Communications security methods for supporting end-to-end security associations

US 7,937,578 B2
Filed: 10/15/2003
Issued: 05/03/2011
Est. Priority Date: 11/14/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A communications method for use in a system comprising a first, second and third nodes, and a first secret, said first secret being shared between the first and second nodes to secure communications between said first and second nodes, the method comprising:

operating the first node to establish a secure communications session with said second node using the first shared secret to secure the contents of packets communicated from the first node that are directed to the second node as part of the secure communications session, packets communicated from the first node that are directed to the second node being addressed to said second node by use of a second node destination address;

operating a third node which is coupled to said first and second nodes to maintain in memory a copy of said first shared secret; and

operating the third node to receive a secure flow of packets from the first node that are directed to said second node as part of the secure communications session.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus facilitating mobile node paging in a system where a mobile node is able to hand off application processing to an application proxy are described. Paging determinations are made based on application processing results corresponding to processing the content of multiple packet payloads. In some cases paging determinations are made based on processing the payload of a single packet in conjunction with information received from a mobile node, e.g., intermediate application processing results, mobile node state information, etc. To facilitate application processing handoffs in a manner that is transparent to a peer node involved in an ongoing communications session with the mobile node, security information may be passed between the mobile node and the application proxy node in a manner that is transparent to the peer node allowing an end to end security association to be maintained throughout the communications session with the peer node.

61 Citations

View as Search Results

51 Claims

1. A communications method for use in a system comprising a first, second and third nodes, and a first secret, said first secret being shared between the first and second nodes to secure communications between said first and second nodes, the method comprising:
- operating the first node to establish a secure communications session with said second node using the first shared secret to secure the contents of packets communicated from the first node that are directed to the second node as part of the secure communications session, packets communicated from the first node that are directed to the second node being addressed to said second node by use of a second node destination address;
  
  operating a third node which is coupled to said first and second nodes to maintain in memory a copy of said first shared secret; and
  
  operating the third node to receive a secure flow of packets from the first node that are directed to said second node as part of the secure communications session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 42)
- - 2. The method of claim 1, further comprising:
    - operating the third node to receive from said second node the first shared secret and to store the first shared secret in memory, said received first, shared secret being encrypted using a second shared secret known to the second and third nodes.
  - 3. The method of claim 2, further comprising:
    - operating said third node to receive and process packets sent from said first node as part of said established communications session, said third node sending a message to the first node indicating successful receipt of packets by said second node.
  - 4. The method of claim 3, wherein said third node uses said first shared secret to secure the message to the first node.
  - 5. The method of claim 4, wherein said third node operates as an application proxy for said second node during said secure communications session without informing said first node that the third node is acting as a proxy in the place of said second node.
  - 6. The method of claim 5, further comprising:
    - operating the third node to transmit information obtained from said communications session while said third node was acting as a proxy for said second node to said second node; and
      
      operating the second node to continue the secure communications session with the first node.
  - 7. The method of claim 1, further comprising:
    - operating the third node to inspect the secure packet flow from the first node, said step of inspecting said secure packet flow including performing at least one of a group of security steps which use the first shared secret, said group of security steps comprising;
      
      decrypting a packet, integrity checking contents of a packet, and authenticating a sender of a packet.
  - 8. The method of claim 7, further comprising:
    - operating the third node to drop the packet from the packet flow if the performed at least one of the group of security checks fails.
  - 9. The method of claim 7, further comprising:
    - operating the third node to additionally process the packets from the packet flow if no performed security check in said group of security checks fails.
  - 10. The method of claim 9, further comprising:
    - operating the third node to identify a packet with a disallowed packet payload by comparing at least a portion of the payload of each packet in the packet flow to information indicating allowed packet payloads, payloads of a type which are not indicated by said information being disallowed packet payloads.
  - 11. The method of claim 10, further comprising:
    - operating the third node to drop an identified packet with a disallowed packet payload.
  - 12. The method of claim 10, further comprising:
    - operating the third node to modify the packet payload of packets identified to include a disallowed packet payload based on stored information indicating payload modifications to be made to disallowed packet payloads.
  - 13. The method of claim 12, wherein the modified payload generated by modifying a packet payload includes a message indicating that an erroneous payload was detected at the third node.
  - 14. The method of claim 10, further comprising:
    - operating the third node to process at least two packets in the packet flow to produce at least a third packet.
  - 15. The method of claim 9, further comprising;
    - operating the third node to generate an additional packet flow from the received packet flow directed to the second node and to forward the additional packet flow to the second node, packets in said additional packet flow having a source address corresponding to the first node and a destination address corresponding to the second node, said step of generating an additional packet flow including at least one of a group of security steps which use the first shared secret, the group of security steps consisting of;
      
      encrypting a packet, adding an integrity check for the contents of the packet, and adding an authenticator check for the packet sender.
  - 16. The method of claim 1, wherein the second and third nodes each include a second secret used to secure communications between the third node and the second node, the method further comprising:
    - operating the third node to generate an additional packet flow from the received packet flow directed to the second node and to forward the additional packet flow to the second node, packets in said additional packet flow having a source address corresponding to the third node and a destination address corresponding to the second node, said step of generating an additional packet flow including at least one of a group of security steps which use the second shared secret, the group of security steps consisting of;
      
      encrypting a packet, adding an integrity check for the contents of the packet, and adding an authenticator check for the packet sender.
  - 17. The method of claim 16, further comprising:
    - operating the second node to communicate the first shared secret to the third node, the first shared secret being encrypted using the second shared secret.
  - 18. The method of claim 17, further comprising:
    - mutually authenticating the second and third nodes prior to the second node transmitting the first shared secret to the third node.
  - 42. The method of claim 1, wherein the second node destination address is a Home Address of the second node.

19. A communications system, comprising:
- a first node including a first shared secret and a communications application for establishing a secure communications session using said first shared secret to secure packets communicated as part of said secure communications session;
  
  a mobile node including said first shared secret, a second shared secret, and at least one communications application for maintaining a secure communications session with said first node using said first shared secret;
  
  an intermediate node, coupled to said first node and said mobile node, said intermediate node including said first shared secret and said second shared secret, said intermediate node including;
  
  means for processing packets re-directed away from said mobile node to said intermediate node, said redirected packets being packets which were originally directed by said first node towards said mobile node as part of a secure communications session using said first shared secret; and
  
  means for sending a message to said first node secured by said first shared secret indicating successful receipt of said packets by said mobile node.
- View Dependent Claims (20, 21)
- - 20. The communication system of claim 19, wherein said intermediate node further includes:
    - means for communicating information generated by processing packets directed to said mobile node to said mobile node in packets secured using said second shared secret, said information being the result of application processing performed on the payload of at least two data packets to generate information not present in either of the two data packets.
  - 21. The communication system of claim 20, wherein the mobile node includes means for sending said first shared secret to said intermediate node in an encrypted format resulting encryption processing using said second shared secret.

22. A communications system for use with a second node, said communications system comprising:
- a first node including;
  
  memory means for storing a first secret, said first secret being shared between the first node and the second node to secure communications between said first and second nodes; and
  
  means for establishing a secure communications session with said second node using the first shared secret to secure the contents of packets communicated from the first node that are directed to the second node as part of a secure communications session;
  
  a third node, coupled to said first and second nodes, the third node including;
  
  means for storing a copy of said first shared secret; and
  
  means for receiving a secure flow of packets from the first node that are re-directed away from said second node to said third node, said redirected packets being packets which were originally directed to said second node as part of the secure communications session.
- View Dependent Claims (23, 24)
- - 23. The communication system of claim 22, wherein said third node further includes:
    - means for receiving from said second node the first shared secret; and
      
      means for storing the first shared secret in memory, said received first shared secret being encrypted using a second shared secret known to the second and third nodes.
  - 24. The communications system of claim 22, wherein said first node is a mobile node.

25. A method of operating a third node in a system comprising a first node, a second node and said third node, a first secret being shared between the first and second nodes to secure communications between said first and second nodes, the method comprising:
- receiving from said second node the first shared secret;
  
  storing said first shared secret in memory; and
  
  receiving a secure flow of packets from the first node that are re-directed away from said second node to said third node, said redirected packets being packets which were originally directed to said second node as part of the secure communications session.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33)
- - 26. The method of claim 25, wherein said received first shared secret is received in an encrypted form, said first shared secret having been encrypted using a second shared secret known to the second and third nodes.
  - 27. The method of claim 25, further comprising:
    - processing packets received from said first node which are part of said established communications session; and
      
      sending a message to the first node indicating successful receipt of packets by said second node.
  - 28. The method of claim 27, wherein said third node uses said first shared secret to secure the message to the first node.
  - 29. The method of claim 28, wherein said third node operates as an application proxy for said second node during a portion of said secure communications session without informing said first node that the third node is acting as a proxy in the place of said second node.
  - 30. The method of claim 29, further comprising:
    - transmitting information obtained from said communications session while said third node was acting as a proxy for said second node to said second node.
  - 31. The method of claim 25, further comprising:
    - using said first shared secret to decrypt a packet included in said secure flow of packets.
  - 32. The method of claim 31, further comprising:
    - processing said decrypted packet; and
      
      communicating the result of processing said decrypted packet to said second node in an encrypted packet.
  - 33. The method of claim 25, further comprising:
    - processing at least two packets in the secure flow of packets to produce at least a third packet; and
      
      communicating the third packet to the second node.

34. A third node in a system comprising a first node, a second node and said third node, a first secret being shared between the first and second nodes to secure communications between said first and second nodes, the third node comprising:
- a receiver for receiving from said second node the first shared secret;
  
  memory in which said first shared secret is stored; and
  
  an agent module for receiving a secure flow of packets from the first node that are re-directed away from said second node to said third node, said redirected packets being packets which were originally directed to said second node as part of the secure communications session.
- View Dependent Claims (35, 36)
- - 35. The third node of claim 34, wherein said received first shared secret is received in an encrypted form, said first shared secret having been encrypted using a second shared secret known to the second and third nodes.
  - 36. The third node of claim 34, wherein said agent module includes:
    - a proxy module for processing packets received from said first node which are part of said established communications session and sending a message to the first node indicating successful receipt of packets by said second node.

37. A third node in a system comprising a first node, a second node and said third node, a first secret being shared between the first and second nodes to secure communications between said first and second nodes, the third node comprising:
- means for receiving from said second node the first shared secret;
  
  means for storing said first shared secret; and
  
  means for receiving a secure flow of packets from the first node that are re-directed away from said second node to said third node, said redirected packets being packets which were originally directed to said second node as part of the secure communications session.
- View Dependent Claims (38, 39)
- - 38. The third node of claim 37, wherein said received first shared secret is received in an encrypted form, said first shared secret having been encrypted using a second shared secret known to the second and third nodes.
  - 39. The third node of claim 37, wherein said means fore receiving a secure flow of packets includes:
    - means for processing packets received from said first node which are part of said established communications session; and
      
      means for sending a message to the first node indicating successful receipt of packets by said second node.

40. A non-transitory machine readable medium including computer executable instructions for controlling a third node in a system comprising a first node, a second node and said third node, a first secret being shared between the first and second nodes to secure communications between said first and second nodes, to perform a communications method including the steps of:
- receiving from said second node the first shared secret;
  
  storing said first shared secret in memory; and
  
  receiving a secure flow of packets from the first node that are re-directed away from said second node to said third node, said redirected packets being packets which were originally directed to said second node as part of the secure communications session.
- View Dependent Claims (41)
- - 41. The machine readable medium of claim 40, wherein said received first shared secret is received in an encrypted form, said first shared secret having been encrypted using a second shared secret known to the second and third nodes.

43. A communications method for use in a system comprising a first node, a second node and a third node, and a first secret, said first secret being shared between the first and second nodes to secure communications between said first and second nodes, the method comprising:
- operating the first node to establish a secure communications session with said second node using the first shared secret to secure the contents of packets communicated from the first node that are directed to the second node as part of the secure communications session;
  
  operating a third node which is coupled to said first and second nodes to maintain in memory a copy of said first shared secret; and
  
  operating the third node to receive a secure flow of packets from the first node that are re-directed away from said second node to said third node, said redirected packets being packets which were originally directed to said second node as part of the secure communications session.
- View Dependent Claims (44, 45, 46)
- - 44. The method of claim 43, wherein packets communicated from the first node that are directed to the second node as part of the secure communications session include a Home Address of the second node as a destination address prior to said re-direction.
  - 45. The method of claim 43, further comprising:
    - operating the third node to receive from said second node the first shared secret and to store the first shared secret in memory, said received first shared secret being encrypted using a second shared secret known to the second and third nodes.
  - 46. The method of claim 43, further comprising:
    - operating said third node to send a message to the first node indicating successful receipt of packets by said second node, in response to received redirected packets.

47. A communications method for use in a system comprising a first node, a second node and a third node, and a first secret, said first secret being shared between the first and second nodes to secure communications between said first and second nodes, the third node being on a communications path extending between said first and second nodes, the method comprising:
- operating the first node to establish a secure communications session with said second node using the first shared secret to secure the contents of packets communicated from the first node that are directed to the second node as part of the secure communications session;
  
  operating a third node which is coupled to said first and second nodes to maintain in memory a copy of said first shared secret;
  
  operating the third node to receive a secure flow of packets from the first node that are directed to said second node as part of the secure communications session; and
  
  operating the third node to intercept and process said received secure flow of packets from the first node.
- View Dependent Claims (48, 49, 50, 51)
- - 48. The method of claim 47 wherein packets directed to said second node include as a destination address a Home Address of the second node.
  - 49. The method of claim 47, further comprising:
    - operating the third node to transmit another packet flow, said another packet flow including as a source address an address corresponding to the second node and including packets generated from said intercepted packets.
  - 50. The method of claim 47, further comprising:
    - operating the third node to receive from said second node the first shared secret and to store the first shared secret in memory, said received first shared secret being encrypted using a second shared secret known to the second and third nodes.
  - 51. The method of claim 47, further comprising:
    - operating said third node, in response to receiving packets in said secure flow of packets, to send a message to the first node indicating successful receipt of packets by said second node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
O'Neill, Alan
Primary Examiner(s)
CERVETTI, DAVID GARCIA

Application Number

US10/685,720
Publication Number

US 20040098622A1
Time in Patent Office

2,757 Days
Field of Search

713/150, 713/151, 713/153, 713/160
US Class Current

713/151
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0281   Proxies

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 67/14   Session management for real...

H04L 69/16   Implementation or adaptatio...

H04L 69/167   Adaptation for transition b...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

H04W 12/03   Protecting confidentiality,...

H04W 12/08   Access security

H04W 12/10   Integrity

H04W 64/00   Locating users or terminals...

H04W 80/04   Network layer protocols, e....

Communications security methods for supporting end-to-end security associations

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Communications security methods for supporting end-to-end security associations

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links