Secure transport for mobile communication network

US 7,827,597 B2
Filed: 10/19/2007
Issued: 11/02/2010
Est. Priority Date: 01/08/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method for encrypting channels of data in a transaction comprising:

encryption of a first data channel in the transaction using a first security association known by a network intermediary device;

encryption of a second data channel in the transaction using a second securityassociation known by a network endpoint device but unknown to the network intermediary device,wherein the first data channel consists of control data and the second data channel consists of payload data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication network encrypts a first portion of a transaction associated with point-to-point communications using a point-to-point encryption key. A second portion of the transaction associated with end-to-end communications is encrypted using an end-to-end encryption key.

250 Citations

19 Claims

1. A method for encrypting channels of data in a transaction comprising:
- encryption of a first data channel in the transaction using a first security association known by a network intermediary device;
  
  encryption of a second data channel in the transaction using a second securityassociation known by a network endpoint device but unknown to the network intermediary device,wherein the first data channel consists of control data and the second data channel consists of payload data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1 wherein the first data channel consists of point-to-point data and the second data channel consists of end-to-end data.
  - 3. The method according to claim 1 wherein the control data in the first data channel includes transaction authentication and routing information and the payload data in the second data channel includes the contents of email messages or electronic files.
  - 4. The method according to claim 1 further comprising:
    - negotiating a first encryption key with the network intermediary device, the first encryption key used for encrypting/decrypting the control data in the first data channel; and
      
      negotiating a second encryption key with the network endpoint device, the second encryption key used for encrypting/decrypting the payload data in the second data channel.
  - 5. The method according to claim 1 further comprising leaving a third data channel in the transaction unencrypted.
  - 6. The method according to claim 1 further comprising:
    - separating different items in the transaction into different data channels;
      
      assigning different security associations to the different data channels;
      
      encoding the separated items into data groups;
      
      encrypting some or all of the data groups according to the security associations assigned to the data channels; and
      
      encoding the processed data groups into one or more packets.
  - 7. The method according to claim 1 further comprising:
    - encoding a first set of packets containing the control data in the first channel;
      
      encoding a second set of packets containing the payload data in the second channel; and
      
      encoding a packet header that contains unencrypted data, the packet header used for transporting the first and second set of packets to the network intermediary device and at least partially used to transport at least the second set of packets from the network intermediary device to the network endpoint device.

8. A network processing device, comprising:
- one or more processors configured to;
  
  receive a transaction from a first network device containing a first portion of data encrypted using a first known encryption key and a second portion of data encrypted using a second unknown encryption key;
  
  decrypt the first portion of data using the first encryption key while the second portion of data remains encrypted;
  
  using the decrypted first portion of data to authenticate the transaction; and
  
  forwarding at least a portion of the transaction to a second network device when the transaction is authenticated.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The network processing device according to claim 8 wherein the one or more processors are further configured to negotiate the first encryption key with the first network device.
  - 10. The network processing device according to claim 9 wherein the one or more processors are further configured to negotiate a third encryption key with the second network device, the first encryption key unknown to the second network device and the third encryption key unknown to the first network device.
  - 11. The network processing device according to claim 10 wherein the one or more processors are further configured to re-encrypt at least some of the decrypted first portion of data using the third encryption key, and send both the re-encrypted first portion of data with the encrypted second portion of data to the second network device.
  - 12. The network processing device according to claim 11 wherein the transaction includes a third unencrypted portion of data, the one or more processors further configured to combine at least some of the decrypted first portion of data with the third unencrypted portion of data and send the combined first and third portion of data to the second network device.

13. A method for encrypting information, comprising:
- negotiating a first encryption key with a first endpoint;
  
  receiving a transaction from the first endpoint containing control data encrypted using the first encryption key and payload data encrypted using a second unknown encryption key; and
  
  decrypting the control data to determine how to process and relay the transaction over a network to a second endpoint while the payload data remains encrypted.
- View Dependent Claims (14, 15)
- - 14. The method according to claim 13 further comprising:
    - negotiating a third encryption key with the second endpoint;
      
      re-encrypting at least some of the decrypted control data into new encrypted control data using the third encryption key; and
      
      relaying both the re-encrypted control data and the encrypted payload data to the second endpoint.
  - 15. The method according to claim 13 further comprising:
    - receiving unencrypted data in the transaction;
      
      re-encrypting the control data using a third encryption keycombining the re-decrypted control data with the unencrypted data; and
      
      relaying the re-encrypted control data, unencrypted data, and encrypted payload data to the second endpoint.

16. An apparatus comprising a non-transitory computer-readable medium having instructions, when executed by a processor or multiple communicating processors, perform a method comprising:
- negotiating a first encryption key with a first endpoint;
  
  negotiating a second encryption key with a second endpoint;
  
  receiving a transaction from the first endpoint directed to the second endpoint, the transaction including a first portion of data encrypted using the first encryption key and including a second portion of data encrypted using an unknown encryption key;
  
  decrypting the first portion of data using the first encryption key;
  
  re-encrypting at least some of the first portion of decrypted data using the second encryption key; and
  
  forwarding the re-encrypted data and the encrypted second portion of data to the second endpoint.
- View Dependent Claims (17, 18, 19)
- - 17. The apparatus according to claim 16 further comprising:
    - separating items in the received transactions into channels associated with different security associations;
      
      encoding the items in each channel into bit arrays; and
      
      encrypting or decrypting the bit arrays for each channel according to the associated security associations.
  - 18. The apparatus according to claim 16 further comprising:
    - using an encryption schema to associate different types of items in the transactions with different security associations;
      
      encrypting or decrypting items in various received or transmitted transactions according to the encryption schema.
  - 19. The apparatus according to claim 16 further comprising:
    - receiving a third portion of data in the transaction that is unencrypted; and
      
      forwarding the third portion of unencrypted data to the second endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Seven Networks LLC (SoftBank Group Corp.)
Original Assignee
Seven Networks Inc
Inventors
Boynton, Lee R., Burke, Scott M., Fiatal, Trevor A., Sikes, Mark
Primary Examiner(s)
SMITHERS, MATTHEW

Application Number

US11/875,785
Publication Number

US 20080037787A1
Time in Patent Office

1,110 Days
Field of Search

726/11
US Class Current

726/4
CPC Class Codes

H04B 7/04   using two or more spaced in...

H04B 7/0417   Feedback systems

H04B 7/0617   for beam forming

H04L 2209/80   Wireless network architectu...

H04L 51/58   Message adaptation for wire...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0428   wherein the data content is...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/0471   applying encryption by an i...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/04   specially adapted for termi...

H04L 67/1095   Replication or mirroring of...

H04L 67/14   Session management for real...

H04L 69/329   in the application layer [O...

H04L 9/3226   using a predetermined code,...

H04W 12/03   Protecting confidentiality,...

H04W 12/04   Key management, e.g. using ...

H04W 4/12 : Messaging; Mailboxes; Annou...

H04W 52/0261 : managing power supply deman...

H04W 76/10 : Connection setup

H04W 88/06 : adapted for operation in mu...

Y02D 10/00 : Energy efficient computing,...

Y02D 30/70 : in wireless communication n...

View All

Secure transport for mobile communication network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

250 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure transport for mobile communication network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

250 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links