Distributed information system having automatic invocation of key management negotiations protocol and method
First Claim
1. In a distributed information system which includes a plurality of end-systems each of which includes data unit transmitting and receiving means having a security protocol and a corresponding security protocol key from one end-system to another end-system, the improvement comprising:
- secure address storage means for storing a set of end-system addresses and corresponding end-system security protocol keys;
- protocol address storage means for storing a set of end-system addresses requiring security protocol data transfers;
- data unit receiver means for receiving a data unit and for generating a data unit transfer request signal which includes an end-system address and data unit security protocol;
- intermediate storage means for storing a received data unit in response to a data transfer request signal and outputting the stored data unit to the end-system transmitting and receiving means in response to a transfer enable signal;
- automatic key management processor means responsive to the data unit transfer request signal for comparing the received data unit security key and end-system address to the set of end-system addresses and security protocol keys, and for generating the transfer enable signal in response to a match therebetween, and in the absence of a match therebetween, comparing the received data unit address to the end-system addresses from the protocol address storage means and generating a security key protocol request signal in response to a match therebetween, and for generating the transfer enable signal in response to the absence of a match between the data unit address and an address in the set of addresses stored in the protocol address storage means;
- security key negotiating means responsive to the security key protocol request signal for negotiating a security key with another end-system and for generating a security key negotiation confirm signal upon completion of a negotiation;
- means responsive to the security key negotiation confirm signal for storing the security key for the another end-system in the one system secure address store storage means;
- and wherein each end-system is responsive to the security key negotiation confirm signal and is adapted to generate the transfer enable signal, and wherein the end-system data unit transmitting and receiving means are responsive to the transfer enable signal and are adapted to transfer the data unit corresponding to the security protocol of the received data unit, and wherein the security key negotiation comprises a fully encrypted negotiation exchange.
Abstract
The invention is an improved distributed information system which automatically provides for the transmission of security protocol data units between end-users of a distributed information system. The invention compares the address and security key of a received security protocol data unit to stored end-system addresses and security key information and, in the absence of an existing end-system address and security key, automatically initiates negotiation of a security key between end-systems and then confirms the negotiated security key and initiates a security protocol transmission of the data unit. A method of automatically invoking secure communications between end-systems of a distributed information system is also disclosed.
4 Claims
1. In a distributed information system which includes a plurality of end-systems each of which includes data unit transmitting and receiving means having a security protocol and a corresponding security protocol key from one end-system to another end-system, the improvement comprising:
- secure address storage means for storing a set of end-system addresses and corresponding end-system security protocol keys;
- protocol address storage means for storing a set of end-system addresses requiring security protocol data transfers;
- data unit receiver means for receiving a data unit and for generating a data unit transfer request signal which includes an end-system address and data unit security protocol;
- intermediate storage means for storing a received data unit in response to a data transfer request signal and outputting the stored data unit to the end-system transmitting and receiving means in response to a transfer enable signal;
- automatic key management processor means responsive to the data unit transfer request signal for comparing the received data unit security key and end-system address to the set of end-system addresses and security protocol keys, and for generating the transfer enable signal in response to a match therebetween, and in the absence of a match therebetween, comparing the received data unit address to the end-system addresses from the protocol address storage means and generating a security key protocol request signal in response to a match therebetween, and for generating the transfer enable signal in response to the absence of a match between the data unit address and an address in the set of addresses stored in the protocol address storage means;
- security key negotiating means responsive to the security key protocol request signal for negotiating a security key with another end-system and for generating a security key negotiation confirm signal upon completion of a negotiation;
- means responsive to the security key negotiation confirm signal for storing the security key for the another end-system in the one system secure address store storage means;
- and wherein each end-system is responsive to the security key negotiation confirm signal and is adapted to generate the transfer enable signal, and wherein the end-system data unit transmitting and receiving means are responsive to the transfer enable signal and are adapted to transfer the data unit corresponding to the security protocol of the received data unit, and wherein the security key negotiation comprises a fully encrypted negotiation exchange. - View Dependent Claims (2, 3)
4. A method of automatically invoking secure communications between end-systems of a distributed information system, said method comprising the steps of:
- (a) storing a set of end-system addresses and corresponding security keys and security protocol specifications;
- (b) storing a set of end-system addresses that includes the addresses of all end-systems requiring security protocols for a secure data transfer;
- (c) generating a data unit that includes an end-system address and security protocol specification, and generating a data transfer request signal in response thereto;
- (d) comparing the generated end-system address and protocol specification to the set of end-system addresses and protocol specifications in response to the data transfer signal, and generating a transmit enable signal in response to a match therebetween;
- (e) comparing the data unit specification to the set of end-system addresses requiring a security protocol;
- (f) generating an automatic invocation of key management request signal in response to the absence of a match between the data unit specification and the set of end-system addresses requiring a security protocol;
- (g) performing an encrypted security key negotiation between the end-systems in response to the invocation of the key management request signal and generating a security key confirm signal in response to completion thereof;
- (h) generating a transfer enable signal in response to the security key confirm signal;
- (i) performing a security protocol data transfer in accordance with the appropriate security protocol specification in response to the transfer enable signal;
- (j) generating the transfer enable signal in the absence of a match between the data unit address and an end-system address for which a security protocol is required;
- (k) storing a negotiated security key in the set of stored end-system addresses and corresponding security keys and protocol specifications in response to the security key negotiation confirm signal; and
- (l) storing a received data unit in an intermediate storage means during the performance of steps (b) through (g).
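The decision flow that claims 1 and 4 describe (cached key: release; address listed as requiring security but no key: hold the unit, negotiate, store the key, release; address not listed: release without a security protocol) as a small Python simulation. This is an added illustration, not code from the patent; the class names, the `negotiate` stand-in for the encrypted exchange, and the sample addresses and protocol labels are assumptions.

```python
"""Simulation of the automatic key-management processor of claims 1 and 4 (assumed names)."""
from dataclasses import dataclass, field
import hashlib
import os


@dataclass
class DataUnit:
    dest: str        # destination end-system address
    protocol: str    # security protocol specification the unit carries (constructed label)
    payload: bytes


@dataclass
class KeyManagementProcessor:
    secure_store: dict = field(default_factory=dict)      # addr -> (protocol, key)   (secure address store)
    protocol_required: set = field(default_factory=set)   # addrs needing a security protocol (protocol address store)
    intermediate: list = field(default_factory=list)      # holds units while a negotiation runs
    log: list = field(default_factory=list)               # (addr, how released) for inspection

    def negotiate(self, peer: str) -> bytes:
        # Stand-in for the fully encrypted negotiation exchange (assumption): both sides
        # contribute a fresh nonce and derive the session key from them. A real system
        # would run an authenticated key-agreement protocol here.
        initiator_nonce, responder_nonce = os.urandom(16), os.urandom(16)
        return hashlib.sha256(peer.encode() + initiator_nonce + responder_nonce).digest()

    def handle(self, unit: DataUnit) -> str:
        """Process one transfer request; returns 'secure', 'secure-after-negotiation' or 'clear'."""
        self.intermediate.append(unit)                          # step (l): park the unit
        entry = self.secure_store.get(unit.dest)
        if entry is not None and entry[0] == unit.protocol:     # step (d): address + protocol match
            return self._release("secure")
        if unit.dest in self.protocol_required:                 # steps (e)-(g): negotiate first
            key = self.negotiate(unit.dest)
            self.secure_store[unit.dest] = (unit.protocol, key)  # step (k): store on confirm
            return self._release("secure-after-negotiation")     # step (h)
        return self._release("clear")                            # step (j): no security required

    def _release(self, how: str) -> str:
        unit = self.intermediate.pop(0)                          # transfer enable signal
        self.log.append((unit.dest, how))
        return how
```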
Specification