Private network communication system

US 7,769,996 B2
Filed: 06/15/2005
Issued: 08/03/2010
Est. Priority Date: 05/25/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for facilitating private communication between a first node on a first network and a second node on a second network via an administrative network separately connected to each of the first and second network, the administrative network comprising additional nodes that are connectable to the first and second networks, the method comprising the steps of:

a) providing each node with a gateway, each gateway connecting the node to the node'"'"'s respective network, each gateway comprising a request microprocessor, a service invoker, a service implementation, a resource adapter, a data access layer and a security layer;

b) the administrative network and the gateway of the second node authorizing the first node to access a service requested by the first node and provided by the second node;

c) the administrative network transmitting from the first node a message, processed in through the gateway connected to the second node, that includes at least i) a unique name identifier assigned to the services interface of the second node, ii) a request universal identifier that uniquely identifies a request processed through the second node gateway, and iii) a unique identifier for a participant originating the request indicating that the first node desires to access the service;

d) at least one of the administrative network and the gateway of the second node confirming the identity of the first node;

e) at least one of the administrative network and the gateway of the first node confirming the identity of the second node;

f) the administrative network establishing an encrypted private connection between the gateway at the first node and the gateway at the second node through the administrative network following the successful confirmation of the identity of the first node and the identity of the second node;

g) the administrative network transmitting a request for the service from the first node to the second node;

h) the administrative network controlling the encrypted private connection to allow the first node to access services for which the first node is authorized and to prevent access by the first node to services for which the first node is not authorized; and

i) the administrative network logging activity of the first node and the second node;

wherein the administrative network determines a relationship between the first node and the second node based on each node'"'"'s domain and its given role in at least one of that domain and an additional domain to calculate a level of risk associated with allowing access by the first node to a requested service at the second node based on the type of requested service;

wherein the services for which the first node is authorized are determined based on the relationship between the first node and the second node based on the domain of each node, and the level of risk associated with allowing access by the first node to a requested service in the second node.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure gateway is disclosed which facilitates communication between a first network and a second network through an intermediate network. The secure gateway, when operated in conjunction with at least one other secure gateway, supports secure peer to peer connectivity with integral security features such as mutual authentication, authorization specific access, and end to end auditing. An authorized service can be served securely through this gateway, across the open network, to a known requester, without fear of compromising the security or privacy of the server'"'"'s or requesters networks.

75 Citations

View as Search Results

21 Claims

1. A method for facilitating private communication between a first node on a first network and a second node on a second network via an administrative network separately connected to each of the first and second network, the administrative network comprising additional nodes that are connectable to the first and second networks, the method comprising the steps of:
- a) providing each node with a gateway, each gateway connecting the node to the node'"'"'s respective network, each gateway comprising a request microprocessor, a service invoker, a service implementation, a resource adapter, a data access layer and a security layer;
  
  b) the administrative network and the gateway of the second node authorizing the first node to access a service requested by the first node and provided by the second node;
  
  c) the administrative network transmitting from the first node a message, processed in through the gateway connected to the second node, that includes at least i) a unique name identifier assigned to the services interface of the second node, ii) a request universal identifier that uniquely identifies a request processed through the second node gateway, and iii) a unique identifier for a participant originating the request indicating that the first node desires to access the service;
  
  d) at least one of the administrative network and the gateway of the second node confirming the identity of the first node;
  
  e) at least one of the administrative network and the gateway of the first node confirming the identity of the second node;
  
  f) the administrative network establishing an encrypted private connection between the gateway at the first node and the gateway at the second node through the administrative network following the successful confirmation of the identity of the first node and the identity of the second node;
  
  g) the administrative network transmitting a request for the service from the first node to the second node;
  
  h) the administrative network controlling the encrypted private connection to allow the first node to access services for which the first node is authorized and to prevent access by the first node to services for which the first node is not authorized; and
  
  i) the administrative network logging activity of the first node and the second node;
  
  wherein the administrative network determines a relationship between the first node and the second node based on each node'"'"'s domain and its given role in at least one of that domain and an additional domain to calculate a level of risk associated with allowing access by the first node to a requested service at the second node based on the type of requested service;
  
  wherein the services for which the first node is authorized are determined based on the relationship between the first node and the second node based on the domain of each node, and the level of risk associated with allowing access by the first node to a requested service in the second node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the steps of confirming the identity of the first node and confirming the identity of the second node are performed by at least one of the additional nodes located on the administrative network.
  - 3. The method of claim 2 wherein access control is implemented by the second node through an access control list limiting the encrypted private connection only to any first node that is included in a designated category within the list.
  - 4. The method of claim 2 wherein access control comprises fine grained domain partitioning limiting access of the first node to the second node only to a defined set of activities that are available in the second network.
  - 5. The method of claim 2 wherein an access control list defines a hierarchy of multiple levels based on predetermined criteria and a first node'"'"'s access to a given second node'"'"'s service is determined by status of the first node within a hierarchical level.
  - 6. The method of claim 1 including access control located within the gateway associated with the first node allowing and disallowing to the first node certain of operations available on the second network.
  - 7. The method of claim 1 wherein confirming the identity of the first node and confirming the identity of the second node comprises at least one of confirming the identity of the participant associated with the respective node, confirming the identity of a digital device associated with the respective node, an verifying a location of a digital device associated with the respective node.
  - 8. The method of claim 1 further comprising the steps ofthe administrative network establishing an encrypted private connection through the gateway at the first node and the gateway at the second node following successful confirmation of the identity of the first node and the identity of the second node;
9. The method of claim 2 wherein at least one of the additional nodes comprises directory of available services provided by the second node.
10. The method of claim 1 further comprising the step of the gateway associated with the second node terminating the encrypted private connection between the first node and the second node following the conclusion of the first node'"'"'s access to the authorized service.

11. A system for facilitating private communication between a first node on a first network and a second node on a second network that is not the first network, wherein the first node and the second node are each connected to a gateway, the system comprising:
- a service administrative network intermediate the first network and the second network via a provided at the second node on the second network, the second node gateway configured to control access to the second node and facilitate communications from the second node;
  
  a requester generated at the first node on the first network, the gateway configured to (i) control access to the first node, (ii) facilitate communications from the first node, and (iii) transmit the request to the service provider;
  
  a first digital microprocessor located on the gateway associated with the first node that confirms an identity of the first node;
  
  a second digital microprocessor located on the gateway associated with the second node that confirms an identity of the second node;
  
  a third digital microprocessor located on the administrative network that prevents the first node from accessing an unauthorized service at the second node, wherein an encrypted private connection between the first node gateway and the second node gateway is established upon the confirmation of the identity of the first node and the confirmation of the identity of the second node in response to the request for the service from the first node, and wherein the third digital microprocessor prevents the first node from accessing an unauthorized service at the second node by controlling the encrypted private connection, the first and second digital microprocessors including a service invoker, a service implementation, a resource adapter, a data access layer and a security layer;
  
  the third digital microprocessor including a data access layer and a security layer interconnected with the first and second digital microprocessors and controlling access by the first node to services offered by allowing or disallowing to the first node certain services available from within the second node dependent upon the first node'"'"'s status as indicated in an access control list, the access control list being associated with one or more of the first digital microprocessor, the second digital microprocessor and third digital microprocessor; and
  
  a memory associated with one or more of the first digital microprocessor, the second digital microprocessor and third digital microprocessor that stores a log of activities between the first node and the second node;
  
  wherein the administrative network further comprising a risk microprocessor associated with the access control list that determines a relationship between the first node and the second node based on each node'"'"'s domain and its given role in at least one of that domain and an additional domain to calculate a level of risk associated with allowing access by the first node to a requested service at the second node based on the type of requested service;
  
  wherein the certain services available from within the second node for which the first node is allowed or disallowed are determined based on the relationship between the first node and the second node based on the domain of each node, and the level of risk associated with allowing access by the first node to a requested service in the second node.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The system of claim 11 wherein the third processor is located on either the first network or the second network wherein the system includes a fourth processor that shares control over the encrypted private connection with the third processor and a third node is located on the security layer interconnecting the first network and the second network.
  - 13. The system of claim 11 wherein the system includes at least one of:
    - the first processor confirming the identity of a device at the first node;
      
      the second processor confirming the identity of a user at the second node; and
      
      either the first processor or the second processor confirming the identity of a device at the second node.
  - 14. The system of claim 11 wherein the request for the service is outputted to a location based upon a location message that is received in response to the request to access an authorized service, and the location message is transmitted from the first node or from a third node not located on the first network or the second network.
  - 15. The system of claim 11 wherein the encrypted private connection between the first node and the second node is terminated following a provision of the requested service to the first node.
  - 16. The system of claim 11 further comprising a memory at a third node for storing a directory of available services provided by the second node, wherein the third node is not located on the first network or the second network.
  - 17. The system of claim 11 wherein the first node or the second node is implemented in software comprising a program that comprises the steps of:
    - (a) transmitting a message indicating that access to the service is desired;
      
      (b) participating in a mutual authentication process;
      
      (c) transmitting a request for the service; and
      
      (d) interacting with the service through an encrypted private connection that is established after the mutual authentication process is successfully concluded, wherein the encrypted private connection is controlled to allow access to authorized services and prevent access to unauthorized services.
  - 18. The system of claim 11 wherein the first node or the second node is implemented as a plug-in to a browser.
  - 19. The system of claim 11 wherein the first node or the second node is implemented in one of:
    - a circuit board card for a personal computer a circuit board card for a server;
      
      a chip;
      
      or stand-alone hardware.
  - 20. The system of claim 11 wherein at least one of the first node and the second node comprises an out of band output to support an out of band communication.
  - 21. The system of claim 20 wherein the out of band output is at least one of a Universal Serial Bus (USB) output, a serial bus IEEE 1394 interface output, an Ethernet data link output, and a wireless data link output.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Randall E. Orkis, William M. Randle
Original Assignee
Randall E. Orkis, William M. Randle
Inventors
Orkis, Randall E., Randle, William M.
Primary Examiner(s)
Homayounmehr; Farid

Application Number

US11/154,033
Publication Number

US 20060053290A1
Time in Patent Office

1,875 Days
Field of Search

713/153, 709238-244, 705/79
US Class Current

713/153
CPC Class Codes

G06Q 20/027   involving a payment switch ...

G06Q 20/04   Payment circuits

G06Q 20/388   using mutual authentication...

G06Q 30/04   Billing or invoicing

G06Q 40/02   Banking, e.g. interest calc...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 9/3268   using certificate validatio...

H04L 9/3273   for mutual authentication n...

Private network communication system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

75 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Private network communication system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links