SYSTEM FOR PROVIDING SECURITY IN A NETWORK COMPRISING COMPUTERIZED DEVICES
Abstract
A system useful within a network and adapted to provide communication security. In one embodiment, the network comprises an untrusted network, and the system includes network security apparatus adapted to create security associations between devices on the network, including mutual authentication. Traffic between the associated devices may be encrypted, e.g., for data confidentiality and integrity protection. In one variant, the network security apparatus comprises a software entity disposed at least partly within the software stack of the devices. The associated devices may be, for example, fixed or portable, and may also act as a gateway to other networks (including the Internet). The portable devices may be untrusted (e.g., have an untrusted operating system).
Claims
71 claims; 68 citations.
1. A network security system, comprising:
a first, substantially portable computerized device;
a second, substantially fixed computerized device;
a first computer program operative to run on said first computerized device and to obtain at least one network address for said first computerized device when placed in data communication with a network;
a second computer program operative to run on said first computerized device and establish a non-permanent security association between said first and second devices, said second computer program comprising a key exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic keys while establishing said association, said keys being substantially unique to said association; and
a third computer program operative to run on said first computerized device and adapted to seal or encrypt data sent from said first device using at least one of said cryptographic keys.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 44, 45.
32. A security system, comprising:
a first, substantially portable computerized device having a communications and security card received substantially therein;
a second, substantially portable computerized device;
a first computer program operative to run on said first computerized device and establish a non-permanent ad hoc security association between said first and second devices, said first computer program comprising a key exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic keys while establishing said association, said keys being substantially unique to said association; and
a second computer program operative to run on said first computerized device and adapted to seal or encrypt data sent from said first device using at least one of said cryptographic keys;
wherein said first computer program is further operative to cause issuance of an association request message to said second device as part of said establishment of said association, said association request being signed using at least one of said cryptographic keys.
Dependent claims: 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 46, 47, 48, 49, 50, 51, 52, 53, 54.
55. A security system adapted to permit ad hoc and temporary security associations to exist between portable computerized devices that may or may not have communicated previously, comprising:
a first, substantially portable computerized device having a first communications and security card received substantially therein;
a second, substantially portable computerized device having a second communications and security card received substantially therein;
first computer programs operative to run on respective ones of said first and second computerized devices to establish a temporary ad hoc security association between said first and second devices, said first computer programs each comprising a key exchange algorithm adapted to cause said first and second devices to exchange respective cryptographic keys generated substantially under control of respective ones of said cards while establishing said association, said keys being substantially unique to said association;
second computer programs operative to run on respective ones of said first and second devices and adapted to encrypt data sent to the other device using at least one of said cryptographic keys; and
third computer programs operative to run on respective ones of said first and second devices and each adapted to evaluate said encrypted data sent from the other device for at least data integrity using cryptographic residues generated by both of said devices.
Dependent claims: 56, 57, 58.
59. A security system comprising:
a network access portal;
one or more portable computerized devices having a first communications and security card received substantially therein;
first computer programs operative to run on respective ones of said one or more computerized devices to establish an ad hoc security association between said one or more devices and said access portal, said first computer programs each comprising a key exchange algorithm adapted to cause said respective device and said portal to exchange respective cryptographic keys generated substantially while establishing said association, said keys being substantially unique to said association, said establishment of said association further comprising at least authentication of said one or more devices to said portal;
second computer programs operative to run on respective ones of said one or more devices and adapted to encrypt data sent to the portal using at least one of said cryptographic keys; and
a third computer program operative to run on said portal and adapted to evaluate said encrypted data sent from the one or more devices for at least data integrity using cryptographic residues generated by both of said devices.
Dependent claims: 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71.
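As an added illustration (my code, not the patent's and not taken from any product it covers), the following Go program models the association the independent claims describe: each device holds an identity key standing in for the claimed "communications and security card", sends an association request carrying a fresh X25519 key signed with that identity key (claim 32), derives a key unique to that one association (claims 1, 32, 55), and seals traffic with AES-GCM, whose tag is the integrity residue the receiving side checks (claims 55, 59). The names Device, Request, NewDevice and Accept are my own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device (hypothetical name): a long-term identity key, standing in for the
// claims' "security card", plus the ephemeral X25519 key of the current,
// non-permanent association.
type Device struct {
	idPriv ed25519.PrivateKey
	eph    *ecdh.PrivateKey
}

// Request is the association request: a fresh ephemeral public key signed with
// the sender's identity key, so a middleman cannot substitute its own key.
type Request struct{ IdPub, EphPub, Sig []byte }
func NewDevice() *Device {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{idPriv: priv}
}
func (d *Device) Request() Request {
	d.eph, _ = ecdh.X25519().GenerateKey(rand.Reader) // new key per association
	e := d.eph.PublicKey().Bytes()
	return Request{d.idPriv.Public().(ed25519.PublicKey), e, ed25519.Sign(d.idPriv, e)}
}

// Accept verifies the peer's signature (a real deployment also checks r.IdPub
// against a trust store) and returns the association's AES-GCM. The key depends
// only on the two ephemeral keys, so it is unique to this association, and each
// GCM tag is the residue the receiving device checks before accepting data.
func (d *Device) Accept(r Request) (cipher.AEAD, error) {
	if len(r.IdPub) != ed25519.PublicKeySize || !ed25519.Verify(r.IdPub, r.EphPub, r.Sig) {
		return nil, errors.New("association request signature invalid")
	}
	peer, err := ecdh.X25519().NewPublicKey(r.EphPub) // rejects wrong-length keys
	if err != nil {
		return nil, err
	}
	ss, err := d.eph.ECDH(peer) // rejects all-zero (low-order point) results
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(ss) // one-shot KDF; production code would use HKDF
	blk, _ := aes.NewCipher(key[:])
	return cipher.NewGCM(blk)
}
```

Because the request signs only the ephemeral key, any tampering with EphPub, and any too-short identity key, is rejected by Accept instead of silently yielding a key the peer does not share.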