Securing network traffic using distributed key generation and dissemination over secure tunnels

US 20070186281A1
Filed: 01/03/2007
Published: 08/09/2007
Est. Priority Date: 01/06/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method for securing message traffic in a data network using a security protocol, the method comprising the steps of:

at a policy enforcement point (PEP) within a network of PEPS, determining a security policy definition to be applied to the traffic across the network, the policy definition including at least a definition of the traffic to be secured and parameters to be applied to the secured traffic;

generating an outbound key to be used in securing the traffic;

distributing the outbound key to peer PEPs in the network of PEPs;

receiving an outbound packet, the outbound packet having original source and destination addresses;

applying security processing to the outbound packet according to the security policy; and

forwarding the secured packet in the network using the security protocol, the secured packet having at least a partially unsecured header portion indicating at least one of the original source and destination addresses.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security keys where key generation, key distribution, policy generation and policy distribution are separated, with inner to outer header replication on packet traffic. The approach permits encrypted messages to travel seamlessly through various otherwise unsecured internetworking devices.

Citations

27 Claims

1. A method for securing message traffic in a data network using a security protocol, the method comprising the steps of:
- at a policy enforcement point (PEP) within a network of PEPS, determining a security policy definition to be applied to the traffic across the network, the policy definition including at least a definition of the traffic to be secured and parameters to be applied to the secured traffic;
  
  generating an outbound key to be used in securing the traffic;
  
  distributing the outbound key to peer PEPs in the network of PEPs;
  
  receiving an outbound packet, the outbound packet having original source and destination addresses;
  
  applying security processing to the outbound packet according to the security policy; and
  
  forwarding the secured packet in the network using the security protocol, the secured packet having at least a partially unsecured header portion indicating at least one of the original source and destination addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein in the step of forwarding the packet includes routing the packet through one of many possible data paths that are not known in advance of the step of forwarding the packet.
  - 3. The method of claim 2, wherein the data path for the packet is determined using load balancing, quality of service, multicast, or broadcast routing techniques.
  - 4. The method of claim 1, wherein the step of generating an outbound key is performed at initial key creation or at defined re-key intervals.
  - 5. The method of claim 1, wherein the step of distributing the outbound key to peer PEPs further comprises the steps of:
    - establishing a secure tunnel with a peer PEP; and
      
      forwarding the outbound key to the peer PEP via the secure tunnel.
  - 6. The method of claim 1, wherein the step of distributing the outbound key to peer PEPs further comprises:
    - establishing a secure tunnel with a key authority point (KAP), and at the KAP, further performing the steps of;
      
      (i) authenticating a PEP as authorized to exchange keys;
      
      (ii) identifying peer PEP/KAPs based on the security policy;
      
      (iii) establishing secure tunnels with the peer PEP/KAPs; and
      
      (iv) distributing the outbound keys to the peer PEPs.
  - 7. The method of claim 6, wherein the step of determining a security policy definition includes configuring the security policy definition to include addresses of a peer PEP and a KAP.
  - 8. The method of claim 1, wherein the step of determining a security policy definition includes configuring the security policy definition to include addresses of a peer PEP.
  - 9. The method of claim 1, wherein the step of determining a security policy definition occurs when the PEP (a) is configured, or (b) receives a packet for which no policy definition exists.
  - 10. The method of claim 1, wherein the step of generating an outbound key is performed at a centralized key server, and the method further comprises the step of:
    - at the PEP, receiving the key from the centralized key server.
  - 11. The method of claim 1, wherein one or more PEPs are associated with a key authority point (KAP), and the network is configured to have at least two KAPs interconnected by a secure tunnel, and the step of distributing the outbound key further comprises:
    - at a selected KAP, performing an Internet Key Exchange (IKE) negotiation between the selected KAP and at least one other KAP using the secure tunnel; and
      
      at the selected KAP, distributing any received keys to at least one PEP associated with the selected KAP.
  - 12. The method of claim 1, wherein the PEPs use shared keys to perform data decryption and encryption around firewalls, intrusion detection systems, SSL accelerators, and other devices that need to inspect decrypted packets without burdening the network with multiple secure negotiations.
  - 13. The method of claim 1, wherein the PEP is implemented in a network that services mobile wireless devices, and the method further comprises the step of:
    - enabling the same given key to be used for communication with a mobile device as the mobile device moves between wireless coverage areas and the mobile device'"'"'s source address changes.

14. A policy enforcement point (PEP) within a network of PEPs, the PEP comprising:
- a security policy definition to be applied to the traffic across the network, the policy definition including at least a definition of the traffic to be secured and parameters to be applied to the secured traffic;
  
  an outbound key to be used in securing the traffic, the outbound key being distributed to peer PEPs in the network of PEPs;
  
  means for receiving an outbound packet, the outbound packet having original source and destination addresses;
  
  means for applying security processing to the outbound packet according to the security policy; and
  
  means for forwarding the secured packet in the network using the security protocol, the secured packet having at least a partially unsecured header portion indicating at least one of the original source and destination addresses.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The policy enforcement point of claim 14, wherein forwarding the packet includes routing the packet through one of many possible data paths that are not known in advance of forwarding the packet.
  - 16. The policy enforcement point of claim 15, wherein the data path for the packet is determined using load balancing, quality of service, multicast, or broadcast routing techniques.
  - 17. The policy enforcement point of claim 14, wherein the outbound key is generated at initial key creation or at defined re-key intervals.
  - 18. The policy enforcement point of claim 14, wherein the PEP distributes the outbound key to peer PEPs via a secure tunnel.
  - 19. The policy enforcement point of claim 14, wherein the PEP distributes the outbound key to peer PEPs via a secure tunnel with a key authority point (KAP), the KAP:
    - (i) authenticating a PEP as authorized to exchange keys;
      
      (ii) identifying peer PEP/KAPs based on the security policy;
      
      (iii) establishing secure tunnels with the peer PEP/KAPs; and
      
      (iv) distributing the outbound keys to the peer PEPs.
  - 20. The policy enforcement point of claim 19, wherein the security policy definition includes addresses of a peer PEP and a KAP.
  - 21. The policy enforcement point of claim 14, wherein the security policy definition includes addresses of a peer PEP.
  - 22. The policy enforcement point of claim 14, wherein the security policy definition is determined when the PEP (a) is configured, or (b) receives a packet for which no policy definition exists.
  - 23. The policy enforcement point of claim 14, wherein the outbound key is generated at a centralized key server, and the PEP receives the key from the centralized key server.
  - 24. The policy enforcement point of claim 14, wherein the PEP is associated with a key authority point (KAP), the KAP being connected to at least one other KAP by a secure tunnel and distributing the outbound key to at least one associated PEP by performing an Internet Key Exchange (IKE) negotiation with at least one other KAP using the secure tunnel.
  - 25. The policy enforcement point of claim 14, wherein the PEP uses shared keys to perform data decryption and encryption around firewalls, intrusion detection systems, SSL accelerators, and other devices that need to inspect decrypted packets without burdening the network with multiple secure negotiations.
  - 26. The policy enforcement point of claim 14, wherein the PEP is implemented in a network that services mobile wireless devices and uses the same given key for communication with a mobile device as the mobile device moves between wireless coverage areas and the mobile device'"'"'s source address changes.

27. A computer readable medium having computer readable program codes embodied therein for securing message traffic in a data network using a security protocol at a policy enforcement point (PEP) within a network of PEPs, the computer readable medium program codes performing functions comprising:
- a routine for determining a security policy definition to be applied to the traffic across the network, the policy definition including at least a definition of the traffic to be secured and parameters to be applied to the secured traffic;
  
  a routine for generating an outbound key to be used in securing the traffic;
  
  a routine for distributing the outbound key to peer PEPs in the network of PEPs;
  
  a routine for receiving an outbound packet, the outbound packet having original source and destination addresses;
  
  a routine for applying security processing to the outbound packet according to the security policy; and
  
  a routine for forwarding the secured packet in the network using the security protocol, the secured packet having at least a partially unsecured header portion indicating at least one of the original source and destination addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
McAlister, Donald

Application Number

US11/649,336
Publication Number

US 20070186281A1
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 63/164 at the network layer

H04L 63/20 for managing network securi...

Securing network traffic using distributed key generation and dissemination over secure tunnels

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Securing network traffic using distributed key generation and dissemination over secure tunnels

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links