Method and system for network security capable of doing stronger encryption with authorized devices

US 6,965,992 B1
Filed: 02/24/2000
Issued: 11/15/2005
Est. Priority Date: 02/24/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A system for network security comprising:

a first network device having a first encryption key, the first encryption key including a first base key and a key extension in addition to the first base key, the key extension being based on a hash function of an internal key and a network device identifier;

a second network device having the first encryption key and a second encryption key, the second encryption key including a second base key, wherein the second network device is capable of communicating with the first network device using security determined by the first encryption key; and

a third network device having the second encryption key, wherein the third network device is capable of communicating with the second network device using security determined by the second encryption key;

wherein the first encryption key is used to encrypt and decrypt communications between the first and second network devices, and the second encryption key is used to encrypt and decrypt communications between the second and third network devices; and

wherein the security determined by the first encryption key is stronger than the security determined by the second encryption key.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for network security includes a first network device having a first set of key material with a base key and a key extension, and a second network device also having the first set of key material and a second set of key material with a second base key. The second network device is capable of communicating with the first network device using security determined by the first set of key material. The method and system for network security may further include a third network device having the second set of key material. The third network device is capable of communicating with the second network device using security determined by the second set of key material. For the present method and system, security determined by the first set of key material is stronger than security determined by the second set of key material.

114 Citations

32 Claims

1. A system for network security comprising:
- a first network device having a first encryption key, the first encryption key including a first base key and a key extension in addition to the first base key, the key extension being based on a hash function of an internal key and a network device identifier;
  
  a second network device having the first encryption key and a second encryption key, the second encryption key including a second base key, wherein the second network device is capable of communicating with the first network device using security determined by the first encryption key; and
  
  a third network device having the second encryption key, wherein the third network device is capable of communicating with the second network device using security determined by the second encryption key;
  
  wherein the first encryption key is used to encrypt and decrypt communications between the first and second network devices, and the second encryption key is used to encrypt and decrypt communications between the second and third network devices; and
  
  wherein the security determined by the first encryption key is stronger than the security determined by the second encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1 wherein the first encryption key has a bit length that is longer than a bit length of the second encryption key.
  - 3. The system of claim 2 wherein the first encryption key has a length of greater than a threshold number of bits, and the second encryption key has a length of no greater than the threshold number of bits.
  - 4. The system of claim 3 wherein the threshold is 64 bits.
  - 5. The system of claim 1 wherein the first network device is located in a first jurisdiction, and the second network device is located in a second jurisdiction outside of the first jurisdiction.
  - 6. The system of claim 1 wherein the first and second base keys are each based on at least a pro-shared key and a computed private key.
  - 7. The system of claim 6 wherein the computed private key is a Diffie-Hellman key.
  - 8. The system of claim 1 wherein the network device identifier is a software serial number.

9. A system for network security comprising:
- a first network device having a first encryption key, the first encryption key including a first base key and a first key extension in addition to the first base key, and a second encryption key, the second encryption key including a second base key and a second key extension in addition to the second base key, each of the first and second key extensions being based on a hash function of an internal key and a network device identifier;
  
  a second network device having the first encryption key and a third encryption key, the third encryption key including a third base key, wherein the second network device is capable of communicating with the first network device using security determined by the first encryption key; and
  
  a third network device having the second encryption key and the third encryption key, the third network device being capable of communicating with the first network device using security determined by the second encryption key, and the third network device also being capable of communicating with the second network device using security determined by the third encryption key;
  
  wherein the first encryption key is used to encrypt and decrypt communications between the first and second network devices, the second encryption key is used to encrypt and decrypt communications between the first and third network devices, and the third encryption key is used to encrypt and decrypt communications between the second and third network devices;
  
  wherein the security determined by the first encryption key is stronger than the security determined by the third encryption key; and
  
  wherein the security determined by the second encryption key is stronger than the security determined by the third encryption key.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9 wherein the first and second encryption keys each have a bit length that is longer than a bit length of the third encryption key.
  - 11. The system of claim 10 wherein the first and second encryption keys each have a length of greater than a threshold number of bits, and the third encryption key has a length of no greater than the threshold number of bits.
  - 12. The system of claim 11 wherein the threshold is 64 bits.
  - 13. The system of claim 9 wherein the first network device is located in a first jurisdiction, and the second network device is located in a second jurisdiction outside of the first jurisdiction.
  - 14. The system of claim 9 wherein the first, second, and third base keys are each based on at least a pre-shared key and a computed private key.
  - 15. The system of claim 14 wherein the computed private key is a Diffie-Hellman key.
  - 16. The system of claim 9 wherein the network device identifier is a software serial number.

17. A method for network security comprising the steps of:
- providing a first network device, a second network device, and a third network device;
  
  establishing a first secure communication between the first and second network devices based on a first encryption key, the first encryption key having a base key and a key extension in addition to the base key;
  
  establishing a second secure communication between the second and third network devices based on a second encryption key;
  
  basing each of the base key and the second encryption key on at least a pre-shared key and a computed private key;
  
  basing the key extension on a hash function of an internal key and a network device identifier; and
  
  using a stronger security for the first secure communication than the second secure communication;
  
  wherein using the stronger security for the first secure communication than the second secure communication comprises using security determined by the first encryption key for the first secure communication, the first encryption key being used to encrypt and decrypt communications between the first and second network devices, and using security determined by the second encryption key for the second secure communication, the second key being used to encrypt and decrypt communications between the second and third network devices; and
  
  wherein the security determined by the first encryption key is stronger than the security determined by the second encryption key.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17 wherein the second encryption key is identical to the base key.
  - 19. The method of claim 17 further comprising the steps of using a length of greater than a threshold number of bits for the first encryption key, and using a length of no greater than the threshold number of bits for the second encryption key.
  - 20. The method of claim 19 wherein the threshold is 64 bits.
  - 21. A computer readable medium having stored therein instructions for causing at least one central processing unit to execute the method of claim 17.

22. A method for network security comprising the steps of:
- providing a first network device, a second network device, and a third network device;
  
  negotiating a first secure communication between the first and second network devices based on a first authentication key, the first authentication key having a base key and a key extension in addition to the base key;
  
  deriving a first encryption key from the negotiation of the first secure communication;
  
  negotiating a second secure communication between the second and third network devices based on a second authentication key;
  
  deriving a second encryption key from the negotiation of the second secure communication;
  
  basing each of the base key and the second authentication key on at least a pre-shared key and a computed private key;
  
  basing the key extension on a hash function of an internal key and a network device identifier; and
  
  using a stronger security for the first secure communication than the second secure communication;
  
  wherein using the stronger security for the first secure communication than the second secure communication comprises using security determined by the first encryption key for the first secure communication, the first encryption key being used to encrypt and decrypt communications between the first and second network devices, and using security determined by the second encryption key for the second secure communication, the second encryption key being used to encrypt and decrypt communications between the second and third network devices; and
  
  wherein the security determined by the first encryption key is stronger than the security determined by the second encryption key.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The method of claim 22 wherein the second authentication key is identical to the base key.
  - 24. The method of claim 22 further comprising the steps of using a length of greater than a threshold number of bits for the first encryption key and using a length of no greater than the threshold number of bits for the second encryption key.
  - 25. The method of claim 24 wherein the threshold is 64 bits.
  - 26. A computer readable medium having stored therein instructions for causing at least one central processing unit to execute the method of claim 22.

27. A system for network security comprising:
- a first network device having a first authentication key, the first authentication key including a first base key and a key extension in addition to the first base key, the key extension being based on a hash function of an internal key and a network device identifier;
  
  a second network device having the first authentication key and a second authentication key, the second authentication key including a second base key, wherein the first and second devices are capable of using the first authentication key to negotiate a first encryption key so as to communicate using security determined by the first encryption key; and
  
  a third network device having the second authentication key, wherein the second and third network devices are capable of using the second authentication key to negotiate a second encryption key so as to communicate using security determined by the second encryption key;
  
  wherein the first encryption key is used to encrypt and decrypt communications between the first and second network devices, and the second encryption key is used to encrypt and decrypt communications between the second and third network devices; and
  
  wherein the security determined by the first encryption key is stronger than the security determined by the second encryption key.
- View Dependent Claims (28, 29)
- - 28. The system of claim 27 wherein the first encryption key has a length of greater than a threshold number of bits, and the second encryption key has a length of no greater than a threshold number of bits.
  - 29. The system of claim 28 wherein the threshold is 64 bits.

30. A system for network security comprising:
- a first network device having a first authentication key, the first authentication key including a first base key and a first key extension in addition to the first base key, and a second authentication key, the second authentication key including a second base key and a second key extension in addition to the second base key, each of the first and second key extensions being based on a hash function of an internal key and a network device identifier;
  
  a second network device having the first authentication key and a third authentication key, the third authentication key including a third base key, wherein the first and second network devices are capable of using the first authentication key to negotiate a first encryption key so as to communicate using security determined by the first encryption key; and
  
  a third network device having the second authentication key and the third authentication key, the first and third network devices being capable of using the second authentication key to negotiate a second encryption key so as to communicate using security determined by the second encryption key, and the second and third network devices being capable of using the third authentication key to negotiate a third encryption key so as to communicate using security determined by the third encryption key;
  
  wherein the first encryption key is used to encrypt and decrypt communications between the first and second network devices, the second encryption key is used to encrypt and decrypt communications between the first and third network devices, and the third encryption key is used to encrypt and decrypt communication between the second and third network devices, andwherein the security determined by the first encryption key is stronger than the security determined by the third encryption key; and
  
  wherein the security determined by the second encryption key is stronger than security determined by the third encryption key.
- View Dependent Claims (31, 32)
- - 31. The system of claim 30 wherein the first and second encryption keys each have a length of greater than a threshold number of bits, and the third encryption key has a length of no greater than a threshold number of bits.
  - 32. The system of claim 31 wherein the threshold is 64 bits.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Joseph, Boby, Freed, Michael, Borella, Michael S.
Primary Examiner(s)
Barron, Gilberto
Assistant Examiner(s)
Lanier, Benjamin E.

Application Number

US09/511,751
Time in Patent Office

2,091 Days
Field of Search

713/153, 380/281, 380/284
US Class Current

713/153
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/164   at the network layer

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0866   involving user or device id...

H04L 9/088   Usage controlling of secret...

Method and system for network security capable of doing stronger encryption with authorized devices

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for network security capable of doing stronger encryption with authorized devices

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links