Method and system for securely scanning network traffic

US 20070169187A1
Filed: 02/06/2007
Published: 07/19/2007
Est. Priority Date: 04/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

via an obtained encryption parameter shared by a first device, a second device, and a separate computer, forwarding only each data packet, of a plurality of received packets, that is in compliance with a predetermined criterion associated with said separate computer, a decrypted copy of each data packet scanned for compliance with said predetermined criterion at a predetermined portion of said separate computer, said predetermined portion of said separate computer adapted to provide only an affirmative response or a negative response regarding compliance with said predetermined criterion, wherein contents of said decrypted copy of each data packet is restricted to said predetermined portion of said separate computer, said separate computer adapted for restricting all operators of said separate computer from accessing contents of said decrypted copy of each data packet.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for implementing secure network communications between a first device and a second device, at least one of the devices communicating with the other device via a firewall device, are provided. The method and system may include obtaining an encryption parameter that is shared by the first device, second device and firewall device. A data packet sent by the first device may then be copied within the firewall device, so that decryption of the copy of the data packet within a portion of the firewall device may take place. In particular, the portion of the firewall device in which decryption takes place is defined such that contents of the portion are inaccessible to an operator of the firewall device. Thus, scanning of the decrypted copy of the data packet for compliance with a predetermined criterion may take place within the firewall device, without an operator of the firewall device having access to the contents of the data packet to be transmitted. Thereafter, the original data packet can be forwarded to its originally intended recipient.

70 Citations

View as Search Results

19 Claims

1. A method comprising:
- via an obtained encryption parameter shared by a first device, a second device, and a separate computer, forwarding only each data packet, of a plurality of received packets, that is in compliance with a predetermined criterion associated with said separate computer, a decrypted copy of each data packet scanned for compliance with said predetermined criterion at a predetermined portion of said separate computer, said predetermined portion of said separate computer adapted to provide only an affirmative response or a negative response regarding compliance with said predetermined criterion, wherein contents of said decrypted copy of each data packet is restricted to said predetermined portion of said separate computer, said separate computer adapted for restricting all operators of said separate computer from accessing contents of said decrypted copy of each data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - obtaining said encryption parameter.
  - 3. The method of claim 1, further comprising:
    - copying each data packet within said separate computer.
  - 4. The method of claim 1, further comprising:
    - decrypting said copy of each data packet within said separate computer.
  - 5. The method of claim 1, further comprising:
    - forwarding each data packet to said second device if said copy of each data packet complies with said predetermined criterion.
  - 6. The method of claim 1, further comprising:
    - deleting each data packet that does not comply with said predetermined criterion.
  - 7. The method of claim 1, further comprising:
    - deleting said decrypted copy of each data packet after each data packet has been scanned.
  - 8. The method of claim 1, wherein said predetermined portion of said separate computer that is inaccessible to any operator of said computer is a hardware chipset within said separate computer.
  - 9. The method of claim 1, further comprising:
    - obtaining said encryption parameter via;
      
      building a first secret key with said first device during a negotiation of a first security association;
      
      building a second secret key, based on said first secret key, with said second device during a negotiation of a second security association;
      
      communicating information to said first device that allows said first device to calculate said second secret key using said first secret key, wherein said second secret key is used as said encryption parameter.
  - 10. The method of claim 1, wherein public keys associated with said first device, said second device, or said separate computer are authenticated by virtue of an inclusion of one or more of said public keys on a digital certificate.
  - 11. The method of claim 1, further comprising:
    - obtaining said encryption parameter via;
      
      building a first secret key with said first device during a negotiation of a first security association;
      
      building a second secret key, based on said first secret key, with said second device during a negotiation of a second security association;
      
      communicating information to said first device that allows said first device to calculate said second secret key using said first secret key, wherein said second secret key is used as said encryption parameter, wherein said information is a public key of said second device.
  - 12. The method of claim 1, further comprising:
    - obtaining said encryption parameter via;
      
      building a first secret key with said first device during a negotiation of a first security association;
      
      building a second secret key, based on said first secret key, with said second device during a negotiation of a second security association;
      
      communicating information to said first device that allows said first device to calculate said second secret key using said first secret key, wherein said second secret key is used as said encryption parameter, wherein said first security association is negotiated between said first device and a first address of said separate computer associated with said device, and said second security association is negotiated between said second device and a second address of said separate computer associated with said first device.
  - 13. The method of claim 1, further comprising:
    - obtaining said encryption parameter via;
      
      negotiating, transparently through said separate computer, a first security association between said first device and said second device;
      
      sharing said encryption parameter between said first and second devices using said first security association;
      
      negotiating a second security association between said first device and said separate computer; and
      
      sharing said encryption parameter between said first device and said separate computer through said second security association.

14. A device comprising:
- a content scanner adapted to, via an obtained encryption parameter shared by a first device, a second device, and a separate computer, forward only each data packet, of a plurality of received packets, that is in compliance with a predetermined criterion associated with said separate computer, a decrypted copy of each data packet scanned for compliance with said predetermined criterion at a predetermined portion of said separate computer, said predetermined portion of said separate computer adapted to provide only an affirmative response or a negative response regarding compliance with said predetermined criterion, wherein contents of said decrypted copy of each data packet is restricted to said predetermined portion of said separate computer, said separate computer adapted for restricting all operators of said separate computer from accessing contents of said decrypted copy of each data packet.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The device of claim 14, wherein each data packet is forwarded to said second device if said copy of each data packet complies with said predetermined criterion.
  - 16. The device of claim 14, wherein each data packet is deleted if said copy of each data packet does not comply with said predetermined criterion.
  - 17. The device of claim 14, wherein said copy of each data packet is deleted after each data packet has been scanned for compliance with said predetermined criterion.
  - 18. The device of claim 14, wherein said predetermined portion of said separate computer that is inaccessible to any operator of said computer is a hardware chipset within said separate computer.

19. A system comprising:
- a firewall device adapted to, via an obtained encryption parameter shared by a first device, a second device, and a separate computer, forward only each data packet, of a plurality of received packets, that is in compliance with a predetermined criterion associated with said separate computer, a decrypted copy of each data packet scanned for compliance with said predetermined criterion at a predetermined portion of said separate computer, said predetermined portion of said separate computer adapted to provide only an affirmative response or a negative response regarding compliance with said predetermined criterion, wherein contents of said decrypted copy of each data packet is restricted to said predetermined portion of said separate computer, said separate computer adapted for restricting all operators of said separate computer from accessing contents of said decrypted copy of each data packet; and
  
  said first device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures II LLC (Intellectual Ventures LLC)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Balissat, Joel, Sommerlatt, Jean-Marie, Galand, Claude, Le Penncc, Jean-Francois

Granted Patent

US 7,543,332 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/15
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

Method and system for securely scanning network traffic

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for securely scanning network traffic

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links