Network Communications Security Agent

US 20070294525A1
Filed: 08/28/2007
Published: 12/20/2007
Est. Priority Date: 04/07/2000
Status: Active Grant

First Claim

Patent Images

1. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising:

(a) at each of the sending and receiving clients, receiving keying information associated with the event from the key server, the keying information including a plurality of selector/security association pairs corresponding to different timewise intervals of the event;

(b) at the sending client, populating a first database of selector/security association pairs local to the sending client using said keying information received from the key server;

(c) at the receiving client, populating a second database of selector/security association pairs local to the receiving client using said keying information received from the key server;

(d) at the sending client, receiving first data from a network application program interface (API) of the sending client, the first data comprising a portion of the event to be sent from the sending client to the receiving client;

(e) at the sending client, determining if the first data is eligible for a first security operation, wherein eligibility is determined by first selector data contained in the first data;

(f) at the sending client, creating a first selector based on the first selector data and using said first selector to search the first database for at least one selector/security association pair identifying a first security association corresponding to the first selector;

(g) at the sending client, applying the first security operation to the first data if the first data is eligible, wherein applying the first security operation comprises using the first security association on the at least a portion of the first data; and

(h) at the sending client, sending the first data to which the first security operation has been applied to a network protocol layer of the sending client for transfer over the network and reception by a network protocol layer of the receiving client;

(i) at the receiving client, receiving second data from the network protocol layer of the receiving client, the second data including the first data to which the first security operation has been applied;

(j) at the receiving client, determining if said second data is eligible for a second security operation, wherein eligibility is determined by second selector data contained in the second data;

(k) at the receiving client, creating a second selector based on the second selector data and using said second selector to search the second database for at least one selector/security association pair identifying a second security association corresponding to the second selector;

(l) at the receiving client, applying the second security operation to the second data if the second data is eligible, wherein applying the second security operation comprises using the second security association on the at least a portion of the second data; and

(m) at the receiving client, sending the second data to which the second security operation has been applied to a network API of the receiving client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of an inventive networking environment includes clients called sending clients because they send network content through a network, and clients called receiving clients because they receive the network content from the sending clients through the network. Both sending clients and receiving clients are “clients” in that they rely on a management server to orchestrate the secure transfer of information from sending clients to receiving clients.

106 Citations

View as Search Results

20 Claims

1. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising:
- (a) at each of the sending and receiving clients, receiving keying information associated with the event from the key server, the keying information including a plurality of selector/security association pairs corresponding to different timewise intervals of the event;
  
  (b) at the sending client, populating a first database of selector/security association pairs local to the sending client using said keying information received from the key server;
  
  (c) at the receiving client, populating a second database of selector/security association pairs local to the receiving client using said keying information received from the key server;
  
  (d) at the sending client, receiving first data from a network application program interface (API) of the sending client, the first data comprising a portion of the event to be sent from the sending client to the receiving client;
  
  (e) at the sending client, determining if the first data is eligible for a first security operation, wherein eligibility is determined by first selector data contained in the first data;
  
  (f) at the sending client, creating a first selector based on the first selector data and using said first selector to search the first database for at least one selector/security association pair identifying a first security association corresponding to the first selector;
  
  (g) at the sending client, applying the first security operation to the first data if the first data is eligible, wherein applying the first security operation comprises using the first security association on the at least a portion of the first data; and
  
  (h) at the sending client, sending the first data to which the first security operation has been applied to a network protocol layer of the sending client for transfer over the network and reception by a network protocol layer of the receiving client;
  
  (i) at the receiving client, receiving second data from the network protocol layer of the receiving client, the second data including the first data to which the first security operation has been applied;
  
  (j) at the receiving client, determining if said second data is eligible for a second security operation, wherein eligibility is determined by second selector data contained in the second data;
  
  (k) at the receiving client, creating a second selector based on the second selector data and using said second selector to search the second database for at least one selector/security association pair identifying a second security association corresponding to the second selector;
  
  (l) at the receiving client, applying the second security operation to the second data if the second data is eligible, wherein applying the second security operation comprises using the second security association on the at least a portion of the second data; and
  
  (m) at the receiving client, sending the second data to which the second security operation has been applied to a network API of the receiving client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 11, 12)
- - 2. The method of claim 1, wherein the first selector data is based at least in part on one of an internet protocol address taken from the first data and a port indicator taken from the first data.
  - 3. The method of claim 1, wherein said applying the first security operation comprises at least one of attaching a header to the first data, said header including a security operation tag, and encrypting the first data.
  - 4. The method of claim 1, wherein said determining if the second data is eligible for the second security operation comprises at least one of detecting a security operation tag in a header of the second data, and detecting failure of an integrity check on the second data.
  - 5. The method of claim 1, wherein said determining if the second data is eligible for the second security operation comprises determining that the second data is not eligible for the second security operation if the second selector cannot be created based on the second selector data, and wherein said second data is sent to the network API of the receiving client without an applied security operation if it is so determined that the second data is not eligible.
  - 6. The method of claim 1, wherein the second security association comprises at least one of applying encryption to the second data, removing special packaging from the second data, applying decryption to the second data, and performing an integrity check on the second data.
  - 7. The method of claim 1, wherein said timewise intervals of said event are relatively short compared to an overall duration of said event.
  - 8. The method of claim 7, wherein said applying the first security operation at the sending client comprises encrypting the first data using a first symmetric encryption key from the first database, and wherein said applying the second security operation at the receiving client comprises reversing said first security operation using a second symmetric encryption key from the second database corresponding to said first symmetric encryption key.
  - 10. The method of claim 8, wherein the selector data is based at least in part on one of an internet protocol address taken from the data and a port indicator taken from the data.
  - 11. The method of claim 8, wherein said applying the security operation comprises at least one of attaching a header to the data, said header including a security operation tag, and encrypting the data.
  - 12. The method of claim 8, wherein said timewise intervals of said event are relatively short compared to an overall duration of said event.

9. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising:
- at the sending client, receiving data from a network application program interface (API) of the sending client, the data comprising a portion of the event to be sent from the sending client to the receiving client;
  
  at the sending client, determining if the data is eligible for a security operation, wherein eligibility is determined by selector data contained in the data;
  
  at the sending client, creating a selector based on the selector data and using said selector to search a local sending client database of security associations for at least one selector/security association pair identifying a security association corresponding to the selector, said database storing a plurality of selector/security association pairs received from the key server corresponding to different timewise intervals of said event, wherein, at the receiving client, the receiving client stores a receiving client database comprising a corresponding plurality of selector/security association pairs received from the key server;
  
  at the sending client, applying the security operation to the data if the data is eligible, wherein applying the security operation comprises using the security association on the at least a portion of the data; and
  
  at the sending client, sending the data to which the security operation has been applied to a network protocol layer of the sending client.

13. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising:
- at the receiving client, receiving data from a network protocol layer of the receiving client, the data comprising a portion of the event being received at the receiving client;
  
  at the receiving client, determining if the data is eligible for a security operation, wherein eligibility is determined by selector data contained in the data;
  
  at the receiving client, creating a selector based on the selector data and using said selector to search a local receiving client database of security associations for at least one selector/security association pair identifying a security association corresponding to the selector, said local receiving client database storing a plurality of selector/security association pairs received from the key server corresponding to different timewise intervals of said event, wherein, at the sending client, the sending client stores a sending client database comprising a corresponding plurality of selector/security association pairs received from the key server;
  
  at the receiving client, applying the security operation to the data if the data is eligible, wherein applying the security operation comprises using the security association on the at least a portion of the data; and
  
  at the receiving client, sending the data to which the security operation has been applied to a network API of the receiving client.

17. The method of claim 17, further comprising blocking the data from being sent to the network API if the data includes selector data but no selector can be created from it.
- View Dependent Claims (14, 15, 16, 18, 19, 20)
- - 14. The method of claim 17, wherein determining if the data is eligible for a security operation comprises at least one of detecting a security operation tag in a header of the data, and detecting failure of an integrity check on the data.
  - 15. The method of claim 17, further comprising blocking the data from being sent to the network API if no security association corresponding to the selector is found.
  - 16. The method of claim 17, wherein determining if the data is eligible for the security operation comprises determining that the data is not eligible for the security operation if the selector cannot be created based on the selector data, and wherein said data is sent to the network API of the receiving client without an applied security operation if it is so determined that the data is not eligible.
  - 18. The method of claim 17, wherein the security association comprises at least one of applying encryption to the data, removing special packaging from the data, applying decryption to the data;
    - and performing an integrity check on the data.
  - 19. The method of claim 17, wherein said timewise intervals of said event are relatively short compared to an overall duration of said event.
  - 20. The method of claim 19, wherein said applying the security operation to the data comprises reversing a previous security operation applied to the data by the sending client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Original Assignee
Intertrust Technologies Corporation (Fidelio Acquisition Co LLC)
Inventors
Janes, Sherman

Granted Patent

US 7,454,609 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/0891   Revocation or update of sec...

Network Communications Security Agent

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network Communications Security Agent

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links