Separating Control and Data Operations to Support Secured Data Transfers

US 20080101598A1
Filed: 11/01/2006
Published: 05/01/2008
Est. Priority Date: 11/01/2006
Status: Active Grant

First Claim

Patent Images

1. One or more processor-accessible media including processor-executable instructions, the processor-executable instructions comprising:

a protocol unit that includes a first protocol module and a second protocol module;

the first protocol module to communicate over at least one control channel in accordance with a first protocol, the second protocol module to communicate over one or more data channels in accordance with a second protocol; and

a security unit that includes a security negotiator;

the security negotiator to negotiate security via the at least one control channel using the first protocol module, the negotiated security to be used on the one or more data channels to transmit data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For a data transfer, security is negotiated via a control channel operating in accordance with a first protocol. The data is transmitted responsive to the security negotiation on a data channel operating in accordance with a second protocol.

Citations

20 Claims

1. One or more processor-accessible media including processor-executable instructions, the processor-executable instructions comprising:
- a protocol unit that includes a first protocol module and a second protocol module;
  
  the first protocol module to communicate over at least one control channel in accordance with a first protocol, the second protocol module to communicate over one or more data channels in accordance with a second protocol; and
  
  a security unit that includes a security negotiator;
  
  the security negotiator to negotiate security via the at least one control channel using the first protocol module, the negotiated security to be used on the one or more data channels to transmit data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The one or more processor-accessible media as recited in claim 1, wherein the security unit further includes a security implementer to implement the negotiated security when the data is being transmitted via the one or more data channels using the second protocol module.
  - 3. The one or more processor-accessible media as recited in claim 2, wherein the security implementer is to implement the negotiated security on one chunk of the data that is being transmitted via the one or more data channels using the second protocol module while the security negotiator is to negotiate security for another chunk of the data via the at least one control channel using the first protocol module.
  - 4. The one or more processor-accessible media as recited in claim 2, wherein:
    - the processor-executable instructions comprise at least part of a requesting application in which the security implementer is to implement the negotiated security to receive the data via the one or more data channels using the second protocol module;
      
      orthe processor-executable instructions comprise at least part of a responding application in which the security implementer is to implement the negotiated security when transmitting the data via the one or more data channels using the second protocol module.
  - 5. The one or more processor-accessible media as recited in claim 1, wherein the first protocol comprises a message-oriented communication protocol, and the second protocol comprises a stream-oriented transfer protocol.
  - 6. The one or more processor-accessible media as recited in claim 1, wherein the security negotiator comprises an integrity negotiator and a confidentiality negotiator;
    - the integrity negotiator to negotiate integrity information via the at least one control channel for use with transmission of the data via the one or more data channels, the confidentiality negotiator to negotiate confidentiality information via the at least one control channel for use with transmission of the data via the one or more data channels.
  - 7. The one or more processor-accessible media as recited in claim 1, wherein the processor-executable instructions further negotiate the second protocol with a remote application using at least one message.

8. A method comprising:
- via at least one control channel operating in accordance with a first protocol, negotiating confidentiality information for a data transfer;
  
  via the at least one control channel operating in accordance with the first protocol, negotiating integrity information for the data transfer; and
  
  via one or more data channels operating in accordance with a second protocol, transferring data responsive to the negotiated confidentiality information and the negotiated integrity information.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method as recited in claim 8, further comprising:
    - via the at least one control channel operating in accordance with the first protocol, performing an authentication procedure between a requester and a responder to authenticate the requester of the data and/or the responder who is to supply the data.
  - 10. The method as recited in claim 8, further comprising:
    - via the at least one control channel operating in accordance with the first protocol, identifying the data to-be-transferred on the one or more data channels and stipulating the second protocol to-be-used for the one or more data channels.
  - 11. The method as recited in claim 8, wherein the first protocol comprises a Simple Object Access Protocol (SOAP), a Remote Procedure Call (RPC) protocol, or a Web Services protocol;
    - and wherein the second protocol comprises a Transmission Control Protocol/Internet Protocol (TCP/IP) protocol, a Remote Direct Memory Access (RDMA) protocol, a File Transfer Protocol (FTP), or a GridFTP.
  - 12. The method as recited in claim 8, wherein the negotiating confidentiality information for a data transfer comprises:
    - designating an encryption algorithm that is to be used for the data transfer.
  - 13. The method as recited in claim 8, wherein the negotiating confidentiality information for a data transfer comprises:
    - specifying one or more cryptographic keys for cryptographic operations to be implemented on the data for the data transfer.
  - 14. The method as recited in claim 8, wherein the negotiating integrity information for the data transfer comprises:
    - designating an integrity algorithm that is to be used for the data transfer.

15. A device comprising:
- an application that is to negotiate security in a security negotiation performed via at least one control channel operating in accordance with a first protocol, the application to implement a data transmission that is responsive to the negotiated security via one or more data channels operating in accordance with a second protocol;
  
  wherein the negotiated security creates a binding between the security negotiation and the data transmission such that security information negotiated via the at least one control channel can be applied to data transmitted on the one or more data channels.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The device as recited in claim 15, wherein the security negotiation is accomplished by the application using one or more messages;
    - and wherein the one or more messages (i) stipulate a data channel protocol that is to be the second protocol of the one or more data channels and (ii) identify the data to-be-transmitted.
  - 17. The device as recited in claim 15, wherein the security information comprises confidentiality information including (i) chunk sizes and chunk initialization vectors (IVs) for a block cipher or (ii) a key schedule for a stream cipher.
  - 18. The device as recited in claim 15, wherein the security information comprises integrity information including digest values or hash values that may be digitally signed by the originator.
  - 19. The device as recited in claim 15, wherein the security negotiation is accomplished by the application using one or more messages;
    - and wherein a set of encryption parameters or a set of integrity parameters are combined into a single file so that the set of parameters may be efficiently transmitted together.
  - 20. The device as recited in claim 19, wherein the single file is transmitted via the at least one control channel or via the one or more data channels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dillaway, Blair B.

Granted Patent

US 8,687,804 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/44
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 63/20   for managing network securi...

Separating Control and Data Operations to Support Secured Data Transfers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Separating Control and Data Operations to Support Secured Data Transfers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links