Method, apparatus and system for pre-establishing secure communication channels

US 20050102514A1
Filed: 11/10/2003
Published: 05/12/2005
Est. Priority Date: 11/10/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for pre-establishing a secure communication channel comprising the steps of:

detecting one or more trigger events;

determining whether the secure communication channel will be needed in the future; and

establishing the secure communication channel before the secure communication channel is needed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method, apparatus and system for pre-establishing a secure communication channel by detecting one or more trigger events (302), determining whether the secure communication channel will be needed in the future (304) and establishing the secure communication channel before the secure communication channel is needed (308-316). The secure communication channel is established by sending a SA Query (308) and determining whether the SA Query matches one or more security policies (310). If the SA Query matches the one or more security policies, the present invention determines whether the SA Query matches a SA (314). If the SA Query does not match the SA, a SA is negotiated (318) and a SA Query successful message is returned (316). This method can be implemented as a computer program embodied on a computer readable medium wherein each step is executed by one or more code segments.

Citations

50 Claims

1. A method for pre-establishing a secure communication channel comprising the steps of:
- detecting one or more trigger events;
  
  determining whether the secure communication channel will be needed in the future; and
  
  establishing the secure communication channel before the secure communication channel is needed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein the one or more trigger events include a registration request, an attachment of a client or an expected attachment of a client.
  - 3. The method as recited in claim 1, wherein the step of determining whether the secure communication channel will be needed in the future is based on a user profile or historical data.
  - 4. The method as recited in claim 1, wherein the secure communication channel is needed whenever a control packet or payload packet is received that relates to the one or more trigger events and matches one or more security policies.
  - 5. The method as recited in claim 1, further comprising the step of storing an indication that the secure communication channel has been established.
  - 6. The method as recited in claim 1, further comprising the steps of:
    - receiving a control or payload packet;
      
      determining whether the received packet is associated with the pre-established secure communication channel; and
      
      sending the received packet using the pre-established secure communication channel whenever the received packet is associated with the pre-established secure communication channel.
  - 7. The method as recited in claim 1, wherein the step of establishing the secure communication channel comprises the steps of:
    - sending a security association query (“
      
      SA Query”
      
      ) to a packet security protocol instance, the SA Query comprising a message indicating that a security association is needed;
      
      receiving a SA Query successful message from the packet security protocol instance whenever the secure communication channel has been established; and
      
      receiving a SA Query failure message from the packet security protocol instance whenever the secure communication channel has not been set up.
  - 8. The method as recited in claim 7, wherein the packet security protocol instance is an IPsec protocol instance.
  - 9. The method as recited in claim 7, wherein the SA Query includes a set of packet selectors comprising:
    - a source address;
      
      a destination address;
      
      a protocol;
      
      a source port; and
      
      a destination port.
  - 10. The method as recited in claim 7, wherein the secure communication channel is for control packets only, payload packets only, or both control and payload packets.

11. A method for pre-establishing a secure communication channel comprising the steps of:
- receiving a security association query (“
  
  SA Query”
  
  ) from a privileged application, the SA Query comprising a message indicating that a security association is needed;
  
  determining whether the SA Query matches one or more security policies;
  
  determining whether the SA Query matches a security association whenever the SA Query matches the one or more security policies;
  
  sending a SA Negotiation Request to a key management exchange whenever the SA Query does not match the security association;
  
  sending a SA Query successful message to the privileged application indicating that the secure communication channel has been pre-established whenever the SA Query matches the security association or a negotiated SA pair is received from the key management exchange; and
  
  sending a SA Query failure message to the privileged application whenever the SA Query does not match the one or more security policies or a negotiation failure message is received from the key management exchange.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method as recited in claim 11, wherein the privileged application is a management application.
  - 13. The method as recited in claim 11, wherein the privileged application is a packet data serving node (“
    - PDSN”
      
      ).
  - 14. The method as recited in claim 11, wherein the security policies are stored in security policies database (“
    - SPD”
      
      ).
  - 15. The method as recited in claim 11, wherein the security associations are stored in a security association database (“
    - SAD”
      
      ).
  - 16. The method as recited in claim 11, wherein the key management exchange is an Internet key exchange (“
    - IKE”
      
      ).

17. A computer program embodied on a computer readable medium for pre-establishing a secure communication channel comprising:
- a code segment for detecting one or more trigger events;
  
  a code segment for determining whether the secure communication channel will be needed in the future; and
  
  a code segment for establishing the secure communication channel before the secure communication channel is needed.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The computer program as recited in claim 17, wherein the one or more trigger events include a registration request, an attachment of a client or an expected attachment of a client.
  - 19. The computer program as recited in claim 17, wherein the code segment for determining whether the secure communication channel will be needed in the future is based on a user profile or historical data.
  - 20. The computer program as recited in claim 17, wherein the secure communication channel is needed whenever a control packet or payload packet is received that relates to the one or more trigger events and matches one or more security policies.
  - 21. The computer program as recited in claim 17, further comprising a code segment for storing an indication that the secure communication channel has been established.
  - 22. The computer program as recited in claim 17, further comprising:
    - a code segment for receiving a control or payload packet;
      
      a code segment for determining whether the received packet is associated with the pre-established secure communication channel; and
      
      a code segment for sending the received packet using the pre-established secure communication channel whenever the received packet is associated with the pre-established secure communication channel.
  - 23. The computer program as recited in claim 17, wherein the code segment for establishing the secure communication channel comprises:
    - a code segment for sending a security association query (“
      
      SA Query”
      
      ) to a packet security protocol instance, the SA Query comprising a message indicating that a security association is needed;
      
      a code segment for receiving a SA Query successful message from the packet security protocol instance whenever the secure communication channel has been established; and
      
      a code segment for receiving a SA Query failure message from the packet security protocol instance whenever the secure communication channel has not been set up.
  - 24. The computer program as recited in claim 23, wherein the packet security protocol instance is an IPsec protocol instance.
  - 25. The computer program as recited in claim 23, wherein the SA Query includes a set of packet selectors comprising:
    - a source address;
      
      a destination address;
      
      a protocol;
      
      a source port; and
      
      a destination port.
  - 26. The computer program as recited in claim 23, wherein the secure communication channel is for control packets only, payload packets only, or both control and payload packets.

27. A computer program embodied on a computer readable medium for pre-establishing a secure communication channel comprising:
- a code segment for receiving a security association query (“
  
  SA Query”
  
  ) from a privileged application, the SA Query comprising a message indicating that a security association is needed;
  
  a code segment for determining whether the SA Query matches one or more security policies;
  
  a code segment for determining whether the SA Query matches a security association whenever the SA Query matches the one or more security policies;
  
  a code segment for sending a SA Negotiation Request to a key management exchange whenever the SA Query matches the security association;
  
  a code segment for sending a SA Query successful message to the privileged application indicating that the secure communication channel has been pre-established whenever the SA Query matches the security association or a negotiated SA pair is received from the key management exchange; and
  
  a code segment for sending a SA Query failure message to the privileged application whenever the SA Query does not match the one or more security policies or a negotiation failure message is received from the key management exchange.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The computer program as recited in claim 27, wherein the privileged application is a management application.
  - 29. The computer program as recited in claim 27, wherein the privileged application is a packet data serving node (“
    - PDSN”
      
      ).
  - 30. The computer program as recited in claim 27, wherein the security policies are stored in security policies database (“
    - SPD”
      
      ).
  - 31. The computer program as recited in claim 27, wherein the security associations are stored in a security association database (“
    - SAD”
      
      ).
  - 32. The computer program as recited in claim 27, wherein the key management exchange is an Internet key exchange (“
    - IKE”
      
      ).

33. An apparatus comprising:
- a packet processor;
  
  a packet security protocol instance operating within the packet processor; and
  
  a privileged application operating within the packet processor that detects one or more trigger events, determines whether a secure communication channel will be needed in the future and sends a message to the packet security protocol instance to establish the secure communication channel before the secure communication channel is needed.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 34. The apparatus as recited in claim 33, wherein the one or more trigger events include a registration request, an attachment of a client or an expected attachment of a client.
  - 35. The apparatus as recited in claim 33, wherein the privileged application determines whether the secure communication channel will be needed in the future based on a user profile or historical data.
  - 36. The apparatus as recited in claim 33, wherein the secure communication channel is needed whenever a control packet or payload packet is received that relates to the one or more trigger events and matches one or more security policies.
  - 37. The apparatus as recited in claim 33, wherein the privileged application stores an indication that the secure communication channel has been established.
  - 38. The apparatus as recited in claim 33, wherein the privileged application receives a control or payload packet, determines whether the received packet is associated with the pre-established secure communication channel, and sends the received packet using the pre-established secure communication channel whenever the received packet is associated with the pre-established secure communication channel.
  - 39. The apparatus as recited in claim 33, wherein the privileged application establishes the secure communication channel by sending a security association query (“
    - SA Query”
      
      ) to the packet security protocol instance, the SA Query comprising a message indicating that a security association is needed.
  - 40. The apparatus as recited in claim 33, wherein the packet security protocol instance is an IPsec protocol instance.
  - 41. The apparatus as recited in claim 33, wherein the secure communication channel is for control packets only, payload packets only, or both control and payload packets.
  - 42. The apparatus as recited in claim 33, further comprising:
    - a security policies database communicably coupled to the packet security protocol;
      
      a security association database communicably coupled to the packet security protocol;
      
      a key management daemon communicably coupled to the packet security protocol;
      
      the packet security protocol receiving a security association query (“
      
      SA Query”
      
      ) from the privileged application, the SA Query comprising a message indicating that a security association is needed, determining whether the SA Query matches one or more security policies stored in the securities policies database, determining whether the SA Query matches a security association stored in the security association database whenever the SA Query matches the one or more security policies, sending a SA Negotiation Request to the key management daemon whenever the SA Query matches the security association, sending a SA Query successful message to the privileged application indicating that the secure communication channel has been pre-established whenever the SA Query matches the security association or a negotiated SA pair is received from the key management exchange, and sending a SA Query failure message to the privileged application whenever the SA Query does not match the one or more security policies or a negotiation failure message is received from the key management exchange.
  - 43. The apparatus as recited in claim 42, wherein the privileged application is a management application.
  - 44. The apparatus as recited in claim 42, wherein the privileged application is a packet data serving node (“
    - PDSN”
      
      ).
  - 45. The apparatus as recited in claim 42, wherein the key management exchange is an Internet key exchange (“
    - IKE”
      
      ).
  - 46. The apparatus as recited in claim 42, wherein the apparatus is a gateway, router, firewall, server, communications node or switch.

47. A system comprising:
- a first network;
  
  a second network; and
  
  a packet communications device communicably coupled to the first network and the second network, the packet communications device comprising a packet processor, a packet security protocol instance operating within the packet processor, and a privileged application operating within the packet processor that detects one or more trigger events, determines whether a secure communication channel will be needed in the future and sends a message to the packet security protocol instance to establish the secure communication channel before the secure communication channel is needed.
- View Dependent Claims (48, 49, 50)
- - 48. The system as recited in claim 47, wherein the first network is the Internet and further comprising one or more computers or IP phones communicably coupled to the Internet.
  - 49. The system as recited in claim 47, wherein the second network is a local area network and further comprising one or more computers or personal data assistants communicably coupled to the local area network.
  - 50. The system as recited in claim 47, wherein the second network is an access network and further comprising one or more mobile stations communicably coupled to the access network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Vuorinen, Tapio, Linnakangas, Tommi, Bergenwall, Thomas

Application Number

US10/705,079
Publication Number

US 20050102514A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 2209/80   Wireless

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/06   for supporting key manageme...

H04L 63/164   at the network layer

H04L 67/14   Session management for real...

H04L 67/306   User profiles

H04L 9/0844   with user authentication or...

H04W 12/0433   Key management protocols

Method, apparatus and system for pre-establishing secure communication channels

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus and system for pre-establishing secure communication channels

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links