System and method for negotiating security services and algorithms for communication across a computer network
First Claim
1. In a networked computer environment, a process for determining whether a security service will be used for communication between a first node and a second node, comprising the steps of:
- selecting in the first node, a first preference value for the security service;
- selecting in the second node, a second preference value for the security service, at least one of the first or second preference values being selected from a set of values comprising a value representing that the security service is required, a value representing that the security service is rejected, a first intermediate value representing that the security service is preferred but is not essential, and a second intermediate value representing that the security service is not preferred but will be tolerated;
- communicating between the first and second node at least one of the first or second preference values;
- comparing the first preference value with the second preference value;
- determining that the security service will be used when neither the first nor the second preference value represents that the security service is rejected and both preference values do not include the second intermediate value;
- determining that the security service will not be used and that communication between the first and second nodes should proceed when both preference values include the second intermediate value, or when one preference value represents that the security service is rejected and the other preference value does not represent that the security service is required; and
- determining that communication between the first and second nodes should not proceed when one of the preference values includes the value representing that the security service is required and the other preference value includes the value representing that the security service is rejected.
Abstract
A system and a method are described for selecting and initiating security services for communication across computer networks. Negotiation is facilitated between nodes of a computer network to determine whether a security service is to be used, and if so, what particular method of providing the security service will be used. Communication with a wide range of different computer systems using different methods of providing various security services is thereby facilitated.
28 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 18, 19.
9. In a networked computer environment including multiple nodes, a process for selecting whether a security service will be used during communication between a first node and a second node and for selecting a method for the security service, said process comprising the steps of:
- creating in the first node a first preference list;
- creating in the second node a second preference list, the first and second preference lists including acceptable methods for the security service, each of the first and second preference lists being ordered by priority and including a null value when the security service is not essential, wherein the null value represents not using the security service, and the position of the null value in each ordered preference list indicates strength of preference for not using the security service;
- communicating between the first and second node at least one of the first and second preference lists;
- comparing the first preference list with the second preference list;
- determining that the security service will be used when both the first and second preference lists include methods other than the null value, both preference lists do not indicate that the security service is not preferred but will be tolerated, and a match is found between the first and second preference lists; and
- selecting a method for the security service by selecting a method contained in both preference lists.
Dependent claims: 10, 20, 21, 22, 23.
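The decision rules of claim 1 (four preference values) and the list-based negotiation of claim 9, carried through as one runnable example. This is an illustration added here, not code from the patent or its assignee. The claims do not fix how the position of the null value maps to a strength of preference, which shared method is chosen when several match, or what happens when the service is wanted but no method is shared; the mapping used below (no null = required, null after a method = preferred, null ahead of every method = tolerated, null only = rejected), the first-node-order tie-break, and the no-shared-method handling are all assumptions of this example, and the method names in the sample lists are constructed.

```python
"""Claim 1 (preference values) and claim 9 (ordered preference lists) as
runnable decision logic. Added illustration, not the patent's own code.

Assumed mapping from a list to a claim-1 value (the claims leave it open):
  no null in the list               -> REQUIRED
  null after at least one method    -> PREFERRED (first intermediate value)
  null ahead of every method        -> TOLERATED (second intermediate value)
  list containing only the null     -> REJECTED
"""
from enum import Enum
from typing import Optional, Sequence, Tuple


class Pref(Enum):
    """The four preference values named in claim 1."""
    REQUIRED = "required"
    PREFERRED = "preferred"    # preferred but not essential
    TOLERATED = "tolerated"    # not preferred but will be tolerated
    REJECTED = "rejected"


class Outcome(Enum):
    USE = "use the security service"
    SKIP = "proceed without the security service"
    ABORT = "communication should not proceed"


def negotiate_value(a: Pref, b: Pref) -> Outcome:
    """Claim 1: compare two preference values and decide."""
    # One side requires the service and the other rejects it: no common ground.
    if {a, b} == {Pref.REQUIRED, Pref.REJECTED}:
        return Outcome.ABORT
    # Both sides merely tolerate it: proceed without it.
    if a is Pref.TOLERATED and b is Pref.TOLERATED:
        return Outcome.SKIP
    # One side rejects it and the other does not require it (required/rejected
    # was already handled above): proceed without it.
    if Pref.REJECTED in (a, b):
        return Outcome.SKIP
    # Neither side rejects it and they are not both lukewarm: use it.
    return Outcome.USE


NULL = None  # claim 9's "null value": an entry meaning "do not use the service"
PrefList = Sequence[Optional[str]]


def strength(prefs: PrefList) -> Pref:
    """Map an ordered preference list to a claim-1 value (assumed mapping above)."""
    if all(m is NULL for m in prefs):
        return Pref.REJECTED
    if NULL not in prefs:
        return Pref.REQUIRED
    # Null listed alongside real methods: its position is the strength of
    # the wish not to use the service at all.
    return Pref.TOLERATED if prefs[0] is NULL else Pref.PREFERRED


def negotiate_list(first: PrefList, second: PrefList) -> Tuple[Outcome, Optional[str]]:
    """Claim 9: decide whether to use the service and, if so, which method.

    Returns (outcome, method); method is None unless the outcome is USE.
    """
    outcome = negotiate_value(strength(first), strength(second))
    if outcome is not Outcome.USE:
        return outcome, None
    # "A match is found": take the first node's highest-priority method that
    # the second node also lists (tie-break is an assumption of this example).
    common = [m for m in first if m is not NULL and m in second]
    if common:
        return Outcome.USE, common[0]
    # No shared method. The claim does not cover this case; this example
    # assumes the nodes proceed without the service only if neither required it.
    if Pref.REQUIRED in (strength(first), strength(second)):
        return Outcome.ABORT, None
    return Outcome.SKIP, None


if __name__ == "__main__":
    # Constructed sample lists; the method names are illustrative only.
    client = ["aes-256-gcm", "aes-128-gcm", NULL]        # preferred, not essential
    server = [NULL, "aes-128-gcm", "chacha20-poly1305"]  # tolerated only
    print(negotiate_value(Pref.REQUIRED, Pref.TOLERATED))
    print(negotiate_list(client, server))
```

With the sample lists above the client is classed as preferred and the server as tolerated, so under claim 1 the service is used, and the only shared method, aes-128-gcm, is selected. A server list of only the null against a client list with no null is the required-versus-rejected case, and the functions report that communication should not proceed.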
11. An apparatus for determining whether a security service will be used in a networked computer environment comprising:
- a first node configured to select a first preference value for the security service;
- a second node configured to select a second preference value for the security service, at least one of the first or second preference values being selected from a set comprising a value representing that the security service is required, a value representing that the security service is rejected, a first intermediate value representing that the security service is preferred but is not essential, and a second intermediate value representing that the security service is not preferred but will be tolerated, said second node further configured to receive the first preference value and determine whether the security service will be used by comparing the first preference value with the second preference value, to determine that the security service will be used when neither the first nor the second preference value represents that the security service is rejected and both preference values do not include the second intermediate value, to determine that the security service will not be used and that communication between the first and second nodes should proceed when both preference values include the second intermediate value, or when one preference value represents that the security service is rejected and the other preference value does not represent that the security service is required, and to determine that communication between the first and second nodes should not proceed when one of the preference values includes the value representing that the security service is required and the other preference value includes the value representing that the security service is rejected; and
- a network connecting said first node and said second node, and adapted to transmit from said first node to said second node the first preference value.
Dependent claims: 12, 13, 24.
14. A computer-readable medium which can be used to direct a computer node in a networked computer environment to determine whether a security service will be used for communication between a first node and a second node, comprising:
- means for directing the first node to select a first preference value;
- means for directing a second node to select a second preference value, at least one of the first or second preference values being selected from a set comprising a value representing that the security service is required, a value representing that the security service is rejected, a first intermediate value representing that the security service is preferred but is not essential, and a second intermediate value representing that the security service is not preferred but will be tolerated;
- means for directing the first node to transmit the first preference value to the second node;
- means for directing the second node to determine whether the security service will be used by comparing the first preference value with the second preference value, to determine that the security service will be used when neither the first nor the second preference value represents that the security service is rejected and both preference values do not include the second intermediate value, and to determine that the security service will not be used and that communication between the first and second nodes should proceed when both preference values include the second intermediate value, or when one preference value represents that the security service is rejected and the other preference value does not represent that the security service is required; and
- means for directing the second node to find that communication between the first and second nodes should not proceed when one of the preference values includes the value representing that the security service is required and the other preference value includes the value representing that the security service is rejected.
Dependent claims: 15, 16, 17.
25. An apparatus for determining whether a security service will be used in a networked computer environment comprising:
- a first node configured to create a first preference list;
- a second node configured to create a second preference list, wherein the first and second preference lists include acceptable methods for the security service, each of the first and second preference lists being ordered by priority and including a null value when the security service is not essential, the null value representing not using the security service, and the position of the null value in each ordered preference list indicates strength of preference for not using the security service; and
- a network connecting said first and second nodes, and adapted to communicate between the first and second node at least one of the first and second preference lists, wherein said second node is further configured to compare the first preference list with the second preference list, to determine that the security service will be used when both the first and second preference lists include methods other than the null value, both preference lists do not indicate that the security service is not preferred but will be tolerated, and a match is found between the first and second preference lists, and to select a method for the security service by selecting a method contained in both preference lists.
Dependent claims: 26.
27. A computer-readable medium which can be used to direct a computer node in a networked computer environment to determine whether a security service will be used during communication between a first node and a second node and to select a method for the security service, comprising:
- means for directing the first node to create a first preference list;
- means for directing the second node to create a second preference list, the first and second preference lists including acceptable methods for the security service, each of the first and second preference lists being ordered by priority and including a null value when the security service is not essential, wherein the null value represents not using the security service, and the position of the null value in each ordered preference list indicates strength of preference for not using the security service;
- means for directing the first node to communicate the first preference list to the second node;
- means for directing the second node to compare the first preference list with the second preference list;
- means for directing the second node to determine that the security service will be used when both the first and second preference lists include methods other than the null value, both preference lists do not indicate that the security service is not preferred but will be tolerated, and a match is found between the first and second preference lists; and
- means for directing the second node to select a method for the security service by selecting a method contained in both preference lists.
Dependent claims: 28.