CENTRALIZED SECURE OFFLOAD OF CRYPTOGRAPHIC SECURITY SERVICES FOR DISTRIBUTED SECURITY ENFORCEMENT POINTS

US 20080175382A1
Filed: 01/24/2007
Published: 07/24/2008
Est. Priority Date: 01/24/2007
Status: Active Grant

First Claim

Patent Images

1. A network data processing system configured for centralized secure offload of cryptographic security services for distributed security enforcement points, the system comprising:

a security enforcement point controlling communication flows between devices in different less trusted zones of protection; and

,a security server communicatively coupled to the security enforcement point and hosting cryptographic security services disposed in a more trusted zone of protection,the security enforcement point comprising an interface to the cryptographic security services and program code enabled to offload at least one portion of a cryptographic security operation through the interface to cryptographic security services disposed in the more trusted zone of protection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention address deficiencies of the art in respect to network security and provide a method, system and computer program product for centralized secure offload of key exchange services for distributed security enforcement points. In one embodiment, a data processing system for centralized secure offload of key exchange services for distributed security enforcement points can be provided. The system can include a security enforcement point controlling communication flows between devices in different less trusted zones of protection, and a security server communicatively coupled to the security enforcement point and hosting key exchange services disposed in a more trusted zone of protection. The security enforcement point can include an interface to the key exchange services and program code enabled to offload at least one portion of a key exchange through the interface to the key exchange services disposed in the more trusted zone of protection.

44 Citations

View as Search Results

18 Claims

1. A network data processing system configured for centralized secure offload of cryptographic security services for distributed security enforcement points, the system comprising:
- a security enforcement point controlling communication flows between devices in different less trusted zones of protection; and
  
  ,a security server communicatively coupled to the security enforcement point and hosting cryptographic security services disposed in a more trusted zone of protection,the security enforcement point comprising an interface to the cryptographic security services and program code enabled to offload at least one portion of a cryptographic security operation through the interface to cryptographic security services disposed in the more trusted zone of protection.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the cryptographic security services comprise key public/private key services.
  - 3. The system of claim 2, wherein the cryptographic security services comprise Internet Key Exchange (IKE) signature mode key exchange services.
  - 4. The system of claim 2, wherein the security enforcement point comprises at least one of a key exchange request initiator and a key exchange request responder.
  - 5. The system of claim 1, wherein the less trusted zones of protection comprises a public Internet zone of protection, a demilitarized zone of protection and an Intranet zone of protection.
  - 6. The system of claim 4, wherein the more trusted zone of protection comprises an enterprise information system (EIS) zone of protection.

7. A method for centralized secure offload of cryptographic security services for distributed security enforcement points, the method comprising:
- initiating a key exchange in a less trusted zone of protection with a responder;
  
  offloading a portion of the key exchange to logic disposed in a more trusted zone of protection; and
  
  ,completing the key exchange in the less trusted zone of protection.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, further comprising:
    - responding in a less trusted zone of protection to a request to initiate a key exchange with an initiator;
      
      offloading a portion of the key exchange to logic disposed in a more trusted zone of protection; and
      
      ,completing the key exchange in the less trusted zone of protection.
  - 9. The method of claim 7, wherein initiating a key exchange in a less trusted zone of protection with a responder, comprises initiating an Internet Key Exchange (IKE) signature mode key exchange in a less trusted zone of protection with a responder.
  - 10. The method of claim 8, wherein responding in a less trusted zone of protection to a request to initiate a key exchange with an initiator, comprises responding in the less trusted zone of protection to a request to initiate an Internet Key Exchange (IKE) signature mode key exchange with an initiator.
  - 11. The method of claim 7, wherein offloading a portion of the key exchange to logic disposed in a more trusted zone of protection, comprises offloading signing a digital certificate in the key exchange to logic disposed in a more trusted zone of protection.
  - 12. The method of claim 7, wherein offloading a portion of the key exchange to logic disposed in a more trusted zone of protection, comprises offloading digital signature validation in the key exchange to logic disposed in a more trusted zone of protection.

13. A computer program product comprising a computer usable medium embodying computer usable program code for centralized secure offload of cryptographic security services for distributed security enforcement points, the computer program product including:
- computer usable program code for initiating a key exchange in a less trusted zone of protection with a responder;
  
  computer usable program code for offloading a portion of the key exchange to logic disposed in a more trusted zone of protection; and
  
  ,computer usable program code for completing the key exchange in the less trusted zone of protection.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13, further comprising:
    - computer usable program code for responding in a less trusted zone of protection to a request to initiate a key exchange with an initiator;
      
      computer usable program code for offloading a portion of the key exchange to logic disposed in a more trusted zone of protection; and
      
      ,computer usable program code for completing the key exchange in the less trusted zone of protection.
  - 15. The computer program product of claim 13, wherein the computer usable program code for initiating a key exchange in a less trusted zone of protection with a responder, comprises computer usable program code for initiating an Internet Key Exchange (IKE) signature mode key exchange in a less trusted zone of protection with a responder.
  - 16. The computer program product of claim 14, wherein the computer usable program code for responding in a less trusted zone of protection to a request to initiate a key exchange with an initiator, comprises computer usable program code for responding in the less trusted zone of protection to a request to initiate an Internet Key Exchange (IKE) signature mode key exchange with an initiator.
  - 17. The computer program product of claim 13, wherein the computer usable program code for offloading a portion of the key exchange to logic disposed in a more trusted zone of protection, comprises computer usable program code for offloading signing of a digital certificate in the key exchange to logic disposed in a more trusted zone of protection.
  - 18. The computer program product of claim 13, wherein the computer usable program code for offloading a portion of the key exchange to logic disposed in a more trusted zone of protection, comprises computer usable program code for offloading digital signature validation in the key exchange to logic disposed in a more trusted zone of protection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Meyer, Christopher, Overby, Linwood H., Wierbowski, David J., Gearhart, Curtis M.

Granted Patent

US 9,137,203 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/255
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0209   Architectural arrangements,...

H04L 63/04   for providing a confidentia...

H04L 63/0485   Networking architectures fo...

H04L 63/0823   using certificates cryptogr...

H04L 63/1408   by monitoring network traff...

CENTRALIZED SECURE OFFLOAD OF CRYPTOGRAPHIC SECURITY SERVICES FOR DISTRIBUTED SECURITY ENFORCEMENT POINTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

CENTRALIZED SECURE OFFLOAD OF CRYPTOGRAPHIC SECURITY SERVICES FOR DISTRIBUTED SECURITY ENFORCEMENT POINTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links