Method of conducting secure operations on an uncontrolled network

US 5,548,721 A
Filed: 04/28/1994
Issued: 08/20/1996
Est. Priority Date: 04/28/1994
Status: Expired due to Term

First Claim

Patent Images

1. A method of conducting secure operations on an uncontrolled network of computer workstations that has a network manager for authorizing conduct of secure operations on the network and plural secure computer workstations, each for communicating with the network manager and with other workstations in the network, the method comprising the steps of:

establishing a personal identifier for a first authorized network user;

providing the first authorized user with a cryptographic ignition key (CIK) card that contains an electronically readable, randomly selected portion of an authorization record, wherein the authorization record is a combination of the personal identifier and a system key created by a first workstation;

providing each of the secure workstations with a secure network access port (SNAP) that includes,a reader for reading the CIK card, andmeans for storing the portion of the system key not stored on the CIK card and for storing a workstation-unique initialization key for enabling encrypted communication with the network manager but not with other secure workstations in the network;

storing the complete authorization record and system key for the first authorized user in the network manager;

requesting access to the network from the first workstation by providing the first authorized user'"'"'s personal identifier to the SNAP of the first workstation and reading the first authorized user'"'"'s CIK card at the reader of the first workstation;

evaluating at the SNAP of the first workstation whether the received personal identifier and portions of the system key from the CIK card and from the SNAP identify the first authorized user, and if the first authorized user is identified,providing the authorization record and system key of the first authorized user to the network manager in an encrypted communication from the first workstation using the first workstation'"'"'s initialization key for validation that the first authorized user is to be given access to the network; and

in the event the first authorized user is validated by the network manager, providing an operational key from the network manager to the SNAP of the first workstation using the first workstation'"'"'s initialization key, wherein the operational key enables secure operations from the first workstation on the network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of conducting secure operations on an uncontrolled network in which authorized users are provided with a personal identifier and with a portable, electronically readable card with part of a system key thereon. The system key is created by a secure network access port (SNAP) at the workstation, and, when used in combination with the persona identifier, uniquely identifies the user so that the card and identifier may be used to conduct secure operations from any workstation in the network. Operational keys for conducting the secure operations are provided from a network security manager to a workstation in response to a validated request for access. The operational keys are provided in an encrypted communication using an initialization key unique to the workstation and known to the manager.

Citations

11 Claims

1. A method of conducting secure operations on an uncontrolled network of computer workstations that has a network manager for authorizing conduct of secure operations on the network and plural secure computer workstations, each for communicating with the network manager and with other workstations in the network, the method comprising the steps of:
- establishing a personal identifier for a first authorized network user;
  
  providing the first authorized user with a cryptographic ignition key (CIK) card that contains an electronically readable, randomly selected portion of an authorization record, wherein the authorization record is a combination of the personal identifier and a system key created by a first workstation;
  
  providing each of the secure workstations with a secure network access port (SNAP) that includes,a reader for reading the CIK card, andmeans for storing the portion of the system key not stored on the CIK card and for storing a workstation-unique initialization key for enabling encrypted communication with the network manager but not with other secure workstations in the network;
  
  storing the complete authorization record and system key for the first authorized user in the network manager;
  
  requesting access to the network from the first workstation by providing the first authorized user'"'"'s personal identifier to the SNAP of the first workstation and reading the first authorized user'"'"'s CIK card at the reader of the first workstation;
  
  evaluating at the SNAP of the first workstation whether the received personal identifier and portions of the system key from the CIK card and from the SNAP identify the first authorized user, and if the first authorized user is identified,providing the authorization record and system key of the first authorized user to the network manager in an encrypted communication from the first workstation using the first workstation'"'"'s initialization key for validation that the first authorized user is to be given access to the network; and
  
  in the event the first authorized user is validated by the network manager, providing an operational key from the network manager to the SNAP of the first workstation using the first workstation'"'"'s initialization key, wherein the operational key enables secure operations from the first workstation on the network.
- View Dependent Claims (2)
- - 2. The method of claim 1 wherein the first authorized user is authorized to conduct secure operations on the network from a second workstation by the method further comprising the steps of:
    - requesting access to the network from the second workstation by providing the first authorized user'"'"'s personal identifier to the SNAP of the second workstation and reading the first authorized user'"'"'s CIK card at the reader of the second workstation;
      
      recognizing at the second workstation that the first authorized user is not authorized access to the network from the second workstation;
      
      assigning at the SNAP of the second workstation a second system key for the first authorized user;
      
      providing the first authorized user'"'"'s authorization record, personal identifier and second system key to the network manager in an encrypted communication from the second workstation using the second workstation'"'"'s initialization key for determination whether the first authorized user is to be given access to the network;
      
      in the event the network manager determines that the first authorized user is to be given access to the network, providing an operational key from the network manager to the SNAP of the second workstation using the second workstation'"'"'s initialization key, wherein the operational key enable secure operations from the second workstation to the network; and
      
      storing a randomly selected portion of the second system key in the first authorized user'"'"'s CIK card and the remainder of the second system key in the SNAP of the second workstation.

3. A method of conducting secure operations on an uncontrolled network of workstations that has a network manager for authorizing conduct of secure operations on the network, the method comprising the steps of:
- providing each authorized user with a portable recording device that contains an electronically readable portion of an authorization record, wherein the authorization record includes a personal identifier for the user;
  
  storing at a first workstation the portion of the authorization record not stored on the recording device and providing the first workstation with means for reading the recording device; and
  
  storing the entire authorization record at the network manager,wherein the authorization of the user to conduct secure operations on the network is validated at the first workstation and at the manager by evaluating the combined portions of the authentication record.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10)
- - 4. The method of claim 3 wherein the authorization record further includes a system key created by the first workstation, and wherein the combination of the personal identifier and the system key is user unique.
  - 5. The method of claim 3 wherein the personal identifier is user unique and the authorization record includes only the personal identifier.
  - 6. The method of claim 3 wherein the authorization record is encrypted before being stored.
  - 7. The method of claim 3 wherein the authorization record of a user is provided to the network manager in an encrypted communication from the first workstation using an initialization key known to the first workstation and the manager.
  - 8. The method of claim 7 where in the event the user is validated by the network manager, an operational key is provided from the network manager to the first workstation using the first workstation'"'"'s initialization key, the operational key enabling secure operations on the network.
  - 9. The method of claim 3 wherein the user may be authorized to conduct secure operations on the network from a second workstation by the method further comprising the steps of:
    - storing on the recording device a portion of a second authorization record, wherein the second authorization record includes the personal identifier of the user;
      
      storing at the second workstation the portion of the second authorization record not stored on the recording device; and
      
      storing the entire second authorization record at the network manager.
  - 10. The method of claim 9 wherein the second authorization record further includes a second system key created by the second workstation.

11. A method of conducting secure operations on an uncontrolled network of plural workstations that has a network manager for authorizing conduct of secure operations on the network, the method comprising the steps of:
- (a) providing each authorized user with a portable recording device that contains, for each of plural first workstations at which the user is authorized, an electronically readable portion of an authorization record, wherein the authorization record includes a personal identifier for the user and a different key for each of the plural first workstations;
  
  (b) storing at each of the plural first workstations the portion of the respective authorization record not stored on the recording device; and
  
  (c) storing the entire authorization record for each of the plural first workstations at the network manager,wherein the authorization of the user to conduct secure operations on the network is validated at each of the plural first workstations and at the manager by evaluating the combined portions of the respective authentication record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wd Burgeon LLC (Intellectual Ventures LLC)
Original Assignee
Harris Corporation (L3Harris Technologies, Inc.)
Inventors
Denslow, David L.
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Decady, Albert

Application Number

US08/234,947
Time in Patent Office

845 Days
Field of Search

395/186, 395/187.01, 395/188.01, 380/21, 380/24, 380/23, 380/25, 380/30
US Class Current

726/9
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 2211/007   Encryption, En-/decode, En-...

H04L 63/04   for providing a confidentia...

H04L 63/0853   using an additional device,...

H04L 9/40   Network security protocols

Method of conducting secure operations on an uncontrolled network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Method of conducting secure operations on an uncontrolled network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links