvous peer;
      
      requesting and receiving the first user public key by the second user;
      
      encrypting and sending a message by the second to the first user via the second user associated rendezvous peer;
      
      receiving the message by the first user associated rendezvous peer; and
      
      forwarding the message to the first user by the first user associated rendezvous peer.
  - 11. The method of claim 1, wherein the step of exchanging messages between the nodes of the network further includes exchanging messages via a secure channel, the exchanging step comprising:
    - making a open pull protocol connection to a first user associated rendezvous peer by a first user;
      
      sending a connection request for a second user to a second user associated key authority by the first user;
      
      verifying the credentials of the first user by the second user associated key authority;
      
      sending a message to a second user by the second user associated key authority to open a listener for the first user with first user'"'"'s public key;
      
      sending a message to a second user associated rendezvous peer to open a tunneled port to the second user;
      
      confirming an open tunneled port to the second user associated key authority;
      
      sending notification of a forwarded service offering to first user, including IP address port number opened, and authentication token;
      
      starting an internal listener on a loop back interface and a user application by the first user;
      
      connecting the user application to the second user associated rendezvous peer; and
      
      transferring encrypted network traffic through the established secure channel between the first user application and the second user.
  - 12. The method of claim 1, wherein the step of exchanging messages between the nodes of the network is selected from the group consisting of exchanging messages between a node and users, exchanging messages between a node and network scanners, exchanging messages between a node and rendezvous clients, exchanging messages between a node and key authorities, exchanging messages between a node and access gateways, and exchanging messages between a node and message consolidators.
  - 13. The method of claim 1, wherein the step of exchanging messages between the nodes of the network is selected from the group consisting of exchanging messages over a non-secure message channel and exchanging messages over a secure message channel.
  - 14. The method of claim 1, further comprising establishing subscriptions for specifying how matching messages are transported to requesting network nodes.
  - 15. The method of claim 14, wherein each subscription is selected from the group consisting of volatile subscriptions, permanent subscriptions, and fallback subscriptions.
  - 16. A computer-readable medium containing instructions for controlling a network to implement the method of claim 1.

17. A system for secure message-oriented communications between nodes in a network, comprising:
- means for deploying at least one key authority within the network;
  
  means for deploying a plurality of rendezvous peers in the network having a plurality of nodes;
  
  means for establishing an open pull protocol connection between each node of the network and a single rendezvous peer; and
  
  means for exchanging messages between the nodes of the network via rendezvous peers using public key infrastructure techniques.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17, wherein the means for establishing an open pull protocol connection and the means for exchanging messages between the nodes comprises a security network transport layer comprising a Message Warehouse Listener, Message Warehouse, Message Warehouse Manager, Subscription Manager, Subscription Cache, Relay Queue, Relay Gun, Router Daemon, Routing Queue, RVP Gun, Signature Checker, Cryptor, RVP Cache, RVP Cache Manager, Public Key storage, Key Manager, and one or more Secondary Communications Gateways.
  - 19. The system of claim 17, wherein each node in the network includes a security network transport layer for establishing an open pull protocol connection and exchanging messages between the nodes.
  - 20. The system of claim 17, wherein each network node is selected from the group consisting of a user, a network vulnerability scanner, a rendezvous peer, a security access gateway, a threat receiver, a master consolidator, and a key authority.
  - 21. The system of claim 17 wherein the network includes firewalls and cross-geographic gateways.

22. A method for secure message-oriented communications between nodes in a network, comprising the steps of:
- establishing a publish-subscribe network of peer nodes;
  
  communicating between peer nodes using key authorities as validation instruments;
  
  securely connecting all nodes of the network using open pull protocol connections to connect each node of the network to a single rendezvous peer;
  
  providing a key authority of a requestor node for validation of connection rights; and
  
  when validated, enabling secure communication of messages between a node and all other validated nodes of the network provided public keys are properly exchanged.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The method of claim 22, wherein the key authorities automatically facilitate exchange of public keys.
  - 24. The method of claim 22, wherein the connected nodes subscribe to channels on a rendezvous peer.
  - 25. The method of claim 22, wherein all messages are passed by either a discrete or broadcast channel.
  - 26. The method of claim 22, further comprising security access gateways for limiting access to predetermined applications.
  - 27. The method of claim 22, wherein each message includes a signature of a sender and each message header includes a field for designating a message originator.
  - 28. The method of claim 27, wherein the signature must match the public key of the sender for validation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Threatguard, Inc.
Original Assignee
Threatguard, Inc.
Inventors
Hollis, Robert L., Engelbach, R. Gunnar, Taylor, Randal S.

Granted Patent

US 6,959,393 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/282
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/166   at the transport layer

System and Method for Secure Message-Oriented Network Communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Secure Message-Oriented Network Communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links