Methods for providing security for ad hoc networked computerized devices
Abstract
Methods for providing communication security between computerized devices in, for example, an ad hoc or temporary networked environment. In one embodiment, the network comprises an untrusted network, and the method includes providing network security apparatus adapted to create security associations between devices on the network, including mutual authentication. The method further may comprise encrypting traffic between the associated devices for, e.g., data confidentiality and integrity protection by running one or more computer programs on the respective devices. In one variant, the network security apparatus comprises a software entity disposed at least partly within the software stack of the devices. The associated devices may be, for example, fixed or portable, and may be untrusted (e.g., have an untrusted operating system).
38 Claims
1. A method of providing security for portable computerized devices, comprising:
- providing a first, substantially portable computerized device;
- placing a second, substantially portable computerized device in data communication with said first device via an ad hoc communications link;
- running a first computer program on said first computerized device to obtain at least one temporary address for said first computerized device;
- running a second computer program on said first computerized device to establish a non-permanent security association between said first and second devices, said second computer program comprising a cryptographic data exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic data, said data being substantially unique to said security association; and
- running a third computer program on said first computerized device to seal or encrypt data sent from said first device using at least one cryptographic key, said sealed or encrypted data also being integrity protected for the purpose of verifying that data sent from said first device has not been modified en route;
- wherein said first device comprises an untrusted operating system, and is physically non-secure; and
- wherein said second device comprises an untrusted operating system, and is physically non-secure.
Dependent claims: 2-17

18. A security method adapted to establish ad hoc security associations between first and second portable computerized devices that may or may not have communicated previously, the method comprising:
- running first computer programs on respective ones of said first and second computerized devices to establish an ad hoc security association between said first and second devices, said first computer programs each comprising a cryptographic data exchange algorithm adapted to cause said first and second devices to exchange respective cryptographic data generated substantially under control of respective ones of said devices while establishing said association;
- running second computer programs on respective ones of said first and second devices to encrypt data sent to the other device using at least one cryptographic key; and
- running third computer programs on respective ones of said first and second devices for evaluating said encrypted data sent from the other device for at least data integrity using an appended message element generated by both of said devices;
- wherein said first device comprises an untrusted operating system, and is physically non-secure; and
- wherein said second device comprises an untrusted operating system, and is physically non-secure.
Dependent claims: 19-32

33. A method of providing data security between a first computerized device comprising an untrusted operating system and a second computerized device comprising an untrusted operating system, the method comprising:
- executing a first routine on said first computerized device to obtain at least one address for said first computerized device after said first computerized device is placed in data communication with at least one another via an untrusted medium;
- executing a second routine on said first computerized device to establish a security association between said first and second devices, said second computer program comprising an authentication algorithm adapted to cause said first computerized device and said second device to exchange cryptographic data, said data being substantially unique to said association and comprising at least one random number;
- executing a third routine on said first computerized device to seal or encrypt data sent from said first device using at least one cryptographic key;
- executing a fourth routine on said second computerized device to seal or encrypt data sent from said second device using at least one cryptographic key; and
- executing a fifth routine on said first computerized device to evaluate said encrypted data sent from said second device for at least data integrity;
- wherein said method further comprises said first and second devices mutually authenticating one another and further utilizing cryptographic residues exchanged between said first and second computerized devices.
Dependent claims: 34-36

37. A method of providing security including establishing at least one temporary and ad hoc security association between portable computerized devices that may or may not have communicated previously, said portable devices comprising a first, substantially portable computerized device having an untrusted operating system, and a second, substantially portable computerized device having an untrusted operating system, the method comprising:
- running first computer programs on respective ones of said first and second computerized devices to establish an ad hoc and temporary security association between said first and second devices, said first computer programs each comprising an authentication algorithm causing said first and second devices to exchange respective cryptographic data generated substantially under control of respective ones of said devices while establishing said association;
- running second computer programs on respective ones of said first and second devices to encrypt data sent to the other device using at least one cryptographic key; and
- running third computer programs on respective ones of said first and second devices to evaluate said encrypted data sent from the other device for at least data integrity using an appended message element generated by both of said devices;
- wherein said method further comprises said first and second substantially portable devices mutually authenticating one another, decrypting the other's transmitted encrypted data, and evaluating the integrity of said transmitted encrypted data, without having to access a device or entity other than said first or second device.
Dependent claims: 38

Specification