System for providing security in a network comprising computerized devices
2 Assignments
0 Petitions
Abstract
A system useful within a network and adapted to provide communication security. In one embodiment, the network comprises an untrusted network, and the system includes network security apparatus adapted to create security associations between devices on the network, including mutual authentication. Traffic between the associated devices may be encrypted for, e.g., data confidentiality and integrity protection. In one variant, the network security apparatus comprises a software entity disposed at least partly within the software stack of the devices. The associated devices may be, for example, fixed or portable, and may also act as a gateway to other networks (including the Internet). The portable devices may be untrusted (e.g., have an untrusted operating system).
64 Claims
1. A security system adapted to permit ad hoc and temporary security associations to exist between portable computerized devices that may or may not have communicated previously, comprising:
- a first, substantially portable computerized device having a first communications and security card received substantially therein;
- a second, substantially portable computerized device having a second communications and security card received substantially therein;
- first computer programs operative to run on respective ones of said first and second computerized devices to establish a temporary ad hoc security association between said first and second devices, said first computer programs each comprising a key exchange algorithm that causes said first and second devices to exchange respective cryptographic keys over a physically non-secure network and generated substantially under control of respective ones of said cards while establishing said association, said keys being substantially unique to said association;
- second computer programs operative to run on respective ones of said first and second devices and adapted to encrypt data sent to the other device using at least one of said cryptographic keys; and
- third computer programs operative to run on respective ones of said first and second devices and each adapted to evaluate said encrypted data sent from the other device for at least data integrity using cryptographic residues generated by both of said devices.
Dependent claims: 2, 3, 4.

5. A security system comprising:
- a network access portal;
- one or more portable computerized devices having a first communications and security card received substantially therein;
- first computer programs operative to run on respective ones of said one or more computerized devices to establish an ad hoc security association between said one or more devices and said access portal, said first computer programs each comprising a key exchange algorithm that has said respective device and said portal exchange respective cryptographic keys via an unsecure transmission, with said cryptographic keys generated substantially while establishing said association, said keys being substantially unique to said association, said establishment of said association further comprising at least authentication of said one or more devices to said portal;
- second computer programs operative to run on respective ones of said one or more devices and adapted to encrypt data sent to the portal using at least one of said cryptographic keys; and
- a third computer program operative to run on said portal and adapted to evaluate said encrypted data sent from the one or more devices for at least data integrity using cryptographic residues generated by both of said devices.
Dependent claims: 6 to 17.

18. A security system, comprising:
- a first computerized device comprising a first network security apparatus; and
- a second computerized device, remote from said first computerized device, and comprising a second network security apparatus;
wherein said first network security apparatus is adapted to communicate data with said second network security apparatus resident on said second computerized device over a data network through association establishment, said association comprising a non-permanent trusted communications channel between and unique to said first network security apparatus and said second network security apparatus of said second computerized device, and where said first network security apparatus is configured to:
- receive a message sent from said second network security apparatus of said second computerized device;
- determine whether an association between said first network security apparatus and said second network security apparatus exists;
- execute a mutual authentication process, wherein said first network security apparatus is adapted to authenticate said second network security apparatus, and further adapted to authenticate itself to said second network security apparatus;
- convert at least a portion of said received message to a format utilized by said network; and
- transmit said message received from said second network security apparatus to a third network security apparatus when said association does exist;
wherein said association between said first network security apparatus and said second network security apparatus is based at least in part on the execution of a key exchange algorithm in which said first and second computerized devices remotely exchange cryptographic keys; and wherein said first network security apparatus is adapted to dynamically generate at least one encryption key for each association, said at least one key being specific to a particular session between said first network security apparatus and said second network security apparatus, said generation not requiring either (i) intervention by a network administrator; or (ii) intervention by a user of either of said computerized devices.

19. A network security system, comprising:
- a first, substantially portable computerized device;
- a second, substantially fixed computerized device;
- a first computer program operative to run on said first computerized device and to obtain at least one network address for said first computerized device when placed in data communication with a network;
- a second computer program operative to run on said first computerized device and establish a non-permanent security association between said first and second devices, said second computer program comprising a key exchange algorithm that causes said first computerized device and said second device to exchange cryptographic keys over a physically non-secure network while establishing said association, said keys being substantially unique to said association; and
- a third computer program operative to run on said first computerized device and adapted to seal or encrypt data sent from said first device using at least one of said cryptographic keys;
wherein said first device comprises a network communications interface, and a card-like structure adapted to fit at least partly within a receptacle of said first device, said card-like structure adapted to generate at least one of said cryptographic keys.
Dependent claims: 20.

21. A network security system, comprising:
- a first, substantially portable computerized device comprising a first network security apparatus;
- a substantially fixed computerized device adapted to provide network security functions and bridging between two physically unsecure networks, said substantially fixed computerized device comprising:
  - a software stack operative to run on said substantially fixed computerized device; and
  - a second network security apparatus for use with said stack, said second network security apparatus adapted to communicate data with said first network security apparatus over at least one of first and second physically unsecure data networks in data communication with said fixed computerized device by establishing an association, and where said second network security apparatus is configured to:
    - determine whether an association between said first network security apparatus and said second network security apparatus in communication with said at least one network exists;
    - convert at least a portion of a received message to a format utilized by said at least one network;
    - transmit at least portions of said message to said first network security apparatus when said association does exist; and
    - establish an association with said first network security apparatus if said association does not exist by dynamically generating at least one encryption key for each association, said act of generating not requiring intervention by an external entity other than said first, substantially portable computerized device and said substantially fixed computerized device, said at least one key being specific to a particular session between said first network security apparatus and said second network security apparatus;
wherein said substantially fixed computerized device provides said network security functions while being directly coupled only to unsecure networks.
Dependent claims: 22 to 46.

47. A security system comprising:
- a network access portal having a first communications and network security apparatus disposed therein;
- one or more portable computerized devices having respective second communications and network security apparatus disposed therein;
- first computer programs operative to run on respective ones of said one or more portable computerized devices to establish a security association between said one or more devices and said network access portal, said first computer programs each comprising a key information exchange algorithm that has said respective device and said portal dynamically generate respective cryptographic keys via information exchanged over an unsecure transmission, with said cryptographic keys generated substantially while establishing said association and said keys being substantially unique to said association, said establishment of said association further comprising at least authentication of said one or more devices to said portal;
- second computer programs operative to run on respective ones of said one or more devices to encrypt data sent to the network access portal using at least one of said cryptographic keys; and
- a third computer program operative to run on respective ones of said one or more devices to evaluate encrypted data received from the network access portal for at least data integrity using integrity information that accompanies the encrypted data received from the network access portal;
wherein said network access portal and said one or more portable computerized devices are capable of providing said network security functions while being directly coupled only to unsecure networks.
Dependent claims: 48 to 55.

56. A security system comprising:
- a network access apparatus having a first communications apparatus and a first network security apparatus disposed therein;
- a portable computerized device having respective second communications and network security apparatus disposed therein;
- a first computer program operative to run on said portable computerized device to establish a security association between said device and said network access apparatus, said first computer program comprising an information exchange algorithm that enables said portable computerized device and said network access apparatus to dynamically generate respective cryptographic keys via information exchanged between them, with said cryptographic keys generated substantially pursuant to establishing said association, said keys being substantially unique to said association, said establishment of said association further comprising at least authentication of said portable computerized device to said network access apparatus;
- a second computer program operative to run on said portable computerized device to encrypt data sent to the network access apparatus using at least one of said cryptographic keys; and
- a third computer program operative to run on said portable computerized device to evaluate encrypted data received from the network access apparatus for at least data integrity using integrity information that accompanies the encrypted data received from the network access apparatus;
wherein said network access apparatus and said portable computerized device are capable of providing said network security functions while being directly coupled to unsecure networks.
Dependent claims: 57 to 64.
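The independent claims above all describe the same shape of exchange: two parties that may never have met run a key exchange over a physically non-secure network, derive keys unique to that association without administrator or user involvement, authenticate each other (claim 18), encrypt with a derived key, and check each record for integrity using a cryptographic residue (a MAC tag) that both sides can compute. The following Python is an added illustration of that exchange, written for this page; it is not code from the patent, its specification, or its assignee. Everything beyond the claim language is an assumption made here: the names SecurityCard, Session, establish_association and run_demo; a credential provisioned on each card out of band as the authentication secret (the claims say nothing about how authentication is keyed); RFC 3526 group 14 as the Diffie-Hellman group; HKDF-SHA256 for key derivation; and an HMAC-SHA256 counter-mode keystream standing in for a production cipher such as AES-GCM. The sample device identities and credential are constructed for the demo.

```python
"""Ad hoc association between two devices over a non-secure network: ephemeral
Diffie-Hellman over RFC 3526 group 14, mutual authentication with a credential
provisioned on each card, HKDF-SHA256 per-association keys, encrypt-then-MAC records."""
import hashlib
import hmac
import secrets

# RFC 3526 "2048-bit MODP Group" (group 14), generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
        "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
        "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G, Q = 2, (P - 1) // 2  # G generates the subgroup of prime order Q
# Euler's criterion for base 2 holds for the real safe prime and fails for a mistyped one.
assert P % 8 == 7 and pow(G, Q, P) == 1, "group constant is mistyped"

class AuthError(Exception): pass
class IntegrityError(Exception): pass

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def xor_stream(key, seq, data):  # PRF in counter mode; a deployment would use AES-GCM
    blocks = [prf(key, seq.to_bytes(8, "big") + i.to_bytes(4, "big")) for i in range(-(-len(data) // 32))]
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def hkdf_sha256(salt, ikm, info, length):
    """HKDF (RFC 5869): extract, then expand with HMAC-SHA256."""
    prk, out, block, i = prf(salt, ikm), b"", b"", 1
    while len(out) < length:
        block = prf(prk, block + info + bytes([i]))
        out, i = out + block, i + 1
    return out[:length]

class SecurityCard:
    """Stand-in for the 'security card': holds the provisioned credential (assumed) and the
    ephemeral exponent, so the host only ever sees public values and derived session keys."""
    def __init__(self, device_id, credential):
        self.device_id, self._credential, self._priv = device_id, credential, None
    def ephemeral_public(self):
        self._priv = secrets.randbelow(Q - 2) + 2  # fresh exponent for every association
        return pow(G, self._priv, P)
    def shared_secret(self, peer_pub):
        # Reject values outside the order-Q subgroup (identity and small-subgroup attacks).
        if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
            raise AuthError("peer public value rejected")
        return pow(peer_pub, self._priv, P).to_bytes(256, "big")
    def authenticator(self, role, transcript):
        return prf(self._credential, role + transcript)

class Session:
    """Directional keys for one association; record = seq(8) || ciphertext || tag(32)."""
    def __init__(self, send_keys, recv_keys):
        self._send, self._recv, self._send_seq, self._recv_seq = send_keys, recv_keys, 0, -1
    def seal(self, plaintext):
        seq, self._send_seq = self._send_seq, self._send_seq + 1
        body = seq.to_bytes(8, "big") + xor_stream(self._send[0], seq, plaintext)
        return body + prf(self._send[1], body)  # encrypt-then-MAC; the tag is the "residue"
    def open(self, record):
        body, tag = record[:-32], record[-32:]
        if len(body) < 8 or not hmac.compare_digest(tag, prf(self._recv[1], body)):
            raise IntegrityError("integrity tag mismatch")  # verified before any decryption
        seq = int.from_bytes(body[:8], "big")
        if seq <= self._recv_seq:
            raise IntegrityError("replayed or reordered record")
        self._recv_seq = seq
        return xor_stream(self._recv[0], seq, body[8:])

def establish_association(initiator, responder):
    """Three-message handshake; returns (initiator_session, responder_session, wire), where
    `wire` is everything an eavesdropper on the non-secure network sees."""
    a_pub, b_pub = initiator.ephemeral_public(), responder.ephemeral_public()
    transcript = hashlib.sha256(initiator.device_id + a_pub.to_bytes(256, "big")
                                + responder.device_id + b_pub.to_bytes(256, "big")).digest()
    tag_r = responder.authenticator(b"responder", transcript)  # msg 2, answering msg 1 (a_pub)
    if not hmac.compare_digest(tag_r, initiator.authenticator(b"responder", transcript)):
        raise AuthError("responder failed to authenticate")
    tag_i = initiator.authenticator(b"initiator", transcript)  # msg 3
    if not hmac.compare_digest(tag_i, responder.authenticator(b"initiator", transcript)):
        raise AuthError("initiator failed to authenticate")
    wire = [(initiator.device_id, a_pub), (responder.device_id, b_pub, tag_r), (tag_i,)]
    k_i = hkdf_sha256(transcript, initiator.shared_secret(b_pub), b"ad hoc association v1", 128)
    k_r = hkdf_sha256(transcript, responder.shared_secret(a_pub), b"ad hoc association v1", 128)
    i2r, r2i = lambda k: (k[:32], k[32:64]), lambda k: (k[64:96], k[96:])
    return Session(i2r(k_i), r2i(k_i)), Session(r2i(k_r), i2r(k_r)), wire

def raises(exc, fn, *args):
    try: fn(*args); return False
    except exc: return True

def run_demo():
    """Happy path plus tampering, replay and an impostor card; returns the outcomes."""
    cred = b"credential-provisioned-on-both-cards"  # constructed sample secret
    card_a, card_b = SecurityCard(b"device-A", cred), SecurityCard(b"device-B", cred)
    sess_a, sess_b, wire = establish_association(card_a, card_b)
    record = sess_a.seal(b"hello over the non-secure network")
    tampered = record[:10] + bytes([record[10] ^ 1]) + record[11:]  # flip one ciphertext bit
    return {"roundtrip": sess_b.open(record) == b"hello over the non-secure network",
            "tamper_rejected": raises(IntegrityError, sess_b.open, tampered),
            "replay_rejected": raises(IntegrityError, sess_b.open, record),
            "fresh_keys": establish_association(card_a, card_b)[2][0][1] != wire[0][1],
            "impostor_rejected": raises(AuthError, establish_association, card_a, SecurityCard(b"C", b"wrong"))}

if __name__ == "__main__":
    print(run_demo())
```

Three points a reviewer would check in an implementation of these claims are visible here: the session keys are bound to the transcript (both identities and both ephemeral values), so a relay cannot splice two handshakes together; the public value is validated before use, because a 2048-bit MODP group accepts 1 and P-1 as "valid-looking" inputs that would fix the shared secret; and the receiver verifies the tag over the whole record before it decrypts or advances its sequence number, which is what makes a flipped bit and a replayed record indistinguishable from noise rather than an oracle.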