METHOD AND APPARATUS FOR DYNAMIC, SEAMLESS SECURITY IN COMMUNICATION PROTOCOLS

US 20080022389A1
Filed: 07/18/2006
Published: 01/24/2008
Est. Priority Date: 07/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing communication nodes, acting as intermediate routers for communication packets transmitted between a source node and a destination node, with different access rights to the fields of the routed communication packets, the method comprising:

discovering routes of intermediate routers between the source node and the destination node;

collecting the identities of the intermediate routers on the discovered routes;

computing the aggregate trust levels of the intermediate routers;

selecting a most trusted route of the discovered routes;

computing, and securely distributing, encryption keys to intermediate routers on the most trusted route based on the trust level of the intermediate routers; and

encrypting fields of the communication packets with corresponding encryption keys.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Communication nodes, acting as intermediate routers for communication packets transmitted between a source node and a destination node, are provided with different access rights to the fields of the routed communication packets. Routes of intermediate routers between the source node and the destination node are discovered and the identities of intermediate routers on the discovered routes are collected. The aggregate trust levels of the intermediate routers are computed allowing the most trusted route to be selected. Encryption keys are securely distributed to intermediate routers on the most trusted route based on the trust level of the intermediate routers and fields of the communication packets are encrypted with encryption keys corresponding to the assigned trust level. Intermediated nodes are thereby prevented from accessing selected fields of the communication packets.

Citations

19 Claims

1. A method for providing communication nodes, acting as intermediate routers for communication packets transmitted between a source node and a destination node, with different access rights to the fields of the routed communication packets, the method comprising:
- discovering routes of intermediate routers between the source node and the destination node;
  
  collecting the identities of the intermediate routers on the discovered routes;
  
  computing the aggregate trust levels of the intermediate routers;
  
  selecting a most trusted route of the discovered routes;
  
  computing, and securely distributing, encryption keys to intermediate routers on the most trusted route based on the trust level of the intermediate routers; and
  
  encrypting fields of the communication packets with corresponding encryption keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A method in accordance with claim 1, further comprising the source node and the destination node authenticating with each other.
  - 3. A method in accordance with claim 2, further comprising authenticating the intermediate routers to the source and destination nodes.
  - 4. A method in accordance with claim 2, wherein the source node and the destination node authenticating with each other, comprising sending messages containing public key certificates of the corresponding device.
  - 5. A method in accordance with claim 1, further comprising redistributing encryption keys based on behavior of the intermediate routers.
  - 6. A method in accordance with claim 1, wherein collecting identities of intermediate routers on the routes comprises adding public key certificates of the intermediate routers to messages sent from the intermediate routers.
  - 7. A method in accordance with claim 1, wherein computing the aggregate trust levels of the intermediate routers comprises taking the minimum value of the trust levels of the intermediate router assessed by the source node and the destination node.
  - 8. A method in accordance with claim 1, wherein selecting the most trusted route of the discovered routes comprises the source node selecting among all the discovered routes the route with the most trusted weakest intermediate router.
  - 9. A method in accordance with claim 1, further comprising the source node generating encryption keys for each field of the communication packets.
  - 10. A method in accordance with claim 1, wherein securely distributing encryption keys to intermediate routers on the most trusted route comprises the source node encrypting the key with a public key of the intermediate router and signing the encrypted key with the private key of the source node.
  - 11. A method in accordance with claim 1, wherein computing encryption keys is performed by the source node.
  - 12. A method in accordance with claim 1, further comprising:
    - detecting malicious behavior of intermediate routers; and
      
      if malicious behavior is detected in a intermediate router;
      
      reducing the trust level of the intermediate router;
      
      updating the aggregate trust levels of the intermediate routers;
      
      selecting a new most trusted route of the discovered routes; and
      
      distributing new encryption keys to the intermediate routers on the new most trusted route in accordance with the reduced trust level of the intermediate router.
  - 13. A method in accordance with claim 1, further comprising:
    - detecting cooperative behavior of intermediate routers; and
      
      if cooperative behavior is detected in a intermediate router;
      
      increasing the trust level of the intermediate router;
      
      updating the aggregate trust levels of the intermediate routers;
      
      selecting a new most trusted route of the discovered routes; and
      
      distributing new encryption keys to the intermediate routers on the new most trusted route in accordance with the increased trust level of the intermediate router.
  - 14. A network device operable to perform the method of claim 1.
  - 15. A computer readable medium containing programming instructions that, when executed on a processor of a network device, control the network device to perform the method of claim 1.

16. A method for secure routing of a communication packet from a source node of a network to a destination node, comprising:
- distributing a first public encryption key corresponding to a first private encryption key of the source node to an intermediate router of the network and to the destination node;
  
  distributing a second public encryption key corresponding to a second private encryption key of the source node to the destination node;
  
  encrypting data of the communication packet using the first private key and a second private key of the source node;
  
  encrypting a header of the communication packet using the first private key of the source node, the header including routing information;
  
  transmitting the communication packet to a first intermediate router;
  
  the first intermediate router decrypting the header using the first public key to recover the routing information;
  
  the first intermediate router transmitting the communication packet to the destination node in accordance with the routing information; and
  
  the destination node decrypting the data using the first public key and second public key.
- View Dependent Claims (17, 18)
- - 17. A method in accordance with claim 16, wherein the first intermediate router transmitting the communication packet to the destination node in accordance with the routing information comprises intermediate router transmitting the communication packet to the destination node via at least one second intermediate router.
  - 18. An ad-hoc network operable to perform the method of claim 16.

19. A communication exchange between an intermediate router and a source node of an ad-hoc network for distributing keys from the source node, the communication exchange comprising:
- a KEY_REQUEST message for transmission from the intermediate router to the source node, the KEY_REQUEST message comprising;
  
  a Key Usage identifier specifying a security procedure for which a key request is made;
  
  an identifier of the intermediate router;
  
  an identifier of the source node; and
  
  a public key of the intermediate router; and
  
  a KEY_RESPONSE message for transmission from the source node to the intermediate router in response to the KEY_REQUEST message, the KEY_RESPONSE message comprising;
  
  a Trust Level specifying a trust level granted to the intermediate router by the source node; and
  
  a security key corresponding to the Trust Level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ARRIS Enterprises LLC (CommScope Holding Company, Inc.)
Original Assignee
Motorola, Inc. (Motorola Solutions, Inc.)
Inventors
Calcev, George, Carbunar, Bogdan O, Nakhjiri, Madjid F.

Granted Patent

US 7,865,717 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/14
CPC Class Codes

H04L 63/045   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/1433   Vulnerability analysis

H04W 40/28   for reactive routing

METHOD AND APPARATUS FOR DYNAMIC, SEAMLESS SECURITY IN COMMUNICATION PROTOCOLS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR DYNAMIC, SEAMLESS SECURITY IN COMMUNICATION PROTOCOLS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links