METHOD OF NEGOTIATING SECURITY PARAMETERS AND AUTHENTICATING USERS INTERCONNECTED TO A NETWORK

US 20090276828A1
Filed: 07/09/2009
Published: 11/05/2009
Est. Priority Date: 11/14/2003
Status: Active Grant

First Claim

Patent Images

1-14. -14. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.

Citations

39 Claims

1-14. -14. (canceled)

15. A method for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, comprising:
- initiating a first security negotiation at the first network device by sending a first message with a first set of proposed security parameters;
  
  determining, at the first network device, that the first security negotiation is unsuccessful and identifying a basis for the unsuccessful first security negotiation; and
  
  initiating a second security negotiation, at the first network device, by sending a second message with a second set of proposed security parameters based on the basis for the unsuccessful first security negotiation.
- View Dependent Claims (16, 17, 26, 27, 28, 29, 30, 31)
- - 16. The method of claim 15, wherein the unsuccessful security negotiation results from the first set of proposed security parameters failing to conform to a security policy of the second network device and wherein the second set of proposed security parameters conform to the security policy of the second network device.
  - 17. The method of claim 15, wherein the unsuccessful security negotiation results from a first certificate sent form a responder to an initiator, wherein the first certificate is invalid, the second security negotiation further comprising:
    - sending a certificate request from the initiator to the responder that includes an identification payload requesting a second certificate from the responder such that the second certificate is distinct from the first certificate.
  - 26. The method of claim 15, further comprising before initiating the security negotiation, receiving a packet at the first network device for the second device and determining whether the packet must be sent securely to the second network device.
  - 27. The method of claim 26, wherein the packet must be sent according to the encapsulating security protocol (ESP).
  - 28. The method of claim 26, wherein the packet must be sent according to the authentication header (AH) protocol.
  - 29. The method of claim 26, wherein if the packet is not required to be sent securely, the package is sent unsecured as a standard IP packet.
  - 30. The method of claim 29, further comprising determining if the second network device initiates a security negotiation.
  - 31. The method of claim 30, wherein if the second network device initiates a security policy, the first network device initiates a security negotiation according to the security policy initiated by the second network device.

18-22. -22. (canceled)

23. A computer storage medium for executing computer-readable instructions for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, comprising:
- initiating a first security negotiation at the first network device by sending a first message with a first set of proposed security parameters;
  
  determining, at the first network device, that the first security negotiation is unsuccessful and identifying a basis for the unsuccessful first security negotiation; and
  
  initiating a second security negotiation at the first network device by sending a second message with a second set of proposed security parameters based on the basis for the unsuccessful first security negotiation.
- View Dependent Claims (24, 25, 32, 33, 34, 35, 36, 37, 39)
- - 24. The computer storage medium of claim 23, wherein the unsuccessful security negotiation results from the first set of security parameters failing to conform to a security policy of the second network device and wherein the second set of proposed security parameters conform to the security policy of the second network device.
  - 25. The computer storage medium of claim 23, wherein the unsuccessful security negotiation results from a first certificate sent from the responder to the initiator, wherein the first certificate is invalid, the second security negotiation further comprising:
    - sending a certificate request from the initiator to the responder that includes an identification payload requesting a second certificate from the responder such that the second certificate is distinct from the first certificate.
  - 32. The computer storage medium of claim 23, further comprising before initiating the security negotiation, receiving a packet at the first network device for the second device and determining whether the packet must be sent securely to the second network device.
  - 33. The computer storage medium of claim 32, wherein the packet must be sent according to the encapsulating security protocol (ESP).
  - 34. The computer storage medium of claim 32, wherein the packet must be sent according to the authentication header (AH) protocol.
  - 35. The computer storage medium of claim 32, wherein if the packet is not required to be sent securely, the package is sent unsecured as a standard Internet Protocol (IP) packet.
  - 36. The computer storage medium of claim 32, further comprising determining if the second network device initiates a security negotiation.
  - 37. The computer storage medium of claim 36, wherein if the second network device initiates a security policy, the first network device initiates a security negotiation according to the security policy initiated by the second network device.
  - 39. The system of claim 35, wherein the step of initiating a second security negotiation comprises initiating a new main mode negotiation.

38. A system for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, the system comprising:
- one or more processing units;
  
  a memory coupled with and readable by the one or more processing units, the memory containing a series of instructions that, when executed by the one or more processing units, cause the one or more processing units to perform a method of executing a security policy comprising the steps of;
  
  receiving a packet;
  
  determining if the packet must be sent securely;
  
  if the packet must be sent securely, initiating a security policy, wherein initiating a security policy comprises;
  
  initiating a first security negotiation at a first network device by sending a first message with a first set of proposed security parameters;
  
  determining, at the first network device, that the first security negotiation is unsuccessful and identifying a basis for the unsuccessful first security negotiation; and
  
  initiating a second security negotiation at the first network device by sending a second message with a second set of proposed security parameters based on the basis for the unsuccessful first security negotiation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bitan, Sara, Huitema, Christian, Simon, Daniel R., Swander, Brian D., Mayfield, Paul G.

Granted Patent

US 8,275,989 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/0844   with user authentication or...

METHOD OF NEGOTIATING SECURITY PARAMETERS AND AUTHENTICATING USERS INTERCONNECTED TO A NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD OF NEGOTIATING SECURITY PARAMETERS AND AUTHENTICATING USERS INTERCONNECTED TO A NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links