System and method for negotiating security services and algorithms for communication across a computer network

US 5,784,566 A
Filed: 01/11/1996
Issued: 07/21/1998
Est. Priority Date: 01/11/1996
Status: Expired due to Term

First Claim

Patent Images

1. In a networked computer environment, a process for determining whether a security service will be used for communication between a first node and a second node, comprising the steps of:

selecting in the first node, a first preference value for the security service;

selecting in the second node, a second preference value for the security service, at least one of the first or second preference values being selected from a set of values comprising a value representing that the security service is required, a value representing that the security service is rejected, a first intermediate value representing that the security service is preferred but is not essential, and a second intermediate value representing that the security service is not preferred but will be tolerated;

communicating between the first and second node at least one of the first or second preference values;

comparing the first preference value with the second preference value;

determining that the security service will be used when neither the first or second preference values represent that the security service is rejected and both preference values do not include the second intermediate value;

determining that the security service will not be used and that communication between the first and second nodes should proceed when both preference values include the second intermediate value, or when one preference value represents that the security service is rejected and the other preference value does not represent that the security service is required; and

determining that communication between the first and second nodes should not proceed when one of the preference values includes the value representing that the security service is required and the other preference value includes the value representing that the security service is rejected.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method are described for selecting and initiating security services for communication across computer networks. Negotiation is facilitated between nodes of a computer network to determine whether a security service is to be used, and if so, what particular method of providing the security service will be used. Communication with a wide range of different computer systems using different methods of providing various security services is thereby facilitated.

Citations

28 Claims

1. In a networked computer environment, a process for determining whether a security service will be used for communication between a first node and a second node, comprising the steps of:
- selecting in the first node, a first preference value for the security service;
  
  selecting in the second node, a second preference value for the security service, at least one of the first or second preference values being selected from a set of values comprising a value representing that the security service is required, a value representing that the security service is rejected, a first intermediate value representing that the security service is preferred but is not essential, and a second intermediate value representing that the security service is not preferred but will be tolerated;
  
  communicating between the first and second node at least one of the first or second preference values;
  
  comparing the first preference value with the second preference value;
  
  determining that the security service will be used when neither the first or second preference values represent that the security service is rejected and both preference values do not include the second intermediate value;
  
  determining that the security service will not be used and that communication between the first and second nodes should proceed when both preference values include the second intermediate value, or when one preference value represents that the security service is rejected and the other preference value does not represent that the security service is required; and
  
  determining that communication between the first and second nodes should not proceed when one of the preference values includes the value representing that the security service is required and the other preference value includes the value representing that the security service is rejected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 18, 19)
- - 2. The process of claim 1, further comprising the steps of:
    - creating in the first node a first preference list;
      
      creating in the second node a second preference list, the first and second preference lists including one or more acceptable methods for the security service;
      
      communicating between the first and second node at least one of the first and second preference lists; and
      
      selecting a method for the security service by comparing the first preference list with the second preference list.
  - 3. The process of claim 2, wherein the first preference value is included in the first preference list and the second preference value is included in the second preference list.
  - 4. The process of claim 3, wherein the first preference value is included in the first preference list by selecting members of the first preference list from a set which includes a null value, and by ordering the preference list according to priority, and wherein the null value represents not using the security service, and the position of the null value in the ordered preference list indicates the first preference value.
  - 5. The process of claim 1, further comprising the step of deactivating the security service in response to an instruction from one of the first or second nodes.
  - 6. The process of claim 5, further comprising the step of re-activating the security service in response to an instruction from one of the first or second nodes.
  - 7. The process of claim 1, further comprising the steps of:
    - encrypting a set of data and the length of the set of data;
      
      creating a data packet including the encrypted form of the set of data and the length of the set of data; and
      
      communicating the data packet between the first and second nodes.
  - 8. The process of claim 1, wherein the security service is an authentication process and further comprising the steps of:
    - communicating from the first node to the second node authentication data;
      
      verifying in the second node the identity of the first node using the authentication process; and
      
      communicating from the second node to the first node a response representing the result of said step of verifying.
  - 18. The process of claim 4, wherein the first preference value represents that the security service is required when the null value is not present in the preference list, the first preference value represents that the security service is rejected when the null value is the only method present in the preference list, the first preference value is the first intermediate value when the null value is positioned as the highest priority method in the preference list, and the first preference value is the second intermediate value when the null value is positioned as the lowest priority method in the preference list.
  - 19. The process of claim 18 wherein the security service is encryption and the methods for the security service comprise algorithms for encryption.

9. In a networked computer environment including multiple nodes, a process for selecting whether a security service will be used during communication between a first node and a second node and for selecting a method for the security service, said process comprising the steps of:
- creating in the first node a first preference list;
  
  creating in the second node a second preference list, the first and second preference lists including acceptable methods for the security service, each of the first and second preference lists being ordered by priority and includes a null value when the security service is not essential, wherein the null value represents not using the security service, and the position of the null value in each ordered preference list indicates strength of preference for not using the security service;
  
  communicating between the first and second node at least one of the first and second preference lists;
  
  comparing the first preference list with the second preference list;
  
  determining that the security service will be used when both the first and second preference lists include methods other than the null value, both preference lists do not indicate that the security service is not preferred but will be tolerated, and a match is found between the first and second preference lists; and
  
  selecting a method for the security service by selecting a method contained in both preference lists.
- View Dependent Claims (10, 20, 21, 22, 23)
- - 10. The process of claim 9, wherein said step of selecting a method comprises determining that no further communication should take place between the first and second nodes when no match is found between the first preference list and the second preference list.
  - 20. The process of claim 9 wherein the first preference list includes the null value and includes no other methods for the security service when the security service must not be used by the first node.
  - 21. The process of claim 20 wherein the first preference list includes the null value in the highest priority position and includes one or more methods for the security service in lower priority positions when the security service is not essential but is preferred by the first node.
  - 22. The process of claim 21 wherein the first preference list includes the null value in the lowest priority position and includes one or more methods for the security service in higher priority positions when the security service is not preferred but will be tolerated by the first node.
  - 23. The process of claim 22 wherein the security service is encryption and the methods for the security service comprise algorithms for encryption.

11. An apparatus for determining whether a security service will be used in a networked computer environment comprising:
- a first node configured to select a first preference value for the security service;
  
  a second node configured to select a second preference value for the security service;
  
  at least one of the first or second preference values being selected from a set comprising a value representing that the security service is required, a value representing that the security service is rejected. a first intermediate value representing that the security service is preferred but is not essential, and a second intermediate value representing that the security service is not preferred but will be tolerated, said second node further configured to receive the first preference value and determine whether the security service will be used by comparing the first preference value with the second preference value, to determine that the security service will be used when neither the first or second preference values represents that the security service is rejected and both preference values do not include the second intermediate value, to determine that the security service will not be used and that communication between the first and second nodes should proceed when both preference values include the second intermediate value, or when one preference value represents that the security service is rejected and the other preference value does not represent that the security service is required, and to determine that communication between the first and second nodes should not proceed when one of the preference values includes the value representing that the security service is required and the other preference value includes the value representing that the security service is rejected; and
  
  a network connecting said first node and said second node, and adapted to transmit from said first node to said second node the first preference value.
- View Dependent Claims (12, 13, 24)
- - 12. The apparatus of claim 11, wherein:
    - the first node is further configured to create a first preference list including one or more acceptable methods for the security service, the first preference list including the first preference value;
      
      the second node is further configured to create a second preference list including one or more acceptable methods for the security service, the second preference list including the second preference value; and
      
      the second node is further configured to receive the first preference list from the network and to select a method for the security service by comparing the first preference list with the second preference list.
  - 13. The apparatus of claim 12, wherein the first preference value is included in the first preference list by selecting members of the first preference list from a set which includes a null value, and by ordering the first preference list according to priority, and wherein the null value represents not using the security service, and the position of the null value in the ordered preference list indicates the first preference value.
  - 24. The apparatus of claim 13 wherein the first preference value represents that the security service is required when the null value is not present in the preference list, the first preference value represents that the security service is rejected when the null value is the only method present in the preference list, the first preference value is the first intermediate value when the null value is positioned as the highest priority method in the preference list, and the first preference value is the second intermediate value when the null value is positioned as the lowest priority method in the preference list.

14. A computer-readable medium which can be used to direct a computer node in a networked computer environment to determine whether a security service will be used for communication between a first node and a second node, comprising:
- means for directing the first node to select a first preference value;
  
  means for directing a second node to select a second preference value, at least one of the first or second preference values being selected from a set comprising a value representing that the security service is required, a value representing that the security service is rejected, a first intermediate value representing that the security service is preferred but is not essential, and a second intermediate value representing that the security service is not preferred but will be tolerated;
  
  means for directing the first node to transmit the first preference value to the second node;
  
  means for directing the second node to determine whether the security service will be used by comparing the first preference value with the second preference value, to determine that the security service will be used when neither the first or second preference values represent that the security service is rejected and both preference values do not include the second intermediate value, and to determine that the security service will not be used and that communication between the first and second nodes should proceed when both preference values include the second intermediate value, or when one preference value represents that the security service is rejected and the other preference value does not represent that the security service is required; and
  
  means for directing the second node to find that communication between the first and second nodes should not proceed when one of the preference values includes the value representing that the security service is required and the other Preference value includes the value representing that the security service is rejected.
- View Dependent Claims (15, 16, 17)
- - 15. The computer-readable medium of claim 14, further comprising:
    - means for directing the first node to create a first preference list including one or more acceptable methods for the security service, the first preference list including the first preference value;
      
      means for directing the second node to create a second preference list including one or more acceptable methods for the security service, the second preference list including the second preference value;
      
      means for directing the network to transmit the first preference list to the second node; and
      
      means for directing the second node to select a method for the security service by comparing the first preference list with the second preference list.
  - 16. The apparatus of claim 15, wherein the first preference value is included in the first preference list by selecting members of the first preference list from a set which includes a null value, and by ordering the preference list according to priority, and wherein the null value represents not using the security service, and the position of the null value in the ordered preference list indicates the first preference value.
  - 17. The process of claim 16, wherein the first preference value represents that the security service is required when the null value is not present in the preference list, the first preference value represents that the security service is rejected when the null value is the only method present in the preference list, the first preference value is the first intermediate value when the null value is positioned as the highest priority method in the preference list, and the first preference value is the second intermediate value when the null value is positioned as the lowest priority method in the preference list.

25. An apparatus for determining whether a security service will be used in a networked computer environment comprising:
- a first node configured to create a first preference list;
  
  a second node configured to create a second preference list, wherein the first and second preference lists include acceptable methods for the security service, each of the first and second preference lists being ordered by priority and includes a null value when the security service is not essential, the null value representing not using the security service, and the position of the null value in each ordered preference list indicates strength of preference for not using the security service; and
  
  a network connecting said first and second nodes, and adapted to communicate between the first and second node at least one of the first and second preference lists, wherein said second node is further configured to compare the first preference list with the second preference list, to determine that the security service will be used when both the first and second preference lists include methods other than the null value, both preference lists do not indicate that the security service is not preferred but will be tolerated, and a match is found between the first and second preference lists; and
  
  to select a method for the security service by selecting a method contained in both preference lists.
- View Dependent Claims (26)
- - 26. The apparatus of claim 25, wherein said second node is further configured to determine that no further communication should take place between the first and second nodes when no match is found between the first preference list and the second preference list.

27. A computer-readable medium which can be used to direct a computer node in a networked computer environment to determine whether a security service will be used during communication between a first node and a second node and to select a method for the security service, comprising:
- means for directing the first node to create a first preference list;
  
  means for directing the second node to create a second preference list, the first and second preference lists including acceptable methods for the security service, each of the first and second preference lists being ordered by priority and includes a null value when the security service is not essential, wherein the null value represents not using the security service, and the position of the null value in each ordered preference list indicates strength of preference for not using the security service;
  
  means for directing the first node to communicate the first preference list to the second node;
  
  means for directing the second node to compare the first preference list with the second preference list;
  
  means for directing the second node to determine that the security service will be used when both the first and second preference lists include methods other than the null value, both preference lists do not indicate that the security service is not preferred but will be tolerated, and a match is found between the first and second preference lists; and
  
  means for directing the second node to select a method for the security service by selecting a method contained in both preference lists.
- View Dependent Claims (28)
- - 28. The computer-readable medium of claim 27 further comprising means for directing the second node to determine that no further communication should take place between the first and second nodes when no match is found between the first preference list and the second preference list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle Corporation
Inventors
Viavant, Steven, Wessman, Richard R., Gleckler, Arthur A.
Primary Examiner(s)
Rinehart, Mark H.
Assistant Examiner(s)
KAMINER, MATTHE

Application Number

US08/583,890
Time in Patent Office

922 Days
Field of Search

380/21, 380/23, 380/24, 380/25, 380/49, 395/200.06, 395/200.55, 395/200.57, 395/200.58, 395/200.59, 395/186, 395/187.01, 340/825.34
US Class Current

709/229
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/205   involving negotiation or de...

H04L 9/3236   using cryptographic hash fu...

H04L 9/40   Network security protocols

System and method for negotiating security services and algorithms for communication across a computer network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for negotiating security services and algorithms for communication across a computer network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links