DISCOVERY OF SECURE NETWORK ENCLAVES

US 20100318799A1
Filed: 06/11/2009
Published: 12/16/2010
Est. Priority Date: 06/11/2009
Status: Active Grant

First Claim

Patent Images

1. A method of operating a computer system to provide secure communications, the computer system comprising a plurality of host devices interconnected by a network and organized into enclaves, the method comprising:

at a host device, receiving a packet over the network;

in the host device, analyzing the packet, the analyzing comprising;

identifying a chain of one or more markers in the packet, each marker indicating an enclave;

determining an enclave in which the host device is located based on the chain of one or more markers.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.

Citations

20 Claims

1. A method of operating a computer system to provide secure communications, the computer system comprising a plurality of host devices interconnected by a network and organized into enclaves, the method comprising:
- at a host device, receiving a packet over the network;
  
  in the host device, analyzing the packet, the analyzing comprising;
  
  identifying a chain of one or more markers in the packet, each marker indicating an enclave;
  
  determining an enclave in which the host device is located based on the chain of one or more markers.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - each of the markers in the chain of one or more markers comprises a value assigned to an intermediary device that processed the packet as it passed over the network; and
      
      the analyzing further comprises;
      
      determining a second enclave in which a second host device is located based on the chain of one or more markers; and
      
      selecting a key based on the enclave and the second enclave; and
      
      generating a security association between the host device and the second host device based on the selected key.
  - 3. The method of claim 1, further comprising:
    - providing a plurality of pair-wise enclave keys; and
      
      in the host device, selecting a pair-wise enclave key of the plurality of pair-wise enclave keys based in part on the determined enclave.
  - 4. The method of claim 1, wherein the packet comprises a control packet in an exchange between the host and a second host to establish a security association between the host and the second host.
  - 5. The method of claim 4, wherein the control packet is an Internet Key Exchange (IKE) or an AuthIP packet.
  - 6. The method of claim 4, further comprising, sending from the host device to the second host device a control packet comprising a value requesting intermediary devices place markers in packets addressed to the host.
  - 7. The method of claim 6, wherein the value is in a vendor ID field of the packet.

8. A method of operating a computer system to provide secure communications, the computer system comprising a plurality of host devices interconnected by a network and organized into enclaves, the method comprising:
- at an intermediary device configured in a network enclave, receiving a packet over the network;
  
  in the intermediary device, analyzing the packet to determine whether the packet contains a value requesting that intermediary devices place markers in packets addressed to the host;
  
  when the packet contains the value requesting that intermediary devices place markers in packets addressed to the host, appending a marker indicating an enclave to a field in at least one packet addressed to the host.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein:
    - the method further comprises;
      
      when the packet contains the value, storing an indication of the host; and
      
      monitoring message traffic to identify a subsequent message addressed to the host; and
      
      appending the marker comprises appending the marker to the subsequent message.
  - 10. The method of claim 9, wherein the packet and the subsequent packet comprise control packets in an exchange between the host and a second host for establishing a security association.
  - 11. The method of claim 10, wherein the value comprises a value in a vendor ID field of the packet.
  - 12. The method of claim 11, wherein:
    - appending comprises appending a marker to a list of markers in an extension field of the packet; and
      
      appending a marker indicating an enclave comprises appending a marker indicating an enclave of the intermediary device appending the marker.
  - 13. The method of claim 12, further comprising:
    - at the host, processing the subsequent packet to determine a first enclave of the host and a second enclave of the second host based on the list of markers.
  - 14. The method of claim 13, further comprising:
    - at the host, selecting a key for the security association between the host and the second host based on the first enclave and the second enclave.

15. A method of operating a computer system to provide secure communications, the computer system comprising a plurality of host devices interconnected by a network and organized into enclaves, the method comprising:
- from a first host device, sending a first packet to a second device;
  
  at one or more intermediary devices coupled in a network path between the first host and the second host, detecting the first packet and recording an indication of the first host;
  
  from the second host, sending a second packet to the first host;
  
  at each of the one or more intermediary devices, identifying the second packet based on the recorded indication of the first host and adding to the second packet an indicator of the enclave of the intermediary device; and
  
  at the first host, determining an enclave of the first host based on an indicator added by an intermediary of the one or more intermediary devices.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - at the first host, selecting a key based in part of the determined enclave of the first host; and
      
      establishing a security association with the second host using the selected key.
  - 17. The method of claim 16, wherein:
    - the method further comprises, at the first host, determining an enclave of the second host based on an indicator added by an intermediary of the one or more intermediary devices; and
      
      selecting a key comprises selecting a key based in part on the determined enclave of the second host.
  - 18. The method of claim 17, wherein:
    - selecting a key comprises selecting a server key from a set of server keys, where each server key is derived from a different pair-wise enclave key from a set of pair-wise enclave keys.
  - 19. The method of claim 18, wherein establishing a security association with the second host comprises generating a security association key based on the selected server key and key derivation information.
  - 20. The method of claim 19, firmer comprising:
    - at least one of the one or more intermediary devices, generating the security association key based at least in part on key derivation information contained in a subsequent packet exchanged between the first host and the second host using the security association; and
      
      performing a cryptographic function on the subsequent packet using the generated security association key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Simon, Daniel R., Swander, Brian D., Montenegro, Gabriel E., Menezes, Pascal

Granted Patent

US 8,352,741 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 2463/061   applying further key deriva...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/0464   using hop-by-hop encryption...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/064   Hierarchical key distributi...

H04L 63/164   at the network layer

H04L 9/0836   using tree structure or hie...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/32   including means for verifyi...

DISCOVERY OF SECURE NETWORK ENCLAVES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DISCOVERY OF SECURE NETWORK ENCLAVES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links