Network Communications Security Agent
First Claim
1. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising:
- (a) at each of the sending and receiving clients, receiving keying information associated with the event from the key server, the keying information including a plurality of selector/security association pairs corresponding to different timewise intervals of the event;
(b) at the sending client, populating a first database of selector/security association pairs local to the sending client using said keying information received from the key server;
(c) at the receiving client, populating a second database of selector/security association pairs local to the receiving client using said keying information received from the key server;
(d) at the sending client, receiving first data from a network application program interface (API) of the sending client, the first data comprising a portion of the event to be sent from the sending client to the receiving client;
(e) at the sending client, determining if the first data is eligible for a first security operation, wherein eligibility is determined by first selector data contained in the first data;
(f) at the sending client, creating a first selector based on the first selector data and using said first selector to search the first database for at least one selector/security association pair identifying a first security association corresponding to the first selector;
(g) at the sending client, applying the first security operation to the first data if the first data is eligible, wherein applying the first security operation comprises using the first security association on the at least a portion of the first data; and
(h) at the sending client, sending the first data to which the first security operation has been applied to a network protocol layer of the sending client for transfer over the network and reception by a network protocol layer of the receiving client;
(i) at the receiving client, receiving second data from the network protocol layer of the receiving client, the second data including the first data to which the first security operation has been applied;
(j) at the receiving client, determining if said second data is eligible for a second security operation, wherein eligibility is determined by second selector data contained in the second data;
(k) at the receiving client, creating a second selector based on the second selector data and using said second selector to search the second database for at least one selector/security association pair identifying a second security association corresponding to the second selector;
(l) at the receiving client, applying the second security operation to the second data if the second data is eligible, wherein applying the second security operation comprises using the second security association on the at least a portion of the second data; and
(m) at the receiving client, sending the second data to which the second security operation has been applied to a network API of the receiving client.
2 Assignments
0 Petitions
Accused Products
Abstract
One embodiment of an inventive networking environment includes clients called sending clients because they send network content through a network, and clients called receiving clients because they receive the network content from the sending clients through the network. Both sending clients and receiving clients are “clients” in that they rely on a management server to orchestrate the secure transfer of information from sending clients to receiving clients.
106 Citations
20 Claims
-
1. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising:
-
(a) at each of the sending and receiving clients, receiving keying information associated with the event from the key server, the keying information including a plurality of selector/security association pairs corresponding to different timewise intervals of the event;
(b) at the sending client, populating a first database of selector/security association pairs local to the sending client using said keying information received from the key server;
(c) at the receiving client, populating a second database of selector/security association pairs local to the receiving client using said keying information received from the key server;
(d) at the sending client, receiving first data from a network application program interface (API) of the sending client, the first data comprising a portion of the event to be sent from the sending client to the receiving client;
(e) at the sending client, determining if the first data is eligible for a first security operation, wherein eligibility is determined by first selector data contained in the first data;
(f) at the sending client, creating a first selector based on the first selector data and using said first selector to search the first database for at least one selector/security association pair identifying a first security association corresponding to the first selector;
(g) at the sending client, applying the first security operation to the first data if the first data is eligible, wherein applying the first security operation comprises using the first security association on the at least a portion of the first data; and
(h) at the sending client, sending the first data to which the first security operation has been applied to a network protocol layer of the sending client for transfer over the network and reception by a network protocol layer of the receiving client;
(i) at the receiving client, receiving second data from the network protocol layer of the receiving client, the second data including the first data to which the first security operation has been applied;
(j) at the receiving client, determining if said second data is eligible for a second security operation, wherein eligibility is determined by second selector data contained in the second data;
(k) at the receiving client, creating a second selector based on the second selector data and using said second selector to search the second database for at least one selector/security association pair identifying a second security association corresponding to the second selector;
(l) at the receiving client, applying the second security operation to the second data if the second data is eligible, wherein applying the second security operation comprises using the second security association on the at least a portion of the second data; and
(m) at the receiving client, sending the second data to which the second security operation has been applied to a network API of the receiving client. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 11, 12)
-
-
9. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising:
-
at the sending client, receiving data from a network application program interface (API) of the sending client, the data comprising a portion of the event to be sent from the sending client to the receiving client;
at the sending client, determining if the data is eligible for a security operation, wherein eligibility is determined by selector data contained in the data;
at the sending client, creating a selector based on the selector data and using said selector to search a local sending client database of security associations for at least one selector/security association pair identifying a security association corresponding to the selector, said database storing a plurality of selector/security association pairs received from the key server corresponding to different timewise intervals of said event, wherein, at the receiving client, the receiving client stores a receiving client database comprising a corresponding plurality of selector/security association pairs received from the key server;
at the sending client, applying the security operation to the data if the data is eligible, wherein applying the security operation comprises using the security association on the at least a portion of the data; and
at the sending client, sending the data to which the security operation has been applied to a network protocol layer of the sending client.
-
-
13. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising:
-
at the receiving client, receiving data from a network protocol layer of the receiving client, the data comprising a portion of the event being received at the receiving client;
at the receiving client, determining if the data is eligible for a security operation, wherein eligibility is determined by selector data contained in the data;
at the receiving client, creating a selector based on the selector data and using said selector to search a local receiving client database of security associations for at least one selector/security association pair identifying a security association corresponding to the selector, said local receiving client database storing a plurality of selector/security association pairs received from the key server corresponding to different timewise intervals of said event, wherein, at the sending client, the sending client stores a sending client database comprising a corresponding plurality of selector/security association pairs received from the key server;
at the receiving client, applying the security operation to the data if the data is eligible, wherein applying the security operation comprises using the security association on the at least a portion of the data; and
at the receiving client, sending the data to which the security operation has been applied to a network API of the receiving client.
-
- 17. The method of claim 17, further comprising blocking the data from being sent to the network API if the data includes selector data but no selector can be created from it.
Specification