Method to use a virtual private network using a public network

US 7,251,825 B2
Filed: 07/29/2002
Issued: 07/31/2007
Est. Priority Date: 07/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method to use a virtual private network (VPN) having a plurality of units connected to a public network, each unit having a security device which includes at least a unique number UA, said virtual private network including a first unit generating a right Dn associated to the unique number UAn and at least one second unit Um, the security device of the at least one second unit receiving the right Dn from said first unit, the method comprising:

encrypting the data sent by unit Un and a description of the right Dn necessary for the decryption of the data, by an encryption data key KS,creating a control data block that includes the encryption data key KS and the description of the right necessary for the decryption of the data,receiving the encrypted data and the description of the right Dn by the at least one second unit Um, and receiving the control data block by the at least one second unit Um, andpresenting the encrypted control data block to the security device of the at least one second unit Um to verify if the right Dn is present in the security module of the at least one second unit,wherein if the right Dn is present, then using the encryption data key KS to decrypt the encrypted data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments relate to exchanging data between several computers or multimedia units through a public network while guaranteeing at the same time the confidentiality of these data. Specifically, the creation and use of a virtual private network (VPN) is disclosed. The virtual private network (VPN) may have a plurality of units connected to a public network, each unit having a security device which may have a unique number UA1. The method may include generating a right Dn associated to the unique number UAn, by the security device of a unit Un, transferring the right Dn to the security device of at least one second unit Um, encrypting the data sent by unit Un and the description of the Dn right by a encryption data key KS, and receiving the encrypted data by the second unit Um, wherein the encrypted data is presented to the security device of the second unit Um to verify if the right Dn is present, and if the right Dn is present, then decrypting the data by the encryption data key KS.

16 Citations

View as Search Results

19 Claims

1. A method to use a virtual private network (VPN) having a plurality of units connected to a public network, each unit having a security device which includes at least a unique number UA, said virtual private network including a first unit generating a right Dn associated to the unique number UAn and at least one second unit Um, the security device of the at least one second unit receiving the right Dn from said first unit, the method comprising:
- encrypting the data sent by unit Un and a description of the right Dn necessary for the decryption of the data, by an encryption data key KS,creating a control data block that includes the encryption data key KS and the description of the right necessary for the decryption of the data,receiving the encrypted data and the description of the right Dn by the at least one second unit Um, and receiving the control data block by the at least one second unit Um, andpresenting the encrypted control data block to the security device of the at least one second unit Um to verify if the right Dn is present in the security module of the at least one second unit,wherein if the right Dn is present, then using the encryption data key KS to decrypt the encrypted data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein the right Dn is associated to an identifier of the at least one second unit Um, and the security device of the second unit verifies if the right Dn is destined for the second unit.
  - 3. The method according to claim 1, wherein a network index Ra is associated with the right Dn by the unit Un, and affiliation of another second unit Um is based on a criteria of the right Dn and the network index Ra.
  - 4. The method according to claim 2, wherein a network index Ra is associated with the right Dn by the unit Un, and affiliation of another second unit Um is based on a criteria of the right Dn and the network index Ra.
  - 5. The method according to claim 1, wherein the encryption data key KS is a session key of symmetrical type and randomly generated, the session key being encrypted by a first key Kn, and the encryption session key KS being transmitted to the at least one second unit Um.
  - 6. The method according to claim 1, wherein the encryption data key KS is a first key Kn common to a set of security device.
  - 7. The method according to claim 5, wherein the first key Kn is generated with the right Dn and transmitted to participating units by a secret service key K0 common to the units.
  - 8. The method according to claim 6, wherein the first key Kn is generated with the right Dn and transmitted to participating units by a secret service key K0 common to the units.
  - 9. The method according to claim 1, wherein the right Dn has a validity field, and further comprises:
    - adding, by the unit Un, an indication of a present date in encrypted form to a description of the right Dn, andreceiving the indication by the at least one second unit Um and verifying by the security device of the at least one second unit Um if the date is within the validity range of the right Dn.
  - 10. The method according to claim 2, wherein the right Dn has a validity field, and further comprises:
    - adding, by the unit Un, an indication of a present date in encrypted form to a description of the right Dn, andreceiving the indication by the at least one second unit Um and verifying by the security device of the at least one second unit Um if the date is within the validity range of the right Dn.
  - 11. The method according to claim 5, wherein the right Dn has a validity field, and further comprises:
    - adding, by the unit Un, an indication of a present date in encrypted form to a description of the right Dn, andreceiving the indication by the at least one second unit Um and verifying by the security device of the at least one second unit Um if the date is within the validity range of the right Dn.

12. A method to use of a virtual private network (VPN) including a plurality of units connected to a managing center (MC) through a public network, each unit having a security device which includes at least a unique number UA, said virtual private network being created by requesting the creation of a network Rn through a unit Un at the managing center (MC), by sending a right Dn and a key Kn representing the network Rn to unit Un by the managing center (MC), by requesting the registration of at least a second unit Um as part of the network Rn, at the managing center (MC), by transmitting the right Dn and the key Kn to the second unit Um, the method comprising:
- encrypting the data sent by the unit Un and the description of the right Dn necessary for the decryption of the data by an encryption data key KS,creating a control data block that includes the encryption data key KS and the description of the right Dn necessary for the decryption of the data,receiving the encrypted data and the description of the right Dn by the at least one second unit Um, and receiving the encrypted control data block by said at least one second unit Um, anddecrypting the control data block and presenting said control data block to the security device of the at least one second unit Um to verify if the right Dn is present, and if the right Dn is present, then decrypting the control data block to obtain the encryption data key KS and then decrypt the data with the encryption data key Ks.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method according to claim 12, wherein the encryption data key KS is of a symmetrical type and is generated randomly, the key being encrypted by the first Kn key, and the encrypted session key being transmitted to the second unit Um.
  - 14. The method according to claim 12, wherein the request of the registration of the second unit Um further comprises:
    - transmitting a part representing the right Dn by unit Un,presenting the part of the right Dn at the managing center by unit Um,verifying the managing center (MC) that the part corresponds to the right Dn, andtransmitting the right Dn and the key Kn to the second unit Um if the right Dn is verified.
  - 15. The method according to claim 13, wherein the request of the registration of the second unit Um further comprises:
    - transmitting a part representing the right Dn by unit Un,presenting the part of the right Dn at the managing center by unit Um,verifying the managing center (MC) so that the part corresponds to the right Dn, andtransmitting the right Dn and the key Kn to the second unit Um if the right Dn is verified.
  - 16. The method according to claim 12, wherein the request of the registration of the unit Um further comprises:
    - transmitting an identifier of the second unit Um to the managing center (MC) by the second unit Um, andtransmitting the right Dn and the key Kn to the second unit Um by the managing center.
  - 17. The method according to claim 12, wherein the managing center (MC) sends a new key Kn′
    - to members of the same network Rn at a pseudo-random interval.
  - 18. The method according to one of the claim 13, wherein the managing center (MC) sends a new key Kn′
    - to members of the same network Rn at a pseudo-random interval.
  - 19. The method according to claim 14, wherein the managing center (MC) sends a new key Kn′
    - to members of the same network Rn at a pseudo-random interval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nagravision SA (Kudelski SA)
Original Assignee
Nagravision SA (Kudelski SA)
Inventors
Collet, Daniel
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US10/206,363
Publication Number

US 20030021422A1
Time in Patent Office

1,828 Days
Field of Search

713/165, 713/156, 713/163, 713/161, 713/173, 713/176, 380201-203, 380/25, 380/282, 726 1- 7, 726 27- 32
US Class Current

726/5
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/065   for group communications cr...

H04L 63/104   Grouping of entities

Method to use a virtual private network using a public network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Method to use a virtual private network using a public network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others