System and method for transmitting and receiving secure data in a virtual private group

US 7,231,664 B2
Filed: 09/04/2002
Issued: 06/12/2007
Est. Priority Date: 09/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method for transmitting secure data from a first node to a second node, the method comprising:

modifying the network stack below the application layer to include virtual private group functionality;

accessing a group membership table with a process functioning below the application layer in the network stack on the first node, the group membership table having group membership information for each group, including a first group, to which the first node belongs and group security information associated with each group, wherein the first group has two or more members;

checking the group membership table with a process functioning below the application layer in the network stack to determine if the second node is a member of the first group; and

if the second node is a member of the first group, encrypting a data packet using the group security information associated with the first group, processing the encrypted data packet, and transmitting the encrypted data packet from the first node to the second node.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A novel system and method for transmitting and receiving secure data in a virtual private group (VPG). In one embodiment, a method for transmitting secure data from a first node to a second node includes accessing a group membership table on the first node, the group membership table having group membership information for each group, including a first group, to which the first node belongs and group security information associated with each group, wherein the first group has two or more members, and checking the group membership table to determine if the second node is a member of the first group. If the second node is a member of the first group, the method further includes encrypting a data packet using the group security information associated with the first group, processing the encrypted data packet, and transmitting the encrypted data packet from the first node to the second node.

63 Citations

View as Search Results

35 Claims

1. A method for transmitting secure data from a first node to a second node, the method comprising:
- modifying the network stack below the application layer to include virtual private group functionality;
  
  accessing a group membership table with a process functioning below the application layer in the network stack on the first node, the group membership table having group membership information for each group, including a first group, to which the first node belongs and group security information associated with each group, wherein the first group has two or more members;
  
  checking the group membership table with a process functioning below the application layer in the network stack to determine if the second node is a member of the first group; and
  
  if the second node is a member of the first group, encrypting a data packet using the group security information associated with the first group, processing the encrypted data packet, and transmitting the encrypted data packet from the first node to the second node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the accessing of the group membership table includes adding a group member to one of the groups.
  - 3. The method of claim 1, wherein the accessing of the group membership table includes removing a group member from one of the groups.
  - 4. The method of claim 1, wherein the accessing of the group membership table includes managing a plurality of group member entries for each group in the group membership table, each group member entry having a node address and group security association information.
  - 5. The method of claim 1, wherein the accessing of the group membership table includes managing a plurality of group member entries for each group in the group membership table, each group member entry having an Internet Protocol address and group security association information.
  - 6. The method of claim 5, wherein the checking of the group membership table includes checking the group membership table to determine if one of the group member entries for the first group includes the Internet Protocol address of the second node.
  - 7. The method of claim 1, wherein the encrypting of the data packet includes encrypting the data packet using a symmetric encryption algorithm.
  - 8. The method of claim 1, wherein the encrypting of the data packet includes encapsulating the data packet using an Encapsulating Security Payload header.
  - 9. The method of claim 1, wherein the processing of the encrypted data packet includes adding an Internet Protocol header to the encrypted data packet.

10. A method for transmitting secure data from a first node in a virtual private group to other nodes in the virtual private group, the method comprising:
- modifying the network stack below the application layer to include virtual private group functionality;
  
  accessing a group membership table with a process functioning below the application layer in the network stack on the first node, the group membership table having group security information associated with the virtual private group;
  
  checking the group membership table with a process functioning below the application layer in the network stack to verify that the other nodes are members of the virtual private group; and
  
  upon such verification, encrypting data using the group security information associated with the virtual private group, processing the encrypted data packet, and transmitting the encrypted data packet from the first node to each of the other nodes in the virtual private group.

11. A method for receiving secure data on a first node that is sent from a second node, the method comprising:
- modifying the network stack below the application layer to include virtual private group functionality;
  
  accessing a group membership table with a process functioning below the application layer in the network stack on the first node, the group membership table having group membership information for each group, including a first group, to which the first node belongs and group security information associated with each group, wherein the first group has two or more members;
  
  checking the group membership table with a process functioning below the application layer in the network stack to determine if the second node is a member of the first group; and
  
  if the second node is a member of the first group, validating an encrypted data packet that has been sent from the second node, decrypting the encrypted data packet using the group security information associated with the first group, and processing the decrypted data packet.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the accessing of the group membership table includes adding a group member to one of the groups.
  - 13. The method of claim 11, wherein the accessing of the group membership table includes removing a group member from one of the groups.
  - 14. The method of claim 11, wherein the accessing of the group membership table includes managing a plurality of group member entries for each group in the group membership table, each group member entry having a node address and group security association information.
  - 15. The method of claim 11, wherein the accessing of the group membership table includes managing a plurality of group member entries for each group in the group membership table, each group member entry having an Internet Protocol address and group security association information.
  - 16. The method of claim 15, wherein the checking of the group membership table includes checking the group membership table to determine if one of the group member entries for the first group includes the Internet Protocol address of the second node.
  - 17. The method of claim 11, wherein the validating of the encrypted data packet includes authenticating the encrypted data packet using the group security information associated with the first group.
  - 18. The method of claim 11, wherein the decrypting of the encrypted data packet includes decrypting the encrypted data packet using a symmetric encryption algorithm.
  - 19. The method of claim 11, wherein the decrypting of the encrypted data packet includes decrypting the encrypted data packet using an Encapsulating Security Payload header.
  - 20. The method of claim 11, wherein the processing of the decrypted data packet includes filtering the decrypted data packet to detect unauthorized packets.

21. A node for transmitting secure data to a device, the node comprising:
- a processor;
  
  a memory; and
  
  a computer-readable medium having computer-executable instructions stored thereon, the computer-executable instructions to be executed by the processor from the memory to;
  
  modify the network stack below the application layer to include virtual private group functionality;
  
  access a group membership table with a process functioning below the application layer in the network stack on the node, the group membership table having group membership information for each group, including a first group, to which the node belongs and group security information associated with each group, wherein the first group has two or more members;
  
  verify from the group membership table with a process functioning below the application layer in the network stack that the device is also a member of the first group;
  
  encrypt a data packet using the group security information associated with the first group;
  
  process the encrypted data packet; and
  
  transmit the encrypted data packet to the device.
- View Dependent Claims (22, 23)
- - 22. The node of claim 21, wherein the group membership table includes a plurality of group member entries for each group, and wherein each group member entry includes a node address and group security association information.
  - 23. The node of claim 21, wherein the group membership table includes a plurality of group member entries for each group, and wherein each group member entry includes an Internet Protocol address and group security association information.

24. A node for transmitting secure data to a device, the node comprising:
- a processing unit; and
  
  a network interface device coupled to the processing unit, the network interface device having a processor, a memory, and a computer-readable medium containing computer-executable instructions stored thereon, the computer-executable instructions to be executed by the processor from the memory to;
  
  modify the network stack below the application layer to include virtual private group functionality;
  
  access a group membership table with a process functioning below the application layer in the network stack on the node, the group membership table having group membership information for each group, including a first group, to which the node belongs and group security information associated with each group, wherein the first group has two or more members;
  
  verify from the group membership table with a process functioning below the application layer in the network stack that the device is also a member of the first group;
  
  encrypt a data packet using the group security information associated with the first group;
  
  process the encrypted data packet; and
  
  transmit the encrypted data packet to the device.
- View Dependent Claims (25, 26)
- - 25. The node of claim 24, wherein the group membership table includes a plurality of group member entries for each group, and wherein each group member entry includes a node address and group security association information.
  - 26. The node of claim 24, wherein the group membership table includes a plurality of group member entries for each group, and wherein each group member entry includes an Internet Protocol address and group security association information.

27. A node for receiving secure data from a device, the node comprising:
- a processor;
  
  a memory; and
  
  a computer-readable medium having computer-executable instructions stored thereon, the computer-executable instructions to be executed by the processor from the memory to;
  
  modify the network stack below the application layer to include virtual private group functionality;
  
  access a group membership table with a process functioning below the application layer in the network stack on the node, the group membership table having group membership information for each group, including a first group, to which the node belongs and group security information associated with each group, wherein the first group has two or more members;
  
  verify from the group membership table with a process functioning below the application layer in the network stack that the device is also a member of the first group;
  
  validate an encrypted data packet that has been sent from the device;
  
  decrypt the encrypted data packet using the group security information associated with the first group; and
  
  process the decrypted data packet.
- View Dependent Claims (28, 29)
- - 28. The node of claim 27, wherein the group membership table includes a plurality of group member entries for each group, and wherein each group member entry includes a node address and group security association information.
  - 29. The node of claim 27, wherein the group membership table includes a plurality of group member entries for each group, and wherein each group member entry includes an Internet Protocol address and group security association information.

30. A node for receiving secure data from a device, the node comprising:
- a processing unit; and
  
  a network interface device coupled to the processing unit, the network interface device having a processor, a memory, and a computer-readable medium containing computer-executable instructions stored thereon, the computer-executable instructions to be executed by the processor from the memory to;
  
  modify the network stack below the application layer to include virtual private group functionality;
  
  access a group membership table with a process functioning below the application layer in the network stack on the node, the group membership table having group membership information for each group, including a first group, to which the node belongs and group security information associated with each group, wherein the first group has two or more members;
  
  verify from the group membership table with a process functioning below the application layer in the network stack that the device is also a member of the first group;
  
  validate an encrypted data packet that has been sent from the device;
  
  decrypt the encrypted data packet using the group security information associated with the first group; and
  
  process the decrypted data packet.
- View Dependent Claims (31, 32)
- - 31. The node of claim 30, wherein the group membership table includes a plurality of group member entries for each group, and wherein each group member entry includes a node address and group security association information.
  - 32. The node of claim 30, wherein the group membership table includes a plurality of group member entries for each group, and wherein each group member entry includes an Internet Protocol address and group security association information.

33. A system for secure group communications, ;
- the system comprising;
  
  a policy server;
  
  a first communication network connected to a public communications network by a first firewall;
  
  a second communication network connected to the public communications network by a second firewall;
  
  a first virtual private group member node including a network interface device connected to the first communication network;
  
  a second virtual private group member node including a network interface device connected to the second communication network;
  
  wherein the first and second virtual private group member node'"'"'s network interface device includes a processor, a memory, a network stack modified below the application layer to include virtual private group functionality, and a computer-readable medium having computer-executable instructions stored thereon, the computer-executable instructions to be executed by the processor form the memory on the first virtual private group member node to;
  
  receive from the policy server a group membership table, the group membership table having group membership information for each group, including a first group, to which the first virtual private group member node belongs and group security information associated with each group, wherein the first group has two or more members;
  
  access the group membership table with a process functioning below the application layer in the network stack on the first virtual private group member node;
  
  verify from the group membership table with a process functioning below the application layer in the network stack that the second virtual private group member node is also a member of the first group;
  
  encrypt a data packet using the group security information associated with the first group;
  
  process the encrypted data packet; and
  
  transmit the encrypted data packet to the second virtual private group member node.
- View Dependent Claims (34, 35)
- - 34. The system of claim 33 wherein the computer-executable instructions to be executed by the processor form the memory on the second virtual private group member node to:
    - receive from the policy server a group membership table, the group membership table having group membership information for each group, including a first group, to which the second virtual private group member node belongs and group security information associated with each group, wherein the first group has two or more members;
      
      access the group membership table with a process functioning below the application layer in the network stack on the second virtual private group member node;
      
      verify from the group membership table with a process functioning below the application layer in the network stack that the first virtual private group member node is also a member of the first group;
      
      receive the encrypted data packet sent from the first virtual private group member;
      
      decrypt the encrypted data packet using the group security information associated with the first group; and
      
      process the decrypted data packet.
  - 35. The system of claim 33 further comprising:
    - a third virtual private group member node including a network interface device connected to the first communication network;
      
      wherein the third virtual private group member node'"'"'s network interface device includes a processor, a memory, a network stack modified below the application layer to include virtual private group functionality, and a computer-readable medium having computer-executable instructions stored thereon, the computer-executable instructions to be executed by the processor form the memory to;
      
      receive from the policy server a group membership table, the group membership table having group membership information for each group, including a second group, to which the third virtual private group member node belongs and group security information associated with each group, wherein the second group has two or more members;
      
      access the group membership table with a process functioning below the application layer in the network stack on the third virtual private group member node;
      
      verify from the group membership table with a process functioning below the application layer in the network stack that the first virtual private group member node is also a member of the second group;
      
      encrypt a data packet using the group security information associated with the second group;
      
      process the encrypted data packet; and
      
      transmit the encrypted data packet to the first virtual private group member node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Markham, Thomas R., Meredith, Lynn Marquette, Lowe, Geoffrey A., Hanzlik, Robert Otto
Primary Examiner(s)
Arani; Taghi T.

Application Number

US10/234,224
Publication Number

US 20040044908A1
Time in Patent Office

1,742 Days
Field of Search

726/15, 726/27, 713/163, 709/229, 705/59, 455/445
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0435   wherein the sending and rec...

H04L 63/065   for group communications cr...

H04L 63/20   for managing network securi...

System and method for transmitting and receiving secure data in a virtual private group

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

35 Claims

Specification

Use Cases

Quick Links

Others

System and method for transmitting and receiving secure data in a virtual private group

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

35 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others