Performing security functions on a message payload in a network element

US 20060123226A1
Filed: 12/07/2004
Published: 06/08/2006
Est. Priority Date: 12/07/2004
Status: Active Grant

First Claim

Patent Images

1. A method of performing security functions on a message payload in a network element, the method comprising the computer-implemented steps of:

receiving one or more data packets at a network element; and

performing, at the network element, a particular function on at least a portion of an application layer message that is contained in one or more payload portions of the one or more data packets;

wherein the particular function is one of a set of functions comprising an encryption function, a decryption function, a digest function, an authentication function, an authorization function, and an auditing function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for performing security functions on a message payload in a network element. According to one aspect, a network element receives one or more data packets. The network element performs a security function on at least a portion of an application layer message that is contained in one or more payload portions of the one or more data packets. According to another aspect, a network element receives a first request that is destined for a first application. The network element sends, to a second application that sent the first request, a second request for authentication information. The network element receives the authentication information and determines whether the authentication information is valid. If the authentication information is not valid, then the network element prevents the first request from being sent to the first application.

175 Citations

39 Claims

1. A method of performing security functions on a message payload in a network element, the method comprising the computer-implemented steps of:
- receiving one or more data packets at a network element; and
  
  performing, at the network element, a particular function on at least a portion of an application layer message that is contained in one or more payload portions of the one or more data packets;
  
  wherein the particular function is one of a set of functions comprising an encryption function, a decryption function, a digest function, an authentication function, an authorization function, and an auditing function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. A method as recited in claim 1, further comprising:
    - determining a message classification based on information contained in the one or more packets;
      
      wherein performing the particular function comprises performing a function that is associated with the message classification.
  - 3. A method as recited in claim 2, wherein the information comprises at least one of an IP source address, an IP destination address, a TCP source port, and a TCP destination port.
  - 4. A method as recited in claim 2, wherein determining the message classification comprises determining the message classification based on contents of at least a portion of the application layer message.
  - 5. A method as recited in claim 1, wherein performing the particular function comprises performing the particular function using a cryptographic key that is associated with an application, wherein the application is one of (a) an application that sent the one or more data packets and (b) an application for which the one or more data packets are destined.
  - 6. A method as recited in claim 5, wherein the cryptographic key is stored at the network element.
  - 7. A method as recited in claim 5, wherein the cryptographic key is managed by a central console that is separate from the network element, wherein the central console distributes cryptographic keys and manages lifecycles of cryptographic keys.
  - 8. A method as recited in claim 1, wherein the one or more data packets are destined for an application that is hosted on a device other than the network element.
  - 9. A method as recited in claim 1, further comprising:
    - sending, from the network element, one or more data packets that contain at least an encrypted portion of the application layer message, wherein the one or more data packets received by the network element contained an unencrypted version of the encrypted portion.
  - 10. A method as recited in claim 1, further comprising:
    - sending, from the network element, one or more data packets that contain at least a decrypted portion of the application layer message, wherein the one or more data packets received by the network element contained an encrypted version of the decrypted portion.
  - 11. A method as recited in claim 1, wherein the network element is a network switch or router.
  - 12. A method as recited in claim 1, further comprising:
    - generating, at the network element, a digest based on the message;
      
      wherein performing the particular function comprises encrypting the digest, thereby signing the message.
  - 13. A method as recited in claim 1, further comprising:
    - generating, at the network element, a first digest based on the message; and
      
      comparing the first digest to a second digest, thereby verifying the message;
      
      wherein performing the particular function comprises decrypting the second digest.
  - 14. A method as recited in claim 1, wherein performing the particular function on at least the portion of the application layer message comprises performing the particular function on a portion of the application layer message that is located at a user-specified path in an XML document or a non-XML document.
  - 15. A method as recited in claim 1, wherein the application layer message comprises a multi-part MIME message, and further comprising handling each part of the multi-part MIME message separately and independently from each other part of the multi-part MIME message.
  - 16. A method as recited in claim 1, further comprising:
    - determining, from information contained in the one or more data packets, an identity of a sender or intended receiver of the one or more data packets;
      
      wherein performing the particular function comprises performing the function using a key that is associated with the identity.
  - 17. A method as recited in claim 1, further comprising:
    - determining a type of credential that is contained in the one or more data packets;
      
      based on the type of credential, selecting, from among a plurality of credential stores, a particular credential store that is associated with the type of credential; and
      
      comparing the credential with a credential that is stored in the particular credential store.
  - 18. A method as recited in claim 1, further comprising:
    - determining a type of credential that is contained in the one or more data packets;
      
      based on the type of credential, selecting, from among a plurality of destinations, a particular destination that is associated with the type of credential; and
      
      sending at least a portion of the application layer message toward the particular destination.
  - 19. A method as recited in claim 1, further comprising:
    - performing, at the network element, a function on a message that is a request message, a response message, an exception processing message, or a message that was not sent between a client application and a server application as a result of an event or trigger that occurred on the network element.
  - 20. A method as recited in claim 1, further comprising:
    - determining a particular content that is specified in the application layer message;
      
      determining whether the particular content satisfies a set of constraints; and
      
      in response to determining that the particular content satisfies the set of constraints, performing one or more specified actions.
  - 21. A method as recited in claim 1, further comprising:
    - looking up security information that is mapped to a username token that is specified in the application layer message; and
      
      sending the security information to a receiving application on behalf of a sending application;
      
      wherein the security information is a certificate or an assertion.
  - 22. A method as recited in claim 1, further comprising:
    - generating security information that is mapped to a username token that is specified in the application layer message; and
      
      sending the security information to a receiving application on behalf of a sending application;
      
      wherein the security information is a certificate or an assertion.
  - 23. A method as recited in claim 1, further comprising:
    - determining a first assertion that is contained in the application layer message;
      
      determining a second assertion that is contained in the application layer message, wherein the second assertion differs from the first assertion, and wherein the second assertion is an authoritative certification by a trusted authority concerning the application from which the application layer message originated;
      
      verifying the first assertion; and
      
      verifying the second assertion.
  - 24. A method as recited in claim 1, further comprising:
    - sending a challenge to an application;
      
      receiving a challenge-response that originated from the application;
      
      determining whether the challenge-response satisfies the challenge; and
      
      in response to determining that the challenge-response satisfies the challenge, performing one or more specified actions.
  - 25. A method as recited in claim 1, further comprising:
    - sending at least a portion of the application layer message using both a first application layer protocol and Secure Sockets Layer (SSL) protocol;
      
      wherein the application layer message was received at the network element using both SSL protocol and a second application layer protocol that differs from the first application layer protocol.
  - 26. A method as recited in claim 1, further comprising:
    - sending at least a portion of the application layer message using Secure Sockets Layer (SSL) protocol;
      
      wherein the application layer message was received at the network element as clear text.
  - 27. A method as recited in claim 1, further comprising:
    - sending at least a portion of the application layer message as clear text;
      
      wherein the application layer message was received at the network element using Secure Sockets Layer (SSL) protocol.

28. A method of performing an authentication function in a network element, the method comprising the computer-implemented steps of:
- receiving, at a network element, a first request that is destined for a first application that is hosted on a device other than the network element;
  
  in response to receiving the first request, sending, to a second application that sent the first request, a second request for authentication information;
  
  receiving the authentication information at the network element;
  
  determining, at the network element, whether the authentication information is valid; and
  
  in response to determining that the authentication information is not valid, preventing the first request from being sent to the first application.
- View Dependent Claims (29, 30, 31, 32)
- - 29. A method as recited in claim 28, further comprising:
    - in response to determining that the authentication information is valid, sending the first request to the first application.
  - 30. A method as recited in claim 28, wherein determining whether the authentication information is valid comprises determining whether a mapping exists between (a) a password indicated in the authentication information and (b) a user identifier indicated in the authentication information.
  - 31. A method as recited in claim 30, wherein determining whether the mapping exists comprises determining whether the mapping exists in a data repository that is external to the network element.
  - 32. A method as recited in claim 28, further comprising:
    - in response to determining that the authentication information is valid, determining a set of permissions that are associated with a user identifier indicated in the authentication information;
      
      receiving, at the network element, a third request that the second application sent;
      
      determining, at the network element, whether the third request is permitted according to the set of permissions; and
      
      in response to determining that the third request is not permitted according to the set of permissions, preventing the third request from being sent to the first application.

33. A computer-readable medium carrying one or more sequences of instructions for performing security functions on a message payload in a network element, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving one or more data packets at a network element; and
  
  performing, at the network element, a particular function on at least a portion of an application layer message that is contained in one or more payload portions of the one or more data packets;
  
  wherein the particular function is one of a set of functions comprising an encryption function, a decryption function, a digest function, an authentication function, an authorization function, and an auditing function.

34. An apparatus for performing security functions on a message payload in a network element, comprising:
- means for receiving one or more data packets at a network element; and
  
  means for performing, at the network element, a particular function on at least a portion of an application layer message that is contained in one or more payload portions of the one or more data packets;
  
  wherein the particular function is one of a set of functions comprising an encryption function, a decryption function, a digest function, an authentication function, an authorization function, and an auditing function.

35. An apparatus for performing an authentication function in a network element, comprising:
- means for receiving, at a network element, a first request that is destined for a first application that is hosted on a device other than the network element;
  
  means for sending, in response to receiving the first request, to a second application that sent the first request, a second request for authentication information;
  
  means for receiving the authentication information at the network element;
  
  means for determining, at the network element, whether the authentication information is valid; and
  
  means for preventing, in response to determining that the authentication information is not valid, the first request from being sent to the first application.

36. An apparatus for performing security functions on a message payload in a network element, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving one or more data packets at a network element; and
  
  performing, at the network element, a particular function on at least a portion of an application layer message that is contained in one or more payload portions of the one or more data packets;
  
  wherein the particular function is one of a set of functions comprising an encryption function, a decryption function, a digest function, an authentication function, an authorization function, and an auditing function.

37. An apparatus for performing an authentication function in a network element, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving, at a network element, a first request that is destined for a first application that is hosted on a device other than the network element;
  
  in response to receiving the first request, sending, to a second application that sent the first request, a second request for authentication information;
  
  receiving the authentication information at the network element;
  
  determining, at the network element, whether the authentication information is valid; and
  
  in response to determining that the authentication information is not valid, preventing the first request from being sent to the first application.

38. A system comprising:
- a first application that sends a message;
  
  a first network element that receives the message, encrypts the message to produce an encrypted message, and sends the encrypted message;
  
  a second network element that receives the encrypted message, decrypts the encrypted message to produce a decrypted message, and sends the decrypted message; and
  
  a second application that receives the decrypted message.
- View Dependent Claims (39)
- - 39. The system of claim 38, wherein at least one of the first and second network elements is a network router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Srinivasan, Subramanian, Kumar, Sandeep, Anthias, Tefcros, Wiborg, Christopher R., Iyer, Subramanian N.

Granted Patent

US 7,496,750 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/154
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

H04L 63/123   received data contents, e.g...

H04L 63/20   for managing network securi...

Performing security functions on a message payload in a network element

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

175 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Performing security functions on a message payload in a network element

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links