Secure communication methods and systems

US 20060020787A1
Filed: 07/26/2004
Published: 01/26/2006
Est. Priority Date: 07/26/2004
Status: Active Grant

First Claim

Patent Images

1. A communication method comprising:

establishing respective Internet Protocol Security (IPSec) Protocol Security Associations (SAs) for a secure connection between an access system and an intermediate system and a secure connection between the intermediate system and a remote system; and

binding the IPSec SAs to establish a secure connection between the access system and the remote system.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for secure communications are provided. Secure end-to-end connections are established as separate multiple secure connections, illustratively between a first system and an intermediate system and between a second system and an intermediate system. The multiple secure connections may be bound, by binding Internet Protocol Security Protocol (IPSec) Security Associations (SAs) for the multiple connections, for example, to establish the end-to-end connection. In the event of a change in operating conditions which would normally require the entire secure connection to be re-established, only one of the multiple secure connections which form the end-to-end connection is re-established. Separation of end-to-end connections in this manner may reduce processing resource requirements and latency normally associated with re-establishing secure connections.

Citations

60 Claims

1. A communication method comprising:
- establishing respective Internet Protocol Security (IPSec) Protocol Security Associations (SAs) for a secure connection between an access system and an intermediate system and a secure connection between the intermediate system and a remote system; and
  
  binding the IPSec SAs to establish a secure connection between the access system and the remote system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein establishing comprises:
    - receiving a communication signal from the access system; and
      
      establishing the IPSec SA for the secure connection between the intermediate system and the remote system responsive to the communication signal.
  - 3. The method of claim 2, further comprising:
    - establishing the IPSec SA for the secure connection between the access system and the intermediate system after the IPSec SA for the secure connection between the intermediate system and the remote system has been established.
  - 4. The method of claim 1, wherein establishing the IPSec SA for the secure connection between the intermediate system and the remote system comprises providing an identifier associated with the access system to the remote system.
  - 5. The method of claim 1, wherein binding comprises storing a respective Security Parameter Index (SPI) identifying each of the respective IPSec SAs in a memory.
  - 6. The method of claim 1, further comprising:
    - receiving a communication signal from the remote system on the secure connection between the intermediate system and the remote system, the received communication signal comprising transmitted information;
      
      processing the received communication signal according to the IPSec SA for the secure connection between the intermediate system and the remote system to recover the transmitted information; and
      
      processing the recovered transmitted information according to the IPSec SA for the secure connection between the access system and the intermediate system to produce a communication signal for transmission to the access system on the secure connection between the access system and the intermediate system.
  - 7. The method of claim 1, further comprising:
    - receiving a communication signal from the access system on the secure connection between the access system and the intermediate system, the received communication signal comprising transmitted information;
      
      processing the received communication signal according to the IPSec SA for the secure connection between the access system and the intermediate system to recover the transmitted information; and
      
      processing the recovered transmitted information according to the IPSec SA for the secure connection between the intermediate system and the remote system to produce a communication signal for transmission to the remote system on the secure connection between the intermediate system and the remote system.
  - 8. The method of claim 1, further comprising:
    - detecting a change in operating conditions of the access system; and
      
      establishing an IPSec SA for a new secure connection between the access system and the intermediate system responsive to the detecting.
  - 9. The method of claim 1, wherein establishing the IPSec SA for the secure connection between the intermediate system and the remote system comprises establishing respective IPSec SAs for a secure connection between the intermediate system and a second intermediate system and a secure connection between the second intermediate system and the remote system and binding the IPSec SAs for the secure connections between the intermediate system and the second intermediate system and between the second intermediate system and the remote system.
  - 10. The method of claim 1, further comprising:
    - establishing an IPSec SA for a further secure connection between the intermediate system and either the remote system or a further remote system; and
      
      binding the IPSec SA for the secure connection between the access system and the intermediate system to the IPSec SA for the further secure connection.
  - 11. A computer-readable medium storing instructions which when executed perform the method of claim 1.

12. A system for establishing a secure connection between an access system and a remote system, the system comprising:
- a transceiver for communicating with the access system and the remote system; and
  
  a processor configured to establish respective Internet Protocol Security (IPSec) Protocol Security Associations (SAs) for secure connections with the access system and the remote system through the transceiver, and to bind the IPSec SAs to establish the secure connection between the access system and the remote system.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the processor is further configured to receive a communication signal from the access system through the transceiver, and to establish the IPSec SA for the secure connection with the remote system responsive to the communication signal.
  - 14. The system of claim 13, wherein the processor is further configured to establish the IPSec SA for the secure connection with the access system after the IPSec SA for the secure connection with the remote system has been established.
  - 15. The system of claim 12, wherein the processor is further configured to use an identifier associated with the access system for establishing the IPSec SA for the secure connection with the remote system.
  - 16. The system of claim 12, further comprising:
    - a memory;
      
      wherein the processor binds the IPSec SAs by storing a respective Security Parameter Index (SPI) identifying each of the IPSec SAs in the memory.
  - 17. The system of claim 12, wherein the processor is further configured to:
    - process a remote system communication signal received through the transceiver from the remote system according to the IPSec SA for the secure connection with the remote system to recover remote system transmitted information in the remote system communication signal;
      
      process the recovered remote system transmitted information according to the IPSec SA for the secure connection with the access system to produce a communication signal for transmission to the access system through the transceiver;
      
      process an access system communication signal received through the transceiver from the access system according to the IPSec SA for the secure connection with the access system to recover access system transmitted information in the access system communication signal; and
      
      process the recovered access system transmitted information according to the IPSec SA for the secure connection with the remote system to produce a communication signal for transmission to the remote system through the transceiver.
  - 18. The system of claim 12, wherein the processor is further configured to detect a change in operating conditions of the access system, and to establish an IPSec SA for a new secure connection with the access system responsive to a detected change in operating conditions of the access system.
  - 19. The system of claim 12, wherein the processor comprises an IPSec client for establishing the IPSec SAs with respective IPSec clients of the access system and the remote system.
  - 20. The system of claim 12, wherein the processor is further configured to establish an IPSec SA for a further secure connection between the intermediate system and either the remote system or a further remote system through the transceiver, and to bind the IPSec SA for the secure connection between the access system and the intermediate system to the IPSec SA for the further secure connection.
  - 21. A communication system comprising:
    - an access system;
      
      a remote system; and
      
      an intermediate system comprising the system of claim 12 for establishing a secure connection between the access system and the remote system.
  - 22. The communication system of claim 21, further comprising:
    - a second intermediate system comprising the system of claim 12 for establishing a secure connection between the intermediate system and the remote system.

23. A computer-readable medium storing a data structure comprising:
- an identifier of an Internet Protocol Security (IPSec) Protocol Security Association (SA) for a secure connection between an intermediate system and an access system; and
  
  an identifier of an IPSec SA for a secure connection between the intermediate system and a remote system, wherein the IPSec SAs are bound in the memory to thereby establish a secure connection between the access system and the remote system.
- View Dependent Claims (24)
- - 24. The computer-readable medium of claim 23, wherein the data structure further comprises at least one of an identifier of the access system and an IP address of the access system.

25. A method of managing a secure connection between an access system and a remote system, the secure connection comprising a secure connection between the access system and an intermediate system and a secure connection between the intermediate system and the remote system, the method comprising:
- detecting a change in operating conditions of the access system; and
  
  establishing a new secure connection between the access system and the intermediate system responsive to the detecting, whereby the secure connection between the access system and the remote system comprises the new secure connection between the access system and the intermediate system and the secure connection between the intermediate system and the remote system.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The method of claim 25, wherein detecting comprises detecting a change in an address of the access system.
  - 27. The method of claim 26, wherein the address of the access system comprises an Internet Protocol (IP) address.
  - 28. The method of claim 26, wherein detecting a change in an address of the access system comprises receiving an address change notification.
  - 29. The method of claim 25, wherein the secure connection between the access system and the intermediate system comprises a connection through a first communication network, and wherein detecting comprises determining that a handoff of the connection from the first communication network to a second communication network is imminent.
  - 30. The method of claim 29, wherein determining that a handoff is imminent comprises at least one of:
    - receiving a trigger for the handoff and determining a characteristic of a communication signal received from the access system on the secure connection between the access system and the intermediate system.
  - 31. The method of claim 25, wherein establishing a new secure connection comprises negotiating security parameters between the access system and the intermediate system.
  - 32. The method of claim 25, wherein the secure connection between the access system and the intermediate system is established by negotiating security parameters to be used between endpoint addresses, the endpoint addresses comprising an address of the intermediate system and an address of the access system, wherein the change in operating conditions comprises a change in the address of the access system to a new access system address, and wherein establishing a new secure connection comprises updating the endpoint address of the access system to the new access system address.
  - 33. The method of claim 25, wherein the secure connection between the access system and the intermediate system and the secure connection between the intermediate system and the remote system have respective Internet Protocol Security (IPSec) Protocol Security Associations (SAs).
  - 34. The method of claim 25, wherein the secure connection between the intermediate system and the remote system comprises a secure connection between the intermediate system and a second intermediate system and a secure connection between the second intermediate system and the remote system, the method further comprising:
    - detecting a change in operating conditions of the remote system; and
      
      establishing a new secure connection between the second intermediate system and the remote system responsive to the detecting, whereby the secure connection between the intermediate system and the remote system comprises the secure connection between the intermediate system and the second intermediate system and the new secure connection between the second intermediate system and the remote system.
  - 35. The method of claim 25, wherein the secure connection between the access system and the remote system comprises one of a plurality of secure connections between the access system and at least one remote system including the remote system, the plurality of secure connections comprising the secure connection between the access system and the intermediate system and respective secure connections between the intermediate system and the at least one remote system.
  - 36. A computer-readable medium storing instructions which when executed perform the method of claim 25.

37. An intermediate system for managing a secure connection between an access system and a remote system, the secure connection comprising a secure connection between the access system and the intermediate system and a secure connection between the intermediate system and the remote system, the intermediate system comprising:
- a transceiver for communicating with the access system and the remote system; and
  
  a processor configured to detect a change in operating conditions of the access system, and to establish a new secure connection between the access system and the intermediate system through the transceiver responsive to a detected change in operating conditions of the access system, whereby the secure connection between the access system and the remote system comprises the new secure connection between the access system and the intermediate system and the secure connection between the intermediate system and the remote system.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 38. The system of claim 37, wherein the change in operating conditions of the access system comprises a change in an address of the access system.
  - 39. The system of claim 38, wherein the address of the access system comprises an Internet Protocol (IP) address.
  - 40. The system of claim 38, wherein the processor is configured to detect a change in an address of the access system based on an address change notification received through the transceiver.
  - 41. The system of claim 37, wherein the secure connection between the access system and the intermediate system comprises a connection through a first communication network, and wherein the processor is configured to detect a change in operating conditions of the access system based on a determination that a handoff of the connection from the first communication network to a second communication network is imminent.
  - 42. The system of claim 41, wherein the determination that a handoff is imminent is made based on at least one of:
    - a trigger for the handoff and a characteristic of a communication signal received from the access system through the transceiver.
  - 43. The system of claim 37, wherein the processor is configured to establish a new secure connection by negotiating security parameters for the new secure connection with the access system.
  - 44. The system of claim 37, wherein the secure connection between the access system and the intermediate system is established by negotiating security parameters to be used between endpoint addresses, the endpoint addresses comprising an address of the intermediate system and an address of the access system, wherein the change in operating conditions comprises a change in the address of the access system to a new access system address, and wherein the processor is configured to establish a new secure connection by updating the endpoint address of the access system to the new access system address.
  - 45. The system of claim 44, further comprising:
    - a memory storing an identifier of the security parameters and the endpoint addresses, wherein the processor is configured to update the endpoint address of the access system by storing in the memory the new access system address.
  - 46. The system of claim 37, wherein the secure connection between the access system and the intermediate system and the secure connection between the intermediate system and the remote system have respective Internet Protocol Security (IPSec) Protocol Security Associations (SAs), and wherein the processor comprises an IPSec client for establishing the new secure connection with an IPSec client of the access system.
  - 47. The system of claim 37, wherein the secure connection between the access system and the remote system comprises one of a plurality of secure connections between the access system and at least one remote system including the remote system, the plurality of secure connections comprising the secure connection between the access system and the intermediate system and respective secure connections between the intermediate system and the at least one remote system.
  - 48. A communication system comprising:
    - an access system;
      
      a remote system;
      
      an intermediate system comprising the system of claim 37 for establishing a secure connection between the access system and the remote system by establishing respective secure connections between the access system and the intermediate system and between the intermediate system and the remote system; and
      
      a second intermediate system comprising the system of claim 37 for establishing the secure connection between the intermediate system and the remote system by establishing respective secure connections between the intermediate system and the second intermediate system and between the second intermediate system and the remote system.

49. A method of managing a secure connection between a first system and a second system, the secure connection comprising a first secure connection between the first system and an intermediate system and a second secure connection between the intermediate system and the second system, the method comprising:
- detecting a change in operating conditions of the first system or the second system;
  
  establishing a new secure connection between the first system and the intermediate system responsive to detecting a change in the operating conditions of the first system, whereby the secure connection between the first system and the second system comprises the new secure connection between the first system and the intermediate system and the second secure connection; and
  
  establishing a new secure connection between the intermediate system and the second system responsive to detecting a change in the operating conditions of the second system, whereby the secure connection between the first system and the second system comprises the first secure connection and the new secure connection between the intermediate system and the second system.
- View Dependent Claims (50, 51, 52, 53, 54)
- - 50. The method of claim 49, wherein detecting comprises detecting a change in different respective operating conditions for the first system and the second system.
  - 51. The method of claim 49, wherein at least one of the first system and the second system comprises a mobile communication device, and wherein detecting comprises detecting a change in an Internet Protocol (IP) address of the mobile communication device.
  - 52. The method of claim 49, further comprising:
    - establishing respective Internet Protocol Security (IPSec) Protocol Security Associations (SAs) for the first secure connection and the second secure connection; and
      
      binding the IPSec SAs to establish the secure connection between the first system and the second system.
  - 53. The method of claim 49, wherein the respective IPSec SAs are associated with endpoint addresses, the endpoint addresses for the IPSec SA for the first secure connection comprising an address of the intermediate system and an address of the first system and the endpoint addresses for the IPSec SA for the second secure connection comprising the address of the intermediate system and an address of the second system, wherein the change in operating conditions comprises a change in the address of the first system or the second system to a new address, wherein establishing the new secure connection between the first system and the intermediate system comprises updating the endpoint address of the first system to the new address for the IPSec SA for the first secure connection, and wherein establishing the new secure connection between the intermediate system and the second system comprises updating the endpoint address of the second system to the new address for the IPSec SA for the second secure connection.
  - 54. A computer-readable medium storing instruction which when executed perform the method of claim 49.

55. An intermediate system for managing a secure connection between a first system and a second system, the secure connection comprising a first secure connection between the first system and the intermediate system and a second secure connection between the intermediate system and the second system, the intermediate system comprising:
- a transceiver for communicating with the first system and the second system; and
  
  a processor configured to detect a change in operating conditions of the first system or the second system, wherein the processor is further configured to;
  
  establish a new secure connection between the first system and the intermediate system responsive to detecting a change in the operating conditions of the first system, whereby the secure connection between the first system and the second system comprises the new secure connection between the first system and the intermediate system and the second secure connection; and
  
  establish a new secure connection between the intermediate system and the second system responsive to detecting a change in the operating conditions of the second system, whereby the secure connection between the first system and the second system comprises the first secure connection and the new secure connection between the intermediate system and the second system.
- View Dependent Claims (56, 57, 58)
- - 56. The system of claim 55, wherein the processor is configured to detect a change in different respective operating conditions for the first system and the second system.
  - 57. The system of claim 55, wherein at least one of the first system and the second system comprises a mobile communication device, and wherein the processor is configured to detect a change in an Internet Protocol (IP) address of the mobile communication device.
  - 58. The system of claim 55, wherein the processor is further configured to establish respective Internet Protocol Security (IPSec) Protocol Security Associations (SAs) for the first secure connection and the second secure connection, the respective IPSec SAs being associated with endpoint addresses, the endpoint addresses for the IPSec SA for the first secure connection comprising an address of the intermediate system and an address of the first system and the endpoint addresses for the IPSec SA for the second secure connection comprising the address of the intermediate system and an address of the second system, to bind the IPSec SAs to establish the secure connection between the first system and the second system, to detect the change in operating conditions by detecting a change in the address of the first system or the second system to a new address, to establish the new secure connection between the first system and the intermediate system by updating the endpoint address of the first system to the new address for the IPSec SA for the first secure connection, and to establish the new secure connection between the intermediate system and the second system by updating the endpoint address of the second system to the new address for the IPSec SA for the second secure connection.

59. A method of managing a secure connection between a first system and a second system, the secure connection comprising a first secure connection between the first system and a first intermediate system, a second secure connection between the first intermediate system and a second intermediate system, and a third secure connection between the second intermediate system and the second system, the method comprising:
- detecting a change in operating conditions of the first system or the second system;
  
  establishing a new secure connection between the first system and the first intermediate system responsive to detecting a change in the operating conditions of the first system, whereby the secure connection between the first system and the second system comprises the new secure connection between the first system and the first intermediate system, the second secure connection, and the third secure connection; and
  
  establishing a new secure connection between the second intermediate system and the second system responsive to detecting a change in the operating conditions of the second system, whereby the secure connection between the first system and the second system comprises the first secure connection, the second secure connection, and the new secure connection between the second intermediate system and the second system.

60. A communication system comprising:
- first and second intermediate systems for managing a secure connection between a first system and a second system, the secure connection comprising a first secure connection between the first system and the first intermediate system, a second secure connection between the first intermediate system and the second intermediate system, and a third secure connection between the second intermediate system and the second system, the first intermediate system comprising;
  
  a transceiver for communicating with the first system and the second intermediate system; and
  
  a processor configured to;
  
  detect a change in operating conditions of the first system; and
  
  establish a new secure connection between the first system and the first intermediate system responsive to detecting a change in the operating conditions of the first system, whereby the secure connection between the first system and the second system comprises the new secure connection between the first system and the first intermediate system, the second secure connection, and the third secure connection, and the second intermediate system comprising;
  
  a transceiver for communicating with the first intermediate system and the second system; and
  
  a processor configured to;
  
  detect a change in operating conditions of the second system; and
  
  establish a new secure connection between the second intermediate system and the second system responsive to detecting a change in the operating conditions of the second system, whereby the secure connection between the first system and the second system comprises the first secure connection, the second secure connection, and the new secure connection between the second intermediate system and the second system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Gariador, Frederic, Robison, Andrew, Choyi, Vinod

Granted Patent

US 7,676,838 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 67/14   Session management for real...

H04L 69/329   in the application layer [O...

H04W 12/03   Protecting confidentiality,...

H04W 80/04   Network layer protocols, e....

Secure communication methods and systems

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication methods and systems

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links