SYMMETRIC KEY DISTRIBUTION FRAMEWORK FOR THE INTERNET

US 20090154708A1
Filed: 12/14/2007
Published: 06/18/2009
Est. Priority Date: 12/14/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

a key distribution server receiving measured health information from a client;

the server validating the measured health information;

the server sending a session key to the client when the measured health information is validated; and

upon receiving the session key, the client initiating an encrypted and authenticated connection with an application server in the domain using the session key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, device, and system are disclosed. In one embodiment the method includes receiving measured health information from a client on a key distribution server. Once the measured health information is received the server is capable of validating the measured health information to see if it is authentic. The server is also capable of sending a session key to the client when the measured health information is validated. When the client receives the session key, the client is capable of initiating an encrypted and authenticated connection with an application server in the domain using the session key.

70 Citations

View as Search Results

19 Claims

1. A method, comprising:
- a key distribution server receiving measured health information from a client;
  
  the server validating the measured health information;
  
  the server sending a session key to the client when the measured health information is validated; and
  
  upon receiving the session key, the client initiating an encrypted and authenticated connection with an application server in the domain using the session key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - a network interface controller in the application server receiving one or more encrypted packets from the client over the authenticated connection;
      
      the network interface controller decrypting the one or more encrypted packets using the session key; and
      
      the application server servicing the one or more decrypted packets.
  - 3. The method of claim 2, further comprising:
    - the network interface controller dropping the one or more packets if the decryption is unsuccessful.
  - 4. The method of claim 1, wherein the key distribution server is addressable within an Internet domain.
  - 5. The method of claim 4, further comprising:
    - the client looking up a client policy on the key distribution server;
      
      based on the key distribution server client policy, the client measuring the client health information; and
      
      the client signing the client measured health information.
  - 6. The method of claim 2, wherein the one or more encrypted packets are Internet protocol security (IPSec) packets.

7. A device, comprising:
- key distribution server logic to receive measured health information from a client;
  
  validate the measured health information; and
  
  send a session key to the client when the measured health information is validated.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The device of claim 7, further comprising:
    - application server logic toreceive a packet from the client, wherein the packet is encrypted using the session key;
      
      decrypt the packet using the session key; and
      
      service the decrypted packet.
  - 9. The device of claim 8, wherein the application server logic is further operable to drop the packet if the decryption is unsuccessful.
  - 10. The device of claim 8, wherein the device is addressable within an Internet domain.
  - 11. The device of claim 8, wherein the device is further operable to store a client policy to instruct the client on one or more requirements necessary to interface with the device.
  - 12. The device of claim 8, wherein the application server logic further comprises a network interface controller.

13. A system, comprising:
- a client;
  
  a key distribution server toreceive measured health information from the client;
  
  validate the measured health information; and
  
  send a session key to the client when the measured health information is validated; and
  
  an application server toreceive a packet from the client, wherein the packet is encrypted using the session key;
  
  decrypt the packet using the session key; and
  
  service the decrypted packet.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the application server is further operable to drop the packet if the decryption is unsuccessful.
  - 15. The system of claim 13, further comprising a domain name server to provide the key distribution server address to the client.
  - 16. The system of claim 13, wherein the client comprises a security management component operable tomeasure the health of the client device;
    - generate client health information based on the measurement; and
      
      sign the measured client health information.
  - 17. The system of claim 13, wherein the application server further comprises:
    - a memory to store an operating system;
      
      a processor to execute instructions from the operating system; and
      
      a network interface controller operable togenerate a decryption key using the session key and a master key;
      
      decrypt the packet with the decryption key; and
      
      send the decrypted packet to the operating system for servicing by the processor.
  - 18. The system of claim 17, wherein the network interface controller is further operable to drop the packet when the decryption is unsuccessful.
  - 19. The system of claim 18, wherein the processor does not perform any operations on the packet when the network interface controller drops the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Kolar Sunder, Divya Naidu, Dewan, Prashant, Long, Men

Granted Patent

US 8,532,303 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/279
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/20   for managing network securi...

H04L 9/083   involving central third par...

SYMMETRIC KEY DISTRIBUTION FRAMEWORK FOR THE INTERNET

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

70 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

SYMMETRIC KEY DISTRIBUTION FRAMEWORK FOR THE INTERNET

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links