SYSTEM AND METHOD TO COMMUNICATE SENSITIVE INFORMATION VIA ONE OR MORE UNTRUSTED INTERMEDIATE NODES WITH RESILIENCE TO DISCONNECTED NETWORK TOPOLOGY

US 20160044000A1
Filed: 08/05/2014
Published: 02/11/2016
Est. Priority Date: 08/05/2014
Status: Active Grant

First Claim

Patent Images

1. A method of communicating using a system configured to exchange encrypted data via at least two nodes, the method comprising:

executing an agent in the system configured with (i) an internal DNS address to point to one of the at least two nodes, and (ii) an external DNS address to point to another one of the at least two nodes;

establishing a communication link between one of the at least two nodes and the agent;

signing a payload containing data using a private key to produce an envelope; and

encrypting the envelope using a public key associated with one of the at least two nodes and the agent,wherein the at least two nodes are configured to authenticate the agent when establishing the communication link between the one of the at least two nodes and the agent.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to communicate secure information between a plurality of computing machines using an untrusted intermediate with resilience to disconnected network topology. The system and method utilize agnostic endpoints that are generalized to be interoperable among various systems, with their functionality based on their location in a network. The system and method enable horizontal scaling on the network. One or more clusters may be set up in a location within a network or series of networks in electronic communication, e.g., in a cloud or a sub-network, residing between a secure area of the network(s) and an unsecure area such as of an external network or portion of a network. The horizontal scaling allows the system to take advantage of a capacity of a local network. As long as an agent has connectivity to at least one locale of the network, the agent is advantageously operable to move data across the system.

194 Citations

29 Claims

1. A method of communicating using a system configured to exchange encrypted data via at least two nodes, the method comprising:
- executing an agent in the system configured with (i) an internal DNS address to point to one of the at least two nodes, and (ii) an external DNS address to point to another one of the at least two nodes;
  
  establishing a communication link between one of the at least two nodes and the agent;
  
  signing a payload containing data using a private key to produce an envelope; and
  
  encrypting the envelope using a public key associated with one of the at least two nodes and the agent,wherein the at least two nodes are configured to authenticate the agent when establishing the communication link between the one of the at least two nodes and the agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, further comprising compressing the data prior to signing the payload.
  - 3. The method of claim 1, further comprising providing the public key by the agent.
  - 4. The method of claim 1, wherein executing the agent further comprises configuring and authenticating the agent using a certificate.
  - 5. The method of claim 1, wherein executing the agent further comprises assigning one or more unique identifiers to the agent.
  - 6. The method of claim 1, further comprising utilizing, by the at least two nodes, a root certificate to communicate with agent.
  - 7. The method of claim 1, further comprising providing the agent with information associated with the at least two nodes, wherein the information associated with the at least two nodes includes an IP address and DNS information.
  - 8. The method of claim 1, wherein at least one of the at least two nodes comprises a provisioning node configured to certify the agent.
  - 9. The method of claim 1, further comprising using at least one of a certified authority (CA) certificate or a simple certificate enrollment protocol (SCEP) for authentication of the agent.
  - 10. The method of claim 1, wherein the authentication of the agent comprises a two-way authentication process between the agent and the at least two nodes.
  - 11. The method of claim 1, further comprising:
    - initiating a poll, via the agent, by generating and transmitting a signal across the system and to the at least two nodes in attempt to identify a task.
  - 12. The method of claim 11, wherein the signal is sent to only one of the at least two nodes at a time.
  - 13. The method of claim 11, further comprising transmitting the poll periodically or aperiodically and encrypting the envelope across the system at intervals alternating between the at least two nodes.
  - 14. The method of claim 11, wherein when the task is not identified, repeating, by the agent, initiating the poll after a predetermined time period has elapsed.
  - 15. The method of claim 11, further comprising determining, by the agent, that the task has been identified when the agent receives at least one item detailing the task in response to the poll initiated by the agent.
  - 16. The method of claim 11, wherein when the task is identified, (i) locating and retrieving, by the agent, data associated with the task, (ii) decrypting the data, (iii) generating an output associated with the data, and (iv) transmitting the output.
  - 17. The method of claim 11, further comprising compressing, signing, and encrypting the output generated by the agent.
  - 18. The method of claim 11, further comprising when the task is not identified, repeating initiating of the poll at a specified rate according to whether the system is experiencing a data breach.
  - 19. The method of claim 18, further comprising resetting the rate so that polls are initiated at a quicker rate when the system is experiencing the data breach.
  - 20. The method of claim 18, further comprising resetting, by at least one of the two nodes, the polling rate based on whether the system is experiencing the data breach.
  - 21. The method of claim 16, further comprising locating, by the agent, the data associated with the task via a uniform resource indicator (URI).
  - 22. The method of claim 16, further comprising:
    - retrieving, by the agent, the information associated with the task via an SSL connection; and
      
      decrypting, by the agent, the information associated with the task via at least one of the public key and the private key.

23. A communication system comprising:
- at least one memory storing instructions, that when executed by at least one processor are configured to (i) compress data, (ii) sign the data using a private key, and (iii) encrypt the data using a public key to form a data payload;
  
  an agent configured to establish a communication link and transmit the data payload using the communication link; and
  
  a node configured to (i) receive the data payload, and (ii) process metadata associated with the data payload to determine whether an entirety of the data payload was transmitted successfully from the processor to the node.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The system of claim 23, wherein the processor includes (i) a compressor configured to compress the data, (ii) an authenticator configured to sign the data, and (iii) an encryptor configured to encrypt the data.
  - 25. The system of claim 23, further comprising:
    - a buffered memory associated with the node for use to determine whether an entirety of the data payload was received by the node from the processor.
  - 26. The system of claim 23, wherein the metadata includes offset/length data related to subsets of the data to enable the data to be reconstructed when a transmission event occurs.
  - 27. The system of claim 26, wherein the processor is configured to compress, sign, and encrypt the metadata simultaneously with the data.

28. A communication node comprising:
- a memory configured to store an agent; and
  
  a processor configured to execute the agent to(a) establish a communication link with another node,(b) authenticate the other node to obtain a public key,(c) encrypt a specified amount of data using the public key to form a data envelope, and(d) transmit the data envelope to the other node.
- View Dependent Claims (29)
- - 29. The communication node of claim 28, wherein the processor is further configured to execute the agent to compress the data and sign the data using the private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Cunningham, Sean

Granted Patent

US 9,912,644 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/64   Self-signed certificates

H04L 41/22   comprising specially adapte...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 9/0825   using asymmetric-key encryp...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3263   involving certificates, e.g...

SYSTEM AND METHOD TO COMMUNICATE SENSITIVE INFORMATION VIA ONE OR MORE UNTRUSTED INTERMEDIATE NODES WITH RESILIENCE TO DISCONNECTED NETWORK TOPOLOGY

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

194 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD TO COMMUNICATE SENSITIVE INFORMATION VIA ONE OR MORE UNTRUSTED INTERMEDIATE NODES WITH RESILIENCE TO DISCONNECTED NETWORK TOPOLOGY

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

194 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links