Mobile security architecture

US 20040221154A1
Filed: 05/02/2003
Published: 11/04/2004
Est. Priority Date: 05/02/2003
Status: Active Grant

First Claim

Patent Images

1. A security management and secure transport system comprising:

a security agent node group (SANG) having at least one security agent node (SAN), and a transport agent node group (TANG) having at least one transport agent node (TAN), wherein;

a security subscriber unit (SSU) communicates with the SANG over a non-secure link to establish a first session key at the SSU;

the SAN communicates with the TANG to establish the first session key at the TANG; and

the SSU communicates with the TANG over a secure link based on the first session key.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security and mobility overlay architecture (SAMOA) includes security management and secure transport functions for fixed or mobile security subscriber units (SSUs). SSUs within SAMOA are authenticated, authorized, and provided with shared session keys by the security management function. The keys allow each SSU to communicate with the secure transport network, which provides secure connections to other SSUs. Because shared-key, rather than public-key session keys are preferably used, the problems associated with public-key certificate authorities and hierarchies are avoided. The security management function and the secure transport network can be layered efficiently on top of existing Internet protocol (IP) networks and are thus applicable to a wide range of systems that support IP, including 3G wireless, wireless LANs (e.g., 802.11x), wired LANs, and dial-up networks.

Citations

28 Claims

1. A security management and secure transport system comprising:
- a security agent node group (SANG) having at least one security agent node (SAN), and a transport agent node group (TANG) having at least one transport agent node (TAN), wherein;
  
  a security subscriber unit (SSU) communicates with the SANG over a non-secure link to establish a first session key at the SSU;
  
  the SAN communicates with the TANG to establish the first session key at the TANG; and
  
  the SSU communicates with the TANG over a secure link based on the first session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The invention of claim 1, wherein:
    - the SANG has two or more SANs that are linked to each other via a first secure protocol;
      
      the TANG has two or more TANs that are linked to each other via a second secure protocol.
  - 3. The invention of claim 2, wherein at least one of the first and second secure protocols is IPSEC.
  - 4. The invention of claim 1, wherein at least two SSUs register with the SANG to each establish at least one session key that allows each SSU to securely connect to the TANG and thereby to securely connect to each other.
  - 5. The invention of claim 1, wherein the SANG supports proxy authentication to support virtual private networks.
  - 6. The invention of claim 1, wherein the SANG supports billing for SSU communication sessions.
  - 7. The invention of claim 1, wherein the security management and secure transport system supports secure multicasting.
  - 8. The invention of claim 1, wherein the SANG conveys to the SSU a first method of processing a first shared key that is shared between the SANG and the SSU, wherein the SANG and the SSU independently implement the first method to generate, and thereby establish, based on the first shared key, local copies of the first session key.
  - 9. The invention of claim 8, wherein:
    - the SANG conveys to the TANG a second method of processing a second shared key that is shared between the SANG and the TANG, wherein the SANG and the TANG independently implement the second method to generate, based on the second shared key, local copies of the second session key; and
      
      the SANG establishes a secure communication link to the TANG based on the second session key and conveys the first session key to the TANG over the secure communication link.
  - 10. The invention of claim 8, wherein each of at least two SANs in the SANG has a copy of the first shared key associated with the SSU.
  - 11. The invention of claim 1, wherein TANG is overlaid on a wireless network.
  - 12. The invention of claim 1, wherein at least one TAN maintains at least part of a hash table to facilitate routing in the TANG, wherein the at least one TAN maintains an entry in the hash table for at least one SSU that is currently connected to the TAN.
  - 13. The invention of claim 1, wherein the SSU registers with the SANG via an initial access node (IAN).
  - 14. The invention of claim 13, wherein the SANG is adapted to approve registration of the SSU via more than one IAN at a time.
  - 15. The invention of claim 1, wherein at least one SAN comprises a server running a version of the remote authentication dial-in user services (RADIUS) protocol.
  - 16. The invention of claim 1, wherein at least one SAN in the SANG and the SSU mutually authenticate each other based on a shared key.
  - 17. The invention of claim 1, wherein the system is able to page an idle SSU.
  - 18. The invention of claim 1, wherein a home TAN in the TANG supports forwarding of packets from the home TAN to a current connection agent node (CAN) TAN using a tunneling protocol.
  - 19. The invention of claim 1, wherein the SANG directs a mobile SSU to access the TANG via a single TAN for more than one registration with the system as the mobile SSU moves between access points in the system.
  - 20. The invention of claim 1, wherein at least one TAN in the TANG supports enterprise policy lists.
  - 21. The invention of claim 1, wherein at least one of the TANG and the SANG is reachable by an full host IP layer datagram.
  - 22. The invention of claim 1, wherein the SSU initiates a connection with the system.
  - 23. The invention of claim 1, wherein links between TANs in the TANG are pre-provisioned.
  - 24. The invention of claim 1, wherein, when the TAN receives a packet that is not destined for an SSU, the TAN detunnels the message and passes it to an ordinary internet router for non-secure routing to its destination.

25. A method for security management and secure transport comprising:
- linking one or more security agent nodes (SANs) via a first secure protocol to each other into a security agent node group (SANG), and linking one or more transport agent nodes (TANs) via a second secure, protocol to each other into a transport agent node group (TANG), providing a first shared key to a first security subscriber unit (SSU), wherein the first shared key is known to the SANG, and using the first shared key to establish a first session key that allows the first SSU to securely connect to the TANG.
- View Dependent Claims (26, 27, 28)
- - 26. The invention of claim 25, wherein:
    - the SANG has two or more SANs that are linked to each other via a first secure protocol;
      
      the TANG has two or more TANs that are linked to each other via a second secure protocol;
      
      wherein at least one of the first and second secure protocols is IPSEC.
  - 27. The invention of claim 25, wherein at least two SSUs register with the SANG to each establish at least one session key that allows each SSU to securely connect to the TANG and thereby to securely connect to each other.
  - 28. The invention of claim 25, wherein at least one TAN in the TANG supports enterprise policy lists.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WSOU Investments, LLC (WSOU Holdings, LLC)
Original Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Inventors
Aggarwal, Sudhir

Granted Patent

US 7,506,370 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 2209/80   Wireless

H04L 61/4511   using domain name system [DNS]

H04L 61/5014   using dynamic host configur...

H04L 61/5076   Update or notification mech...

H04L 63/0272   Virtual private networks

H04L 63/0869   for achieving mutual authen...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/0827   involving distinctive inter...

H04L 9/0844   with user authentication or...

H04W 12/50   Secure pairing of devices

H04W 80/00   Wireless network protocols ...

H04W 80/04   Network layer protocols, e....

Mobile security architecture

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile security architecture

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links