Cryptographic peer discovery, authentication, and authorization for on-path signaling

US 20060242408A1
Filed: 04/26/2005
Published: 10/26/2006
Est. Priority Date: 04/26/2005
Status: Active Grant

First Claim

Patent Images

1. A method for secure network device policy configuration, the method comprising the computer-implemented steps of:

intercepting, at an intermediary network device, one or more data packets that (a) are addressed to a destination device other than the intermediary network device, (b) collectively contain a request, and (c) collectively contain a group identifier;

selecting, from among one or more cryptographic keys that are stored at the intermediary network device, a particular cryptographic key that is mapped to the group identifier;

sending, toward an upstream device that sent the one or more data packets toward the intermediary network device, a first message that contains a first challenge;

receiving a second message that contains a first response;

generating a verification value based on (a) the particular cryptographic key and (b) the first challenge;

determining whether the first response matches the verification value; and

in response to determining that the first response matches the verification value, performing particular steps comprising;

selecting, from among one or more authorization sets, a particular authorization set that is mapped to the group identifier;

determining whether the request is allowed by the particular authorization set; and

in response to determining that the request is allowed by the particular authorization set, configuring, based on the request, a policy of the intermediary network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.

18 Citations

View as Search Results

16 Claims

1. A method for secure network device policy configuration, the method comprising the computer-implemented steps of:
- intercepting, at an intermediary network device, one or more data packets that (a) are addressed to a destination device other than the intermediary network device, (b) collectively contain a request, and (c) collectively contain a group identifier;
  
  selecting, from among one or more cryptographic keys that are stored at the intermediary network device, a particular cryptographic key that is mapped to the group identifier;
  
  sending, toward an upstream device that sent the one or more data packets toward the intermediary network device, a first message that contains a first challenge;
  
  receiving a second message that contains a first response;
  
  generating a verification value based on (a) the particular cryptographic key and (b) the first challenge;
  
  determining whether the first response matches the verification value; and
  
  in response to determining that the first response matches the verification value, performing particular steps comprising;
  
  selecting, from among one or more authorization sets, a particular authorization set that is mapped to the group identifier;
  
  determining whether the request is allowed by the particular authorization set; and
  
  in response to determining that the request is allowed by the particular authorization set, configuring, based on the request, a policy of the intermediary network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as recited in claim 1, further comprising the step of:
    - generating a second response based on (a) the particular cryptographic key and (b) a second challenge that is collectively contained in the one or more data packets;
      
      wherein the first message contains the second response.
  - 3. A method as recited in claim 1, wherein the one or more data packets do not contain the particular cryptographic key.
  - 4. A method as recited in claim 1, wherein the particular steps further comprise:
    - sending the one or more data packets toward the destination device.
  - 5. A method as recited in claim 1, wherein configuring the policy of the intermediary network device comprises configuring a firewall to allow forwarding of each data flow that satisfies criteria that are specified in the request.
  - 6. A method as recited in claim 1, wherein configuring the policy of the intermediary network device comprises configuring the intermediary network device to provide, to each data flow that satisfies criteria that are specified in the request, a quality of service that is at least as high as a quality of service that is specified in the request.
  - 7. A method as recited in claim 1, further comprising the step of:
    - determining whether the one or more data packets collectively contain a particular kind of message;
      
      wherein the step of sending the first message is performed in response to determining that the one or more data packets collectively contain the particular kind of message.

8. An apparatus for secure network device policy configuration, comprising:
- means for intercepting, at an intermediary network device, one or more data packets that (a) are addressed to a destination device other than the intermediary network device, (b) collectively contain a request, and (c) collectively contain a group identifier;
  
  means for selecting, from among one or more cryptographic keys that are stored at the intermediary network device, a particular cryptographic key that is mapped to the group identifier;
  
  means for sending, toward an upstream device that sent the one or more data packets toward the intermediary network device, a first message that contains a first challenge;
  
  means for receiving a second message that contains a first response;
  
  means for generating a verification value based on (a) the particular cryptographic key and (b) the first challenge;
  
  means for determining whether the first response matches the verification value; and
  
  means for selecting, in response to determining that the first response matches the verification value, and from among one or more authorization sets, a particular authorization set that is mapped to the group identifier;
  
  means for determining, in response to determining that the first response matches the verification value, whether the request is allowed by the particular authorization set; and
  
  means for configuring, in response to determining that the first response matches the verification value, in response to determining that the request is allowed by the particular authorization set, and based on the request, a policy of the intermediary network device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. An apparatus as recited in claim 8, further comprising:
    - means for generating a second response based on (a) the particular cryptographic key and (b) a second challenge that is collectively contained in the one or more data packets;
      
      wherein the first message contains the second response.
  - 10. An apparatus as recited in claim 8, wherein the one or more data packets do not contain the particular cryptographic key.
  - 11. An apparatus as recited in claim 8, further comprising:
    - means for sending, in response to determining that the first response matches the verification value, the one or more data packets toward the destination device.
  - 12. An apparatus as recited in claim 8, wherein the means for configuring the policy of the intermediary network device comprise means for configuring a firewall to allow forwarding of each data flow that satisfies criteria that are specified in the request.
  - 13. An apparatus as recited in claim 8, wherein the means for configuring the policy of the intermediary network device comprise means for configuring the intermediary network device to provide, to each data flow that satisfies criteria that are specified in the request, a quality of service that is at least as high as a quality of service that is specified in the request.
  - 14. An apparatus as recited in claim 8, further comprising:
    - means for determining whether the one or more data packets collectively contain a particular kind of message;
      
      wherein the means for sending the first message are means for sending the first message in response to determining that the one or more data packets collectively contain the particular kind of message.

15. An apparatus for secure network device policy configuration, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  intercepting, at an intermediary network device, one or more data packets that (a) are addressed to a destination device other than the intermediary network device, (b) collectively contain a request, and (c) collectively contain a group identifier;
  
  selecting, from among one or more cryptographic keys that are stored at the intermediary network device, a particular cryptographic key that is mapped to the group identifier;
  
  sending, toward an upstream device that sent the one or more data packets toward the intermediary network device, a first message that contains a first challenge;
  
  receiving a second message that contains a first response;
  
  generating a verification value based on (a) the particular cryptographic key and (b) the first challenge;
  
  determining whether the first response matches the verification value; and
  
  in response to determining that the first response matches the verification value, performing particular steps comprising;
  
  selecting, from among one or more authorization sets, a particular authorization set that is mapped to the group identifier;
  
  determining whether the request is allowed by the particular authorization set; and
  
  in response to determining that the request is allowed by the particular authorization set, configuring, based on the request, a policy of the intermediary network device.

16. A method comprising:
- intercepting one or more data packets that collectively contain a request;
  
  selecting, from among one or more cryptographic keys, a particular cryptographic key;
  
  sending, toward an upstream device, a first challenge;
  
  receiving a first response;
  
  generating a verification value based on the particular cryptographic key and the first challenge;
  
  determining whether the first response matches the verification value; and
  
  in response to determining that the first response matches the verification value;
  
  selecting, from among one or more authorization sets, a particular authorization set;
  
  determining whether the request is allowed by the particular authorization set; and
  
  in response to determining that the request is allowed by the particular authorization set, configuring, based on the request, an intermediary network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
McGrew, David A., Shore, Melinda L.

Granted Patent

US 7,350,227 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/101   Access control lists [ACL]

H04L 9/3273   for mutual authentication n...

Cryptographic peer discovery, authentication, and authorization for on-path signaling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Cryptographic peer discovery, authentication, and authorization for on-path signaling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links