System for providing security for ad hoc networked computerized devices
Abstract
A system adapted to provide communication security between computerized devices in, for example, an ad hoc or temporary networked environment. In one embodiment, the network comprises an untrusted network, and the system includes network security apparatus adapted to create security associations between devices on the network, including mutual authentication. Traffic between the associated devices may be encrypted for, e.g., data confidentiality and integrity protection. In one variant, the network security apparatus comprises a software entity disposed at least partly within the software stack of the devices. The associated devices may be, for example, fixed or portable, and may be untrusted (e.g., have an untrusted operating system).
65 Claims
1. A system, comprising:
a first, substantially portable and physically non-secure computerized device;
a second, substantially portable and physically non-secure computerized device in data communication with said first device;
a first computer program operative to run on said first computerized device and to obtain at least one temporary address for said first computerized device;
a second computer program operative to run on said first computerized device and adapted to establish a non-permanent security association between said first and second devices, said second computer program comprising a cryptographic data exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic data, said data being substantially unique to said security association; and
a third computer program operative to run on said first computerized device and adapted to seal or encrypt data sent from said first device using at least one cryptographic key;
wherein said at least one cryptographic key is derived based at least in part on first data that is uniquely associated with one of said first and second substantially portable and physically non-secure computerized devices.
Dependent claims: 2 to 20.

21. A security system adapted to permit ad hoc security associations to exist between portable computerized devices that may or may not have communicated previously, comprising:
a first, substantially portable computerized device;
a second, substantially portable computerized device;
first computer programs operative to run on respective ones of said first and second computerized devices to establish an ad hoc security association between said first and second devices, said first computer programs each comprising a cryptographic data exchange algorithm adapted to cause said first and second devices to exchange respective cryptographic data generated substantially under control of respective ones of said devices while establishing said association;
second computer programs operative to run on respective ones of said first and second devices and adapted to encrypt data sent to the other device using at least one cryptographic key; and
third computer programs operative to run on respective ones of said first and second devices and each adapted to evaluate said encrypted data sent from the other device for at least data integrity using an appended message element generated by both of said devices;
wherein said first, second and third computer programs comprise a security perimeter for end-to-end communications between said first, substantially portable communications device and said second, substantially portable communications device over a physically non-secure network.
Dependent claims: 22 to 38.

39. A network security system, comprising:
a first computerized device comprising an untrusted operating system;
a second computerized device comprising an untrusted operating system;
a first routine operative to run on said first computerized device and to obtain at least one address for said first computerized device after said first computerized device is placed in data communication with at least one another via an untrusted medium;
a second routine operative to run on said first computerized device and establish a security association between said first and second devices, said second computer program comprising an authentication algorithm adapted to cause said first computerized device and said second device to exchange cryptographic data, said data being substantially unique to said association and comprising at least one random number;
a third routine operative to run on said first computerized device and adapted to seal or encrypt data sent from said first device using at least one cryptographic key;
a fourth routine operative to run on said second computerized device and adapted to seal or encrypt data sent from said second device using at least one cryptographic key; and
a fifth routine operative to run on said first computerized device and adapted to evaluate said encrypted data sent from said second device for at least data integrity;
wherein said first and second devices are mutually authenticated with one another and further utilize cryptographic residues exchanged between said first and second computerized devices; and
wherein the first, second, third, fourth and fifth routines provide for end-to-end communications between said first computerized device and said second computerized device over a physically non-secure network.
Dependent claims: 40 to 42.

43. A security system adapted to permit at least one temporary and ad hoc security association to exist between portable computerized devices that may or may not have communicated previously, comprising:
a first, substantially portable computerized device having an untrusted operating system;
a second, substantially portable computerized device having an untrusted operating system;
first computer programs operative to run on respective ones of said first and second computerized devices to establish an ad hoc and temporary security association between said first and second devices, said first computer programs each comprising an authentication algorithm adapted to cause said first and second devices to exchange respective cryptographic data generated substantially under control of respective ones of said devices while establishing said association;
second computer programs operative to run on respective ones of said first and second devices and adapted to encrypt data sent to the other device using at least one cryptographic key; and
third computer programs operative to run on respective ones of said first and second devices and each adapted to evaluate said encrypted data sent from the other device for at least data integrity using an appended message element generated by both of said devices;
wherein said first and second substantially portable devices can mutually authenticate one another, decrypt the other's transmitted encrypted data, and evaluate the integrity of said transmitted encrypted data, without having to access a device or entity other than said first or second device.
Dependent claim: 44.

45. A system for communication between devices, the system comprising:
a first, substantially portable and physically non-secure computerized device;
a second, substantially portable and physically non-secure computerized device capable of data communication with said first device;
a first computer program operative to run on said first computerized device and to obtain a temporary address for said first computerized device;
a second computer program operative to run on said first computerized device and adapted to establish a non-permanent security association between said first and second devices, said second computer program comprising a cryptographic data exchange algorithm adapted to cause said first computerized device to exchange cryptographic data with said second device, said data being substantially unique to said security association;
a third computer program operative to run on said first computerized device and adapted to encrypt data sent from said first device using at least one cryptographic key; and
a fourth computer program operative to perform an authentication function based at least in part on device-specific information that is unique to said first, substantially portable and physically non-secure computerized device.
Dependent claims: 46 to 55.

56. A system for enabling communication, the system comprising:
a first, substantially portable and physically non-secure computerized device;
a second, substantially portable and physically non-secure computerized device capable of data communication with said first device;
a first computer program operative to run on said first computerized device and to obtain a temporary address for said first computerized device;
a second computer program operative to run on said first computerized device and adapted to establish a non-permanent security association between said first and second devices, said second computer program comprising a cryptographic data transfer algorithm adapted to cause said first computerized device to transmit cryptographic data to said second device, said data being substantially unique to said security association;
a third computer program operative to run on said first computerized device and adapted to encrypt data sent from said first device using at least one cryptographic key; and
a fourth computer program operative to perform an authentication function based at least in part on unique device-specific information for either said first, substantially portable and physically non-secure computerized device or said second, substantially portable and physically non-secure computerized device.
Dependent claims: 57 to 65.
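The independent claims above share one skeleton: each device obtains a temporary address, the two exchange cryptographic data they generate themselves (claim 39 names a random number), keys are derived from that data plus device-unique information (claim 1), traffic is sealed with those keys, and the receiver checks an appended integrity element (claims 21 and 43) without contacting any third party. The following Python is an added illustration of that skeleton and is not code from the patent or from any product it covers. It assumes a pairing secret shared out of band between the two devices (the claims do not say how mutual authentication is bootstrapped), uses a standard-library HKDF over HMAC-SHA256 for key derivation, and uses an HMAC-based keystream as a stand-in for a real cipher; the device identifiers, addresses and messages are constructed sample values.

```python
import hashlib
import hmac
import secrets


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand over HMAC-SHA256 (standard library only)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class Device:
    """One portable device with an untrusted OS; it reaches no third party."""

    def __init__(self, device_id: bytes, pairing_secret: bytes):
        self.device_id = device_id            # device-unique data (constructed serial)
        self.pairing_secret = pairing_secret  # ASSUMED: shared out of band, e.g. typed in
        self.addr = None
        self.nonce = None
        self.transcript = b""
        self.send_keys = self.recv_keys = None
        self.send_seq = self.recv_seq = 0

    def obtain_temporary_address(self) -> str:
        # "first computer program": a self-assigned, temporary link-local style address
        self.addr = "fe80::%s:%s" % (secrets.token_hex(2), secrets.token_hex(2))
        return self.addr

    def hello(self) -> dict:
        # cryptographic data generated under this device's own control: a fresh nonce
        self.nonce = secrets.token_bytes(32)
        return {"id": self.device_id, "nonce": self.nonce, "addr": self.addr}

    def derive(self, init_hello: dict, resp_hello: dict, initiator: bool) -> bytes:
        # Keys depend on both nonces (unique per association) and on both
        # device-unique ids; separate keys per direction stop a device's own
        # sealed messages being reflected back to it.  Returns the auth key.
        salt = init_hello["nonce"] + resp_hello["nonce"]
        info = b"adhoc-sa-v1|" + init_hello["id"] + b"|" + resp_hello["id"]
        prk = hmac.new(salt, self.pairing_secret, hashlib.sha256).digest()
        km = hkdf_expand(prk, info, 5 * 32)
        i2r, r2i = (km[32:64], km[64:96]), (km[96:128], km[128:160])
        self.send_keys, self.recv_keys = (i2r, r2i) if initiator else (r2i, i2r)
        self.transcript = info + salt
        return km[0:32]

    def auth_tag(self, auth_key: bytes, role: bytes) -> bytes:
        # proof of key possession over the whole transcript, labelled by role
        return hmac.new(auth_key, role + self.transcript, hashlib.sha256).digest()

    def seal(self, plaintext: bytes) -> bytes:
        # Encrypt-then-MAC.  The keystream is an HMAC-based PRF stream used only
        # for illustration; a real deployment would use an AEAD such as AES-GCM.
        enc_key, mac_key = self.send_keys
        self.send_seq += 1
        header = self.send_seq.to_bytes(4, "big") + secrets.token_bytes(12)
        keystream = hkdf_expand(enc_key, header, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
        tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def open(self, sealed: bytes) -> bytes:
        enc_key, mac_key = self.recv_keys
        if len(sealed) < 16 + 32:
            raise ValueError("truncated message")
        header, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
        expect = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            raise ValueError("integrity check failed")
        seq = int.from_bytes(header[:4], "big")
        if seq <= self.recv_seq:
            raise ValueError("replayed or reordered message")
        self.recv_seq = seq
        keystream = hkdf_expand(enc_key, header, len(ct))
        return bytes(c ^ k for c, k in zip(ct, keystream))


def establish_association(a: Device, b: Device) -> bool:
    """Addresses, nonce exchange, key derivation, then mutual authentication.
    Returns True only when each side verified the other's proof."""
    a.obtain_temporary_address()
    b.obtain_temporary_address()
    ha, hb = a.hello(), b.hello()                 # messages 1 and 2 on the wire
    ka = a.derive(ha, hb, initiator=True)
    kb = b.derive(ha, hb, initiator=False)
    # messages 3 and 4: b checks a's "init" proof, a checks b's "resp" proof
    ok_b = hmac.compare_digest(a.auth_tag(ka, b"init"), b.auth_tag(kb, b"init"))
    ok_a = hmac.compare_digest(b.auth_tag(kb, b"resp"), a.auth_tag(ka, b"resp"))
    return ok_a and ok_b


if __name__ == "__main__":
    alice = Device(b"SN-A-0001", b"pairing-code-1234")   # constructed ids and secret
    bob = Device(b"SN-B-0002", b"pairing-code-1234")
    print("associated:", establish_association(alice, bob))
    print(bob.open(alice.seal(b"hello over an untrusted link")))
```

Two points worth noticing when reading the claims against this code: the integrity element is checked before any decryption and before the sequence number is trusted, so a tampered or truncated message never reaches the plaintext path; and a device that holds a different pairing secret derives different keys, so its authentication proof fails and no association is formed, which is the "mutually authenticated ... without having to access a device or entity other than said first or second device" property of claim 43.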