SYSTEM FOR PROVIDING SECURITY IN A NETWORK COMPRISING COMPUTERIZED DEVICES

US 20080016344A1
Filed: 07/11/2007
Published: 01/17/2008
Est. Priority Date: 07/30/1996
Status: Active Grant

First Claim

Patent Images

1. A network security system, comprising:

a first, substantially portable computerized device;

a second, substantially fixed computerized device;

a first computer program operative to run on said first computerized device and to obtain at least one network address for said first computerized device when placed in data communication with a network;

a second computer program operative to run on said first computerized device and establish a non-permanent security association between said first and second devices, said second computer program comprising a key exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic keys while establishing said association, said keys being substantially unique to said association; and

a third computer program operative to run on said first computerized device and adapted to seal or encrypt data sent from said first device using at least one of said cryptographic keys.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system useful within a network and adapted to provide communication security. In one embodiment, the network comprises an untrusted network, and the system includes network security apparatus adapted to create security associations between devices on the network, including mutual authentication. Traffic between the associated devices may be encrypted for e.g., data confidentiality and integrity protection. In one variant, the network security apparatus comprises a software entity disposed at least partly within the software stack of the devices. The associated devices may be for example fixed or portable, and may also act as a gateway to other networks (including the Internet). The portable devices may be untrusted (e.g., have an untrusted operating system).

68 Citations

View as Search Results

71 Claims

1. A network security system, comprising:
- a first, substantially portable computerized device;
  
  a second, substantially fixed computerized device;
  
  a first computer program operative to run on said first computerized device and to obtain at least one network address for said first computerized device when placed in data communication with a network;
  
  a second computer program operative to run on said first computerized device and establish a non-permanent security association between said first and second devices, said second computer program comprising a key exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic keys while establishing said association, said keys being substantially unique to said association; and
  
  a third computer program operative to run on said first computerized device and adapted to seal or encrypt data sent from said first device using at least one of said cryptographic keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 44, 45)
- - 2. The system of claim 1, wherein said first device comprises an untrusted operating system, and is physically non-secure.
  - 3. The system of claim 2, wherein said second device comprises an untrusted operating system, and is physically non-secure.
  - 4. The system of claim 1, wherein said second device comprises an untrusted operating system, and is physically non-secure.
  - 5. The system of claim 1, wherein said second device comprises a gateway to a second network.
  - 6. The system of claim 5, wherein said gateway is configured not to pass communications from said first device over said second network until said first device is properly authenticated to said gateway.
  - 7. The system of claim 5, wherein said second network comprises an untrusted and at least partly physically non-secure network.
  - 8. The system of claim 5, wherein said second network comprises the Internet, and further comprises at least one website in communication with said Internet, and wherein said at least one website and said first device are placed in secure data communication with one another via at least said first network, said gateway and said Internet.
  - 9. The system of claim 8, wherein said gateway is configured not to pass communications from said first device over said second network until said first device is properly authenticated to said gateway.
  - 10. The system of claim 1, wherein said first device is adapted to dynamically generate at least one encryption key for each security association, said act of generating not requiring either (i) intervention by a network administrator;
    - or (ii) intervention by a user of said first device.
  - 11. The system of claim 1, wherein said first device comprises a network communications interface, and a card-like structure adapted to fit at least partly within a receptacle of said first device, said card-like structure adapted to generate at least one of said cryptographic keys.
  - 12. The system of claim 11, wherein said card-like structure further comprises a device driver having an application programming interface (API).
  - 13. The system of claim 1, wherein, said second program is further adapted to generate an association request message for transmission to at least said another device, said request message comprising at least one of said cryptographic keys.
  - 14. The system of claim 1, wherein said network address comprises an IP address, and said first program is further adapted to:
    - (i) obtain an IP address for said another device based on a hardware address thereof;
      
      or (ii) obtain a hardware address for said another device based on an IP address thereof.
  - 15. The system of claim 1, wherein at least a portion of said data sent is evaluated by said second device using a first cryptographic residue generated at said second device using at least locally stored information, and a second residue of said sent data.
  - 16. The system of claim 1, wherein said association comprises a temporary trusted communications channel between, and unique to, said first and second devices.
  - 17. The system of claim 1, wherein said first device comprises an encryption algorithm that is initialized at least in part using an initialization vector (IV).
  - 18. The system of claim 17, wherein said first device is adapted to generate a new IV for each encryption event.
  - 19. The system of claim 18, wherein said second device comprises:
    - a fourth computer program operative to run on said second computerized device and establish a non-permanent security association between said first and second devices, said fourth computer program comprising a key exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic keys while establishing said association, said keys being substantially unique to said association; and
      
      a fifth computer program operative to run on said second computerized device and adapted to seal or encrypt data sent from said second device using at least one of said cryptographic keys.
  - 20. The system of claim 18, wherein said second device comprises:
    - a fourth computer program operative to run on said first computerized device and establish a non-permanent security association between said second device and a third computerized device, said fourth computer program comprising a key exchange algorithm adapted to cause said third device and said second device to exchange cryptographic keys while establishing said association, said keys being substantially unique to said association; and
      
      a fifth computer program operative to run on said second computerized device and adapted to seal or encrypt data sent from said second device using at least one of said cryptographic keys.
  - 21. The system of claim 20, wherein said third computerized device comprises a substantially portable computerized device that is in data communication with said second device via said network.
  - 22. The system of claim 20, wherein said third computerized device comprises a substantially portable computerized device that is in data communication with said second device via a second network, said second device comprising a gateway between said network and said second network.
  - 23. The system of claim 22, wherein said second network comprises the Internet.
  - 24. The system of claim 22, wherein said second network is in direct or indirect data communication with the Internet.
  - 25. The system of claim 1, wherein said network address comprises an IP address obtained directly or indirectly from a 48-bit hardware address.
  - 26. The system of claim 1, wherein said second and third computer programs are disposed logically within a software stack of said first device above the Physical Layer thereof.
  - 27. The system of claim 1, wherein said second and third computer programs are disposed logically within a software stack of said first device below the Network Layer thereof.
  - 28. The system of claim 1, wherein said second and third computer programs are disposed logically within a software stack of said first device below the Transport Layer thereof.
  - 29. The system of claim 1, wherein said association comprises a multi-way authentication process, wherein said first device is adapted to authenticate said second device, and further adapted to authenticate itself to said second device or another entity.
  - 30. The system of claim 1, wherein said second device comprises at least one interface port, access to which is based at least in part on identification of a user of said first device.
  - 31. The system of claim 30, wherein said identification of a user is accomplished based at least in part on a cryptographic element associated with said first device.
  - 44. The system of claim 1, wherein said first device further comprises a cryptographic element exchange algorithm adapted to generate and transmit random data to said second device.
  - 45. The system of claim 44, wherein said transmission of said random data is associated with a procedure that permits both said first and second devices to possess encryption keys that permit the two devices to decrypt encrypted data sent by the other.

32. A security system, comprising:
- a first, substantially portable computerized device having a communications and security card received substantially therein;
  
  a second, substantially portable computerized device;
  
  a first computer program operative to run on said first computerized device and establish a non-permanent ad hoc security association between said first and second devices, said first computer program comprising a key exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic keys while establishing said association, said keys being substantially unique to said association; and
  
  a second computer program operative to run on said first computerized device and adapted to seal or encrypt data sent from said first device using at least one of said cryptographic keys;
  
  wherein said first computer program is further operative to cause issuance of an association request message to said second device as part of said establishment of said association, said association request being signed using at least one of said cryptographic keys.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 33. The system of claim 32, wherein said first and second devices comprise untrusted operating systems, and are physically non-secure.
  - 34. The system of claim 32, wherein said first device is adapted to dynamically generate at least one encryption key for each new security association, said act of generating not requiring either (i) intervention by a network administrator;
    - or (ii) intervention by a user of said first device.
  - 35. The system of claim 32, wherein said first device comprises a network communications interface, and said card is adapted to generate at least one of said keys.
  - 36. The system of claim 35, wherein said card further comprises a device driver having an application programming interface (API) useful for at least said signing.
  - 37. The system of claim 32, further comprising a third computer program adapted to determine automatically a dynamically assigned IP address for said second device.
  - 38. The system of claim 32, wherein at least a portion of said data sent is evaluated by said second device using a first cryptographic residue generated at said second device using at least locally stored information, and a second residue of said sent data.
  - 39. The system of claim 38, wherein said first device comprises an encryption algorithm that is initialized at least in part using an initialization vector (IV).
  - 40. The system of claim 39, wherein said first device is adapted to generate a new IV for each encryption event.
  - 41. The system of claim 32, wherein said second device comprises:
    - a third computer program operative to run on said second computerized device and establish a non-permanent security association between said first and second devices, said third computer program comprising a key exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic keys while establishing said association, said keys being substantially unique to said association; and
      
      a fourth computer program operative to run on said second computerized device and adapted to seal or encrypt data sent from said second device using at least one of said cryptographic keys.
  - 42. The system of claim 32, farther comprising a third computer program adapted to determine automatically a IP address for said second device, said IP address obtained directly or indirectly from a 48-bit hardware address.
  - 43. The system of claim 32, wherein said second device comprises at least one interface port, access to which is based at least in part on identification of a user of said first device, said identification of a user is accomplished based at least in part on a cryptographic element associated with said first device.
  - 46. The system of claim 32, wherein said first device comprises a network communications interface comprising a 48-bit hardware address and adapted to conform to the Ethernet networking protocol.
  - 47. The system of claim 32, wherein said first and second devices each comprise a hardware network interface, said interfaces each adapted to communicate with one another over an untrusted medium.
  - 48. The system of claim 47, wherein said untrusted medium comprises a wireline medium.
  - 49. The system of claim 47, wherein said communicate with one another over said untrusted medium without using an intermediary entity or apparatus.
  - 50. The system of claim 47, wherein said communicate with one another over said untrusted medium using at least one gateway apparatus.
  - 51. The system of claim 50, wherein said gateway apparatus is configured not to pass communications from said first device to said second device until said first device is properly authenticated.
  - 52. The system of claim 32, wherein said first and second devices can establish said association between themselves without accessing any other entity on said network.
  - 53. The system of claim 32, wherein said first and second devices can establish said association between themselves without accessing any other entity on said network for cryptographic information.
  - 54. The system of claim 32, wherein said data sent comprises Internet Protocol (IP) datagrams.

55. A security system adapted to permit ad hoc and temporary security associations to exist between portable computerized devices that may or may not have communicated previously, comprising:
- a first, substantially portable computerized device having a first communications and security card received substantially therein;
  
  a second, substantially portable computerized device having a second communications and security card received substantially therein;
  
  first computer programs operative to run on respective ones of said first and second computerized devices to establish a temporary ad hoc security association between said first and second devices, said first computer programs each comprising a key exchange algorithm adapted to cause said first and second devices to exchange respective cryptographic keys generated substantially under control of respective ones of said cards while establishing said association, said keys being substantially unique to said association;
  
  second computer programs operative to run on respective ones of said first and second devices and adapted to encrypt data sent to the other device using at least one of said cryptographic keys; and
  
  third computer programs operative to run on respective ones of said first and second devices and each adapted to evaluate said encrypted data sent from the other device for at least data integrity using cryptographic residues generated by both of said devices.
- View Dependent Claims (56, 57, 58)
- - 56. The system of claim 55, wherein said evaluation comprises comparing a first of said residues generated by a receiving one of said devices to a second of said residues generated by a sending one of said devices.
  - 57. The system of claim 56, wherein said second of said residues is included within a message sent from said sending one of said devices, said message further comprising said encrypted data encrypted by at least one of said cryptographic keys.
  - 58. The system of claim 56, wherein said establishment of an association comprises a mutual authentication procedure, said mutual authentication based on evaluating respective ones of digital signatures uniquely associated with said devices.

59. A security system comprising:
- a network access portal;
  
  one or more portable computerized devices having a first communications and security card received substantially therein;
  
  first computer programs operative to run on respective ones of said one or more computerized devices to establish an ad hoc security association between said one or more devices and said access portal, said first computer programs each comprising a key exchange algorithm adapted to cause said respective device and said portal to exchange respective cryptographic keys generated substantially while establishing said association, said keys being substantially unique to said association, said establishment of said association further comprising at least authentication of said one or more devices to said portal;
  
  second computer programs operative to run on respective ones of said one or more devices and adapted to encrypt data sent to the portal using at least one of said cryptographic keys; and
  
  a third computer program operative to run on said portal and adapted to evaluate said encrypted data sent from the one or more devices for at least data integrity using cryptographic residues generated by both of said devices.
- View Dependent Claims (60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71)
- - 60. The system of claim 59, wherein said evaluation comprises comparing a first of said residues generated by said portal to a second of said residues generated by a sending one of said devices.
  - 61. The system of claim 60, wherein said second of said residues is included within a message sent from said sending one of said devices, said message further comprising said encrypted data encrypted by at least one of said cryptographic keys.
  - 62. The system of claim 60, wherein said at least authentication of said one or more devices to said portal comprises a mutual authentication procedure between said portal and each of said one or more devices, said mutual authentication based on evaluating respective ones of digital signatures uniquely associated with said devices.
  - 63. The system of claim 59, wherein said portal comprises a trusted computing base comprising hardware and software, said base being adapted to enforce one or more security policies.
  - 64. The system of claim 63, wherein said one or more security policies comprises authentication of said one or more portable devices.
  - 65. The system of claim 64, wherein said trusted computing base comprises hardware and software disposed at a different physical location from that of said portal.
  - 66. The system of claim 65, wherein said portal comprises an untrusted operating system and physically non-secure device.
  - 67. The system of claim 66, wherein said one or more devices each comprise an untrusted operating system and a physically non-secure device.
  - 68. The system of claim 67, wherein said trusted computing base comprises at least one of:
    - (i) a trusted operating system; and
      
      (ii) physically secure hardware.
  - 69. The system of claim 65, wherein said portal is in data communication with a second network, and is configured not to pass communications from a requesting one of said one or more devices over said second network until said requesting device is properly authenticated to said portal.
  - 70. The system of claim 69, wherein said second network comprises an untrusted and at least partly physically non-secure network.
  - 71. The system of claim 69, wherein said second network comprises the Internet, and further comprises at least one website in communication with said Internet, and wherein said at least one website and said requesting device are placed in secure data communication with one another via at least said portal and said Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Micron Technology, Inc.
Inventors
Holden, James, Levin, Stephen, Wrench, Edwin, Nickel, James

Granted Patent

US 7,917,631 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

SYSTEM FOR PROVIDING SECURITY IN A NETWORK COMPRISING COMPUTERIZED DEVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

71 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM FOR PROVIDING SECURITY IN A NETWORK COMPRISING COMPUTERIZED DEVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

71 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links