Method for implementing secure corporate Communication

US 20040268148A1
Filed: 06/30/2003
Published: 12/30/2004
Est. Priority Date: 06/30/2003
Status: Active Grant

First Claim

Patent Images

1. A method for implementing secure communication, comprising:

(a) receiving instructions to initiate a process for creating a secure communication link to a remote device via a publicly accessible network;

(b) determining in response to the instructions received in step (a), whether at least one local application program used to create the secure communication link is configured;

(c) initiating, based on the instructions received in step (a), a second process for accessing a database over the publicly accessible network;

(d) receiving, in response to step (c) and if the at least one local application program is not configured, configuration information for the at least one program;

(e) configuring the at least one program based upon the configuration information received in step (d); and

(i) creating the secure communication link based on the configuration.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile or other device connects to a server via a publicly accessible network such as the Internet. After installation upon the device, a virtual private network (VPN) client connects to the server and downloads a VPN profile. In one embodiment the device creates public/private key pairs and requests enrollment of a digital certificate. In another embodiment a digital certificate and public/private key pairs are provided. The device also receives a digital certificate from the server and verifies the server certificate by requesting the user to supply a portion of a fingerprint for the certificate. The invention further includes an automatic content updating (ACU) client that downloads a user profile for the VPN, requests certificate enrollment, and updates the VPN client and other applications when new content is available. A security service manager (SSM) server includes, or is in communication with, a Web server, multiple databases, an enrollment gateway and an internal certification authority (CA). A VPN policy manager application creates and manages VPN profiles and/or policies and communicates with the SSM server. The SSM server, which may reside on an enterprise intranet, may further communicate with one or more external CAs.

395 Citations

48 Claims

1. A method for implementing secure communication, comprising:
- (a) receiving instructions to initiate a process for creating a secure communication link to a remote device via a publicly accessible network;
  
  (b) determining in response to the instructions received in step (a), whether at least one local application program used to create the secure communication link is configured;
  
  (c) initiating, based on the instructions received in step (a), a second process for accessing a database over the publicly accessible network;
  
  (d) receiving, in response to step (c) and if the at least one local application program is not configured, configuration information for the at least one program;
  
  (e) configuring the at least one program based upon the configuration information received in step (d); and
  
  (i) creating the secure communication link based on the configuration.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 29, 40)
- - 2. The method of claim 1, wherein:
    - the secure communication link is a VPN connection, and the information received in step (d) comprises at least one of a public/private key pair and a certificate.
  - 3. The method of claim 1, further comprising:
    - (g) determining whether an update to the at least one application program is available;
      
      (h) receiving the update; and
      
      (i) implementing the update.
  - 4. The method of claim 1, wherein:
    - the secure communication link is a VPN connection, step (b) comprises determining if a client certificate is present, step (c) comprises, if a client certificate is not present, requesting enrollment of a client certificate, and step (d) comprises receiving a client certificate.
  - 5. The method of claim 1, wherein step (d) comprises receiving a generic VPN policy without PKI data, and further comprising:
    - (g) generating PKI data and a corresponding certificate enrollment request;
      
      (h) sending the certificate enrollment request to the remote device for forwarding to an external certification authority (CA); and
      
      (i) receiving a certificate.
  - 6. The method of claim 4, wherein the received client certificate is enrolled, in cooperation with an internal corporate certification authority, with an external certification authority.
  - 7. The method of claim 1, wherein step (c) comprises initiating an automatic content update (ACU) application.
  - 8. The method of claim 7, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and further comprising:
    - (g) determining whether an update is available for at least one of the additional application programs; and
      
      (h) receiving an update for the at least one additional application program.
  - 9. The method of claim 7, wherein the ACU application communicates with the remote device and other remote device on behalf other application programs.
  - 10. The method of claim 7, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and further comprising:
    - (g) fetching from the remote device content or content metadata applicable to at least one of the additional application programs; and
      
      (h) '"'"'storing, by the at least one additional application program, the fetched content or content metadata.
  - 11. The method of claim 7, wherein the ACU application communicates using a SyncML protocol.
  - 12. The method of claim 7, further comprising:
    - (g) storing, in a configuration record for at least one application, an Internet Access Point (IAP) to be used when communicating with a remote device on behalf of the at least one application.
  - 13. The method of claim 7, wherein the ACU application communicates using a simple request-response protocol, and wherein a protocol transaction consists of a single request-response pair.
  - 14. The method of claim 7, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and further comprising:
    - (g) fetching from the remote device content metadata applicable to at least one of the additional application programs;
      
      (h) comparing fetched metadata to locally stored metadata; and
      
      (i) fetching new or updated content from the remote device based upon the comparison.
  - 15. The method of claim 14, wherein the ACU application includes in fetch requests in steps (g) and (i) content identifications (IDs) required by the remote device.
  - 16. The method of claim 7, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and further comprising:
    - (g) fetching, from multiple databases in the remote device, metadata about multiple types of content.
  - 17. The method of claim 7, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and the ACU application transmits requests containing properties used by the remote device to filter requests.
  - 18. The method of claim 7, wherein messages generated by the ACU application and communicated to the remote device include a message identifier, a target database identifier, and a security level.
  - 19. The method of claim 18, wherein a first security level is required to receive configuration information for the at least one program and a second security level is required to receive another type of information.
  - 20. The method of claim 18, wherein at least one message generated by the ACU application includes an element indicating that a message is the last message relating to a specific task.
  - 21. The method of claim 18, wherein the ACU application requests configuration information in a single message.
  - 22. The method of claim 7 further comprising, upon receipt of a first response from the remote device:
    - (g) validating and storing a returned certificate to create a trust relationship with the remote device.
  - 23. The method of claim 22, further comprising:
    - (h) using the returned certificate to validate subsequent responses from the remote device.
  - 24. The method of claim 23, wherein:
    - the returned certificate is validated based on a hash calculated over the entire ACU message resulting in the first response from the remote device, except for a signature element of the ACU message, the hash is signed with a private key held by the remote device, and the corresponding certificate is included in the first response and is used by the recipient to verify the signature and identify and authenticate the sender.
  - 29. The device of claim 1, wherein step (d) comprises receiving a generic VPN policy without PKI data, and wherein the processor is further configured to perform steps comprising:
    - (g) generating PKI data and a corresponding certificate enrollment request;
      
      (h) sending the certificate enrollment request to the remote device for forwarding to an external certification authority (CA); and
      
      (i) receiving a certificate.
  - 40. The device of claim 7, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and wherein the processor is further configured to perform steps comprising:
    - (g) fetching, from multiple databases in the remote device, metadata about multiple types of content.

25. A device for secure communication with a server via a publicly accessible network, comprising:
- an interface to a publicly accessible network; and
  
  a processor configured to perform steps comprising;
  
  (a) receiving instructions to initiate a process for creating a secure communication link to a remote device via a publicly accessible network;
  
  (b) determining, in response to the instructions received in step (a), whether at least one local application program used to create the secure communication link is configured;
  
  (c) initiating, based on the instructions received in step (a), a second process for accessing a database over the publicly accessible network;
  
  (d) receiving, in response to step (c) and if the at least one local application program is not configured, configuration information for the at least one program;
  
  (e) configuring the at least one program based, upon the configuration information received in step (d); and
  
  (f) creating the secure communication link based on the configuration.
- View Dependent Claims (26, 27, 28, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 41, 42, 43, 44, 45, 46, 47)
- - 26. The device of claim 25, wherein:
    - the secure communication link is a VPN connection, and the information received in step (d) comprises at least one of a public/private key pair and a certificate.
  - 27. The device of claim 25, wherein the processor is further configured to perform steps comprising:
    - (g) determining whether an update to the at least one application program is available;
      
      (h) receiving the update; and
      
      (i) implementing the update.
  - 28. The device of claim 25, wherein:
    - the secure communication link is a VPN connection, step (b) comprises determining if a client certificate is present, step (c) comprises, if a client certificate is not present, requesting enrollment of a client certificate, and step (d) comprises receiving a client certificate.
  - 30. The device of claim 28, wherein the received client certificate is enrolled, in cooperation with an internal corporate certification authority, with an external certification authority.
  - 31. The device of claim 25, wherein step (c) comprises initiating an automatic content update (ACU) application.
  - 32. The device of claim 31, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and wherein the processor is further configured to perform steps comprising:
    - (g) determining whether an update is available for at least one of the additional application programs; and
      
      (h) receiving an update for the at least one additional application program.
  - 33. The device of claim 31, wherein the ACU application communicates with the remote device and other remote device on behalf other application programs.
  - 34. The device of claim 31, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and wherein the processor is further configured to perform, steps comprising:
    - (g) fetching from the remote device content or content metadata applicable to at least one of the additional application programs; and
      
      (h) storing, by the at least one additional application program, the fetched content or content metadata.
  - 35. The device of claim 31, wherein the ACU application communicates using a SyncML protocol.
  - 36. The device of claim 31, wherein the processor is further configured to perform steps comprising:
    - (g) storing, in a configuration record for at least one application, an Internet Access Point (IAP) to be used when communicating with a remote device on behalf of the at least one application.
  - 37. The device of claim 31, wherein the ACU application communicates using a simple request-response protocol, and wherein a protocol transaction consists of a single request-response pair.
  - 38. The device of claim 31, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and wherein the processor is further configured to perform steps comprising:
    - (g) fetching from the remote device content metadata applicable to at least one of the additional application programs;
      
      (h) comparing fetched metadata to locally stored metadata; and
      
      (i) fetching new or updated content from the remote device based upon the comparison.
  - 39. The device of claim 38, wherein the ACU application includes in fetch requests in steps (g) and (i) content identifications (IDs) required by the remote device.
  - 41. The device of claim 31, wherein the ACU application contains information about application programs in addition to the at least one local application program used to create the secure communication link, and the ACU application transmits requests containing properties used by the remote device to filter requests.
  - 42. The device of claim 31, wherein messages generated by the ACU application and communicated to the remote device include a message identifier, a target database identifier, and a security level.
  - 43. The device of claim 42, wherein a first security level is required to receive configuration information for the at least one program and a second security level is required to receive another type of information.
  - 44. The device of claim 42, wherein at least one message generated by the ACU application includes an element indicating that a message is the last message relating to a specific task.
  - 45. The device of claim 42, wherein the ACU application requests configuration information in a single message.
  - 46. The device of claim 31, wherein the processor is further configured to perform steps comprising, upon receipt of a first response from the remote device:
    - (g) validating and storing a returned certificate to create a trust relationship with the remote device.
  - 47. The device of claim 46, wherein the processor is further configured to perform steps comprising:
    - (h) using the returned certificate to validate subsequent responses from the remote device.

48. A server, comprising:
- an interface to a publicly accessible network; and
  
  a processor configured to perform steps comprising;
  
  (a) receiving requests from multiple users for configuration information for locally stored application programs used to create secure communication links to the server, the users being organized in a hierarchy of child, parent and grandparent groups, each group having a corresponding set of secure communication configuration data accessible by the server, each child group inheriting properties from its parent group, each parent group inheriting properties its grandparent group;
  
  (b) storing content associated with the groups, with information associated with a particular group being accessible to the particular group and to groups inheriting properties from the particular group;
  
  (b) providing configuration information to the users, the configuration information provided to each user comprising the configuration data set for each group from which the user inherits properties;
  
  (c) receiving requests from the users for content corresponding to other locally stored application programs; and
  
  (d) providing information to the users of a child group based on the groups from which the child group inherits properties.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
WSOU Investments, LLC (WSOU Holdings, LLC)
Original Assignee
Nokia, Inc. (Nokia Corporation)
Inventors
Karjala, Jari, Palojarvi, Jari

Granted Patent

US 7,448,080 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/0806   for initial configuration o...

H04L 41/082   the condition being updates...

H04L 41/0856   by backing up or archiving ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0272   Virtual private networks

H04L 63/0442   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

H04L 63/168   above the transport layer

H04L 67/14   Session management for real...

Y10S 379/901   Virtual networks or virtual...

Method for implementing secure corporate Communication

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

395 Citations

48 Claims

Specification

Use Cases

Quick Links

Others

Method for implementing secure corporate Communication

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

395 Citations

48 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others