Trusted communications system

US 7,367,045 B2
Filed: 08/14/2002
Issued: 04/29/2008
Est. Priority Date: 03/16/2002
Status: Active Grant

First Claim

Patent Images

1. An authentication system, the system comprising:

a first computing subsystem providing execution of a first application and, providing generation of security tags responsive to authenticating the execution of the first application;

a second computing subsystem;

wherein the security tags are transmitted to the second computing subsystem;

wherein the second computing subsystem receives the security tags and locally generates local security tags and provides validation of the authenticating of the execution of the first application, by comparing the locally generated security tags with the security tags received from the first computing subsystem;

wherein the execution of the first application further comprises sending trusted data packets to the second computing subsystem, independently of the generation of the security tags; and

wherein the second computing subsystem determines which further processing to do to the received trusted data packets, responsive to the validation by the second computing subsystem of the authenticating of the execution of the first application.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention discloses a method and system for communication that consist of an end station and a network interface, such that, the network interface is capable of determining the authenticity of the program used by the end station to generate and send data packets. The method is based on using a hidden program that was obfuscated and encrypted within the program that is used to generate and send data packets from the end station. The hidden program is being updated dynamically and it includes the functionality for generating a pseudo random sequence of security signals. Only the network interface knows how the pseudo random sequence of security signals were generated, and therefore, the network interface is able to check the validity of the pseudo random sequence of security signals, and thereby, verify the authenticity of the programs used to generate and send data packets. The method further comprises of means for coordinating the initialization of the end station and network interface.

221 Citations

41 Claims

1. An authentication system, the system comprising:
- a first computing subsystem providing execution of a first application and, providing generation of security tags responsive to authenticating the execution of the first application;
  
  a second computing subsystem;
  
  wherein the security tags are transmitted to the second computing subsystem;
  
  wherein the second computing subsystem receives the security tags and locally generates local security tags and provides validation of the authenticating of the execution of the first application, by comparing the locally generated security tags with the security tags received from the first computing subsystem;
  
  wherein the execution of the first application further comprises sending trusted data packets to the second computing subsystem, independently of the generation of the security tags; and
  
  wherein the second computing subsystem determines which further processing to do to the received trusted data packets, responsive to the validation by the second computing subsystem of the authenticating of the execution of the first application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system as in claim 1, wherein the second computing subsystem is further comprised of mapping logic for further processing of the received tasted data packets;
    - andwherein the mapping logic is further comprised of at least one of;
      
      a mapping table, decision-tree, a processing logic, a data packet processing logic, a data packet header processing decision-tree, a security tag processing logic, a data packet identification processing logic, a data packet priority processing logic, a data packet class of service processing logic, and a secure time-stamp processing logic.
  - 3. The system as in claim 1, further comprising:
    - a communications service network for coupling the first computing subsystem to a server; and
      
      wherein at least one of the first application, the generation of security tags, and the sending trusted data packets are provided via the communications service network from the server.
  - 4. The system as in claim 2, wherein the second computing subsystem provides forwarding of respective ones of the trusted data packets responsive to the mapping logic.
  - 5. The system as in claim 1, wherein the sending trusted data packets is further characterized as defining at least one of:
    - transmission rate, maximum window size, port number, destination IP, source IP, data packet priority, transmission time, authentication signature, encryption, and transmission schedule.
  - 6. The system as in claim 1, wherein the sending trusted data packets is further responsive to at least one of:
    - a predefined schedule, a secure time-stamp, renewable codes and parameters, and update codes and parameters.
  - 7. The system as in claim 1, further comprising;
    - an update controller providing update codes and parameters to the first computing subsystem; and
      
      wherein the update codes and parameters can be utilized for at least one of;
      
      modifying the first application, modifying the generation of security tags, and modifying of the trusted data packets.
  - 8. The system as in claim 7, further comprising:
    - a security management server (SMS) for providing update information to the update controller to modify at least one of;
      
      the update codes and the parameters.
  - 9. The system as in claim 1, wherein the first computing subsystem is further comprised of at least one of:
    - cryptographic modules and a smart card; and
      
      wherein said at least one of the cryptographic modules and the smart card provide for at least one of;
      
      program authentication, user authentication, cryptographic authentication, application authentication, encryption, secure time-stamp, secure execution and digital signature.
  - 10. The system as in claim 1, wherein the second computing subsystem is further comprised of validation modules;
    - andwherein the validation modules further provide for at least one of;
      
      program authentication checking, user authentication checking, cryptographic authentication checking, application authentication checking, decryption, secure time-stamp, and digital signature validation.

11. An authentication method, the method comprising:
- executing a first application on a first computing subsystem;
  
  authenticating the execution of the first application;
  
  providing generation of security tags responsive to the authenticating of the executing of the first application;
  
  transmitting the security tags to a second computing subsystem;
  
  generating local security tags at the second computing subsystem;
  
  validating, at the second computing subsystem, the authenticating by comparing the transmitted security tags with the local security tags;
  
  sending trusted data packets to the second computing subsystem independently of the generation of security tags by executing of the first application; and
  
  determining, at the second computing subsystem, which further processing to do to the trusted data packets responsive to the validating at the second computing subsystem of the authenticating of the execution of the first application.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method as in claim 11, further comprising:
    - mapping, at the second computing subsystem, the transmitted trusted data packets responsive to mapping logic; and
      
      wherein the mapping logic is further comprised of at least one of;
      
      a mapping table, decision-tree, a processing logic, a data packet processing logic, a data packet header processing decision-free, a security tag processing logic, a data packet identification processing logic, a data packet priority processing logic, a data packet class of service processing logic, and a secure time-stamp processing logic.
  - 13. The method as in claim 11, further comprising:
    - coupling the first computing subsystem to a server via a communications network; and
      
      providing at least one of the first application, the generation of security tags, and the sending the trusted data packets via the communications network from the server.
  - 14. The method as in claim 12, further comprising:
    - forwarding selected ones of the trusted data packets via the second computing subsystem responsive to the mapping logic.
  - 15. The method as in claim 11, further comprising:
    - defining of at least one of;
      
      transmission rate, maximum window size, port number, destination IP, source IP, data packet, priority, transmission time, and transmission schedule, wherein the defining is utilized in the sending of trusted data packets.
  - 16. The method as in claim 11, wherein the sending trusted data packets is further characterized as responsive to at least one of:
    - a predefined schedule, a secure time-stamp, renewable codes and parameters, and update codes and parameters.
  - 17. The method as in claim 11, further comprising:
    - providing update codes and parameters to the first computing subsystem via an update controller; and
      
      wherein the update codes and parameters can be utilized for at least one of;
      
      modifying the first application, modifying the generation of security tags, and modifying of the trusted data packets.
  - 18. The method as in claim 17, further comprising:
    - providing an update information to the update controller via a security management server (SMS) to modify at least one of;
      
      the update codes and the parameter.
  - 19. The method as in claim 11, further comprising:
    - providing, at the first computing subsystem, at least one of;
      
      cryptographic modules and a smart card, to provide at least one of;
      
      program authentication, user authentication, cryptographic authentication, application authentication, encryption, secure execution, secure time-stamp, and digital signature.
  - 20. The method as in claim 11, wherein the second computing subsystem is further comprised of validation modules;
    - andwherein the validation modules provide at least one of;
      
      program authentication checking, user authentication checking, cryptographic authentication checking, application authentication checking, decryption, secure time-stamp, and digital signature validation.

21. A method of authentication utilized between at least two computing elements, the method comprising:
- generating a unique sequence of security tags, at a first computing element, responsive to authenticating executing a first application at the first computing element;
  
  sending a data package, from the first computing element to a second computing element, independently of the generating the unique sequence of security tags;
  
  wherein the data packet includes a security portion comprising at least one of;
  
  none of the security tags and at least one of the security tags in the unique sequence of security tags;
  
  controlling communications data flow over a communications path responsive to the first computing element, to provide transmitting the data packet over the communications path;
  
  receiving the data packet and the security tags at the second computing element;
  
  authenticating the first application remotely in the second computing element responsive to validating the unique sequence of security tags received from the first computing element responsive to a compliance logic;
  
  wherein the compliance logic is responsive to the controlling of the communications data flow at the first computing element;
  
  processing the data packet at the second computing element to provide a validation result by authenticating the compliance logic by validating the respective security portion of the data packet responsive to analysis of the respective security portion and at least a portion of the data packet; and
  
  controlling communications data flow by controlling the transmitting of the data packet responsive to the validation result.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method as in claim 21, further comprising:
    - transmitting the data packet from the second computing element for further processing at least a third computing element responsive to the validation result.
  - 23. The method as in claim 22, wherein the communications path comprises at least the first computing element, the second computing element and the third computing element.
  - 24. The method as in claim 23, wherein the transmitting is responsive to the processing by at least one of:
    - the second computing clement and the third computing element.
  - 25. The method as in claim 24, wherein the processing is by at least one of:
    - the second computing element and the third computing element wherein the processing is utilized in computing of additional security tags.

26. An authentication system the system, comprising:
- a plurality of individual computing elements, wherein at least a first one of the individual computing elements provides processing of data packets in accordance with a processing protocol;
  
  wherein each of the data packets has a defined payload;
  
  a tag generator providing security tag generation comprised of operating from an initial generator state to generate a unique sequence of security tags and providing association of respective ones of the security tags each with respective ones of the data packets for transmission;
  
  wherein the security tag generation is independent of the defined payload and is responsive to the processing of the data packets in accordance with the processing protocol;
  
  means providing for transmission of the data packets with the respective associated security tags;
  
  a tag verifier, operating responsive to the respective associated security tags, from an initial verification state, to generate a unique sequence of comparison security tags which are provided for selective comparison to the respective associated security tags;
  
  wherein the tag verifier provides for authenticating at a second one of the individual computing elements that the security tag generation in the first individual computing element is properly responsive to the processing of the data packets in accordance with the processing protocol at the first one of the individual computing elements;
  
  means for coordinating the initial generator state and the initial verifier state, prior to transmission of any of the data packets;
  
  wherein the tag verifier provides the unique sequence of comparison tags responsive to the means for coordinating; and
  
  wherein further data packet processing is provided at the second one of the individual computing elements responsive to the authenticating by the tag verifier.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The system as in claim 26, wherein the tag generator provides a sequence number as part of the security tag.
  - 28. The system as in claim 27, wherein the tag verifier generates a comparison sequence number for selective comparison to the sequence number that is the part of the security tag.
  - 29. The system as in claim 27, wherein the sequence number is used at least to detect data packet loss.
  - 30. The system as in claim 26, wherein the tag generator provides a secure time-stamp as part of the security tag.
  - 31. The system as in claim 30, wherein the tag verifier generates a comparison secure time-stamp utilized to provide a selective comparison to the secure time-stamp that is the part of the security tag.

32. A method providing authentication among a plurality of computing subsystems, the method comprising:
- processing of data packets, in accordance with a first processing protocol, in at least a first one of the computing subsystems, wherein the data rackets are comprised of defined payloads;
  
  operating, from an initial generator state, for generating in the at least a first one of the computing subsystems, a unique sequence of generated security tags associated with respective ones of the data packets for transmission;
  
  wherein the generating of the unique sequence of security tags is responsive to the processing protocol, utilized in processing of the data packets with defined payloads, independently of the defined payloads;
  
  providing transmission of the data packets combined with associated ones of the generated security tags;
  
  operating from an initial verification state within at least a second one of the computing subsystems, to generate a sequence of comparison security tags;
  
  coordinating the initial generator state; and
  
  the initial verifier stateproviding the comparison security tags responsive to the coordinating;
  
  comparing a respective one of the security tags with a respective one of the comparison security tags, to provide a comparison result; and
  
  selectively processing the data packets with the defined payloads on the second one of the computing subsystems responsive to the comparison result.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. The method as in claim 32, further comprising:
    - including a sequence number as a part of the generated security tag.
  - 34. The method as in claim 33, further comprising:
    - generating a comparison sequence number for selective comparison to the sequence number that is the part of the generated security tag.
  - 35. The method as in claim 33, further comprising:
    - utilizing the sequence number at least to detect data packet loss.
  - 36. The method as in claim 32, further comprising:
    - providing a secure time-stamp as part of the generated security tag.
  - 37. The method as in claim 36, further comprising:
    - generating a comparison secure time-stamp; and
      
      comprising the comparison secure time-stamp to the secure time-stamp that is part of the generated security tag, as a part of providing the comparison result.

38. A system providing authenticating, the system comprising:
- a first computing subsystem providing processing of data packets in accordance with a first processing protocol;
  
  wherein each of the data packets is comprised of a corresponding payload and a corresponding header;
  
  a tag generator, operating from an initial generator state, and responsive to the processing of the data packets independent of the corresponding payload, and in accordance with the first processing protocol, to provide security tag generation of a unique sequence of security tags and related information associated with respective ones of the corresponding headers of the respective data packets;
  
  means providing transmission of the data packets with the respective associated security tags;
  
  a tag verifier operating within a second computing subsystem, providing authentication that the security tag generation was properly responsive to the first processing protocol at the first computing subsystem, the tag verifier operating from an initial verification state to generate a unique sequence of comparison tags for selective comparison to respective ones of the security tags, responsive to the respective related information; and
  
  wherein the tag verifier provides authentication by comparing the respective comparison tags and the respective security tags for the respective data packets.
- View Dependent Claims (39)
- - 39. The system as in claim 38, wherein the related information is at least of:
    - program authentication, user authentication, cryptographic authentication, application authentication, encryption, secure time-stamp, time-stamp, clock reading, and digital signature.

40. A method for providing authentication the method comprising:
- processing data packets in a first computing subsystem in accordance with a first processing protocol;
  
  wherein each data packet is comprised of a corresponding payload and a corresponding header;
  
  operating, from an initial generator state, to generate, independent of the corresponding payload, a sequence of security tags and related information responsive to the processing of the data packets;
  
  providing transmission of the data packets with the respective associated security tags;
  
  operating, from an initial verification states to generate, in a second computing subsystem, a unique sequence of comparison tags, responsive to the respective related information;
  
  providing synchronization of the initial generator state and the initial verification state;
  
  providing a validation result authenticating that the processing at the first computing subsystem was done in accordance with the first processing protocol, responsive to comparing the respective comparison tags and the respective associated security tags for the respective data packets; and
  
  controlling the transmission responsive to the validation result.
- View Dependent Claims (41)
- - 41. The method as in claim 40, wherein the related information is at least one of:
    - program authentication, user authentication, cryptographic authentication, application authentication, encryption, secure time-stamp, time-stamp, clock reading, and digital signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Attestwave LLC (Jeffrey M. Gross)
Original Assignee
Trustedflow Systems, Inc.
Inventors
Ofek, Yoram, Yung, Marcel Mordechay, Baldi, Mario
Primary Examiner(s)
Smithers; Matthew
Assistant Examiner(s)
Fields; Courtney D

Application Number

US10/218,993
Publication Number

US 20030177381A1
Time in Patent Office

2,085 Days
Field of Search

726/2, 726/13, 713/164, 380/255, 380/270, 380/280, 380/279, 707/9, 709/224, 709/238
US Class Current

726/2
CPC Class Codes

G06F 21/14   against software analysis o...

H04L 47/10   Flow control; Congestion co...

H04L 47/193   at the transport layer, e.g...

H04L 47/27   Evaluation or update of win...

H04L 47/283   in response to processing d...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

Y04S 40/20   Information technology spec...

Y10S 707/99939   Privileged access

Trusted communications system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

221 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted communications system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

221 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links