Methods for providing security for ad hoc networked computerized devices

US 7,979,556 B2
Filed: 07/11/2007
Issued: 07/12/2011
Est. Priority Date: 07/30/1996
Status: Expired due to Fees

First Claim

Patent Images

1. A method of providing security for portable computerized devices, comprising:

providing a first, substantially portable computerized device;

placing a second, substantially portable computerized device in data communication with said first device via an ad hoc communications link;

running a first computer program on said first computerized device to obtain at least one temporary address for said first computerized device;

running a second computer program on said first computerized device to establish a non-permanent security association between said first and second devices, said second computer program comprising a cryptographic data exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic data, said data being substantially unique to said security association; and

running a third computer program on said first computerized device to seal or encrypt data sent from said first device using at least one cryptographic key, said sealed or encrypted data also being integrity protected for the purpose of verifying that data sent from said first device has not been modified en route;

wherein said first device comprises an untrusted operating system, and is physically non-secure; and

wherein said second device comprises an untrusted operating system, and is physically non-secure.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for providing communication security between computerized devices in, for example, an ad hoc or temporary networked environment. In one embodiment, the network comprises an untrusted network, and the method includes providing network security apparatus adapted to create security associations between devices on the network, including mutual authentication. The method further may comprise encrypting traffic between the associated devices for e.g., data confidentiality and integrity protection by running one or more computer programs on the respective devices. In one variant, the network security apparatus comprises a software entity disposed at least partly within the software stack of the devices. The associated devices may be for example fixed or portable, and may be untrusted (e.g., have an untrusted operating systems).

Citations

38 Claims

1. A method of providing security for portable computerized devices, comprising:
- providing a first, substantially portable computerized device;
  
  placing a second, substantially portable computerized device in data communication with said first device via an ad hoc communications link;
  
  running a first computer program on said first computerized device to obtain at least one temporary address for said first computerized device;
  
  running a second computer program on said first computerized device to establish a non-permanent security association between said first and second devices, said second computer program comprising a cryptographic data exchange algorithm adapted to cause said first computerized device and said second device to exchange cryptographic data, said data being substantially unique to said security association; and
  
  running a third computer program on said first computerized device to seal or encrypt data sent from said first device using at least one cryptographic key, said sealed or encrypted data also being integrity protected for the purpose of verifying that data sent from said first device has not been modified en route;
  
  wherein said first device comprises an untrusted operating system, and is physically non-secure; and
  
  wherein said second device comprises an untrusted operating system, and is physically non-secure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein said second device is configured not to pass data from said first device over said network until said first device is properly authenticated to said second device.
  - 3. The method of claim 2, further comprising mutually authenticating said first and second devices with one another.
  - 4. The method of claim 1, further comprising dynamically generating at least one encryption key for each security association using said first device, said act of generating not requiring intervention by a network administrator.
  - 5. The method of claim 1, further comprising running a fourth computer program on said second computerized device to seal or encrypt data sent from said second device using at least one cryptographic key generated by said second device.
  - 6. The method of claim 1, wherein said second and third computer programs are disposed logically within a software stack of said first device above the Physical Layer thereof.
  - 7. The method of claim 6, wherein said second and third computer programs are disposed logically within a software stack of said first device below the Network Layer thereof.
  - 8. The method of claim 6, wherein said second and third computer programs are disposed logically within a software stack of said first device below the Transport Layer thereof.
  - 9. The method of claim 1, wherein said act of establishing an association comprises a multi-way authentication process, wherein said first device is adapted to authenticate said second device, and further adapted to authenticate itself to said second device.
  - 10. The method of claim 1, wherein said second device comprises at least one interface port, access to which is based at least in part on identifying a user of said first device.
  - 11. The method of claim 10, wherein said act of identifying a user is accomplished based at least in part on a cryptographic element associated with said first device.
  - 12. The method of claim 1, wherein said method further comprises using said first device to generate and transmit random data to said second device.
  - 13. The method of claim 12, wherein said transmitting said random data is performed as part of said data exchange algorithm that permits both said first and second devices to possess encryption keys that permit the two devices to decrypt encrypted data sent by the other.
  - 14. The method of claim 1, wherein said first and second devices each comprise a network interface, said interfaces communicating with one another over an untrusted network.
  - 15. The method of claim 14, wherein said devices communicate with one another over said untrusted network without using an intermediary entity or apparatus.
  - 16. The method of claim 1, wherein said method further comprises said first and second devices establishing said association between themselves without accessing any other entity.
  - 17. The method of claim 1, wherein said method further comprises said first and second devices establishing said association between themselves without accessing any other entity for cryptographic information.

18. A security method adapted to establish ad hoc security associations between first and second portable computerized devices that may or may not have communicated previously, the method comprising:
- running first computer programs on respective ones of said first and second computerized devices to establish an ad hoc security association between said first and second devices, said first computer programs each comprising a cryptographic data exchange algorithm adapted to cause said first and second devices to exchange respective cryptographic data generated substantially under control of respective ones of said devices while establishing said association;
  
  running second computer programs on respective ones of said first and second devices to encrypt data sent to the other device using at least one cryptographic key; and
  
  running third computer programs on respective ones of said first and second devices for evaluating said encrypted data sent from the other device for at least data integrity using an appended message element generated by both of said devices;
  
  wherein said first device comprises an untrusted operating system, and is physically non-secure; and
  
  wherein said second device comprises an untrusted operating system, and is physically non-secure.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 19. The method of claim 18, wherein said evaluating comprises comparing a first of said appended message element generated by a receiving one of said devices to a second of said appended message element generated by a sending one of said devices.
  - 20. The method of claim 19, wherein said second of said appended message element is included within a message sent from said sending one of said devices, said message further comprising said encrypted data encrypted by at least one cryptographic key.
  - 21. The method of claim 19, wherein said establishing an association comprises performing a mutual authentication procedure, said mutual authentication based on evaluating respective ones of information uniquely associated with said devices.
  - 22. The method of claim 18, wherein said method further comprises preventing said second device from passing data from said first device over said network until said first device is properly authenticated to said second device based on one or more cryptographic data elements.
  - 23. The method of claim 22, wherein said first and second devices are mutually authenticated with one another.
  - 24. The method of claim 18, further comprising dynamically generating at least one encryption key for each security association using said first device, said act of generating not requiring intervention by a network administrator or other entity.
  - 25. The method of claim 18, wherein said second and third computer programs are disposed logically within a software stack of said first device below the Network Layer thereof.
  - 26. The method of claim 18, wherein said establishing an association comprises establishing a multi-way authentication process, wherein said first device is adapted to authenticate said second device, and further adapted to authenticate itself to said second device or another entity.
  - 27. The method of claim 18, wherein said method further comprises performing, using at least said first device, a cryptographic element exchange algorithm to generate and transmit random data to said second device.
  - 28. The method of claim 27, wherein said transmitting of said random data is associated with performing a procedure that permits both said first and second devices to possess encryption keys that permit the two devices to decrypt encrypted data sent by the other.
  - 29. The method of claim 18, wherein said first and second devices each comprise a network interface, said interfaces communicating with one another over an untrusted medium.
  - 30. The method of claim 29, wherein said devices communicate with one another over said untrusted medium without using an intermediary entity or apparatus.
  - 31. The method of claim 18, wherein said first and second devices are establishing said association between themselves without accessing any other entity.
  - 32. The method of claim 18, wherein said first and second devices are mutually authenticating one another without accessing any third entity for cryptographic information.

33. A method of providing data security between a first computerized device comprising an untrusted operating system and a second computerized device comprising an untrusted operating system, the method comprising:
- executing a first routine on said first computerized device to obtain at least one address for said first computerized device after said first computerized device is placed in data communication with at least one another via an untrusted medium;
  
  executing a second routine on said first computerized device to establish a security association between said first and second devices, said second computer program comprising an authentication algorithm adapted to cause said first computerized device and said second device to exchange cryptographic data, said data being substantially unique to said association and comprising at least one random number;
  
  executing a third routine on said first computerized device to seal or encrypt data sent from said first device using at least one cryptographic key;
  
  executing a fourth routine on said second computerized device to seal or encrypt data sent from said second device using at least one cryptographic key; and
  
  executing a fifth routine on said first computerized device to evaluate said encrypted data sent from said second device for at least data integrity;
  
  wherein said method further comprises said first and second devices mutually authenticating one another and further utilizing cryptographic residues exchanged between said first and second computerized devices.
- View Dependent Claims (34, 35, 36)
- - 34. The method of claim 33, wherein said first computerized device, as part of establishing said association, utilizes random data that is transmitted from said second computerized device.
  - 35. The method of claim 34, wherein said second computerized device comprises a cryptographic element algorithm, and said method comprises using said algorithm to generate and transmit random data to said first computerized device as part of a mutual authentication.
  - 36. The method of claim 33, where said first and second devices each perform identifying or validating a user based on at least one of:
    - (i) a password;
      
      or (ii) a unique identifier, input by the user via a user interface.

37. A method of providing security including establishing at least one temporary and ad hoc security association between portable computerized devices that may or may not have communicated previously, said portable devices comprising a first, substantially portable computerized device having an untrusted operating system, and a second, substantially portable computerized device having an untrusted operating system, the method comprising:
- running first computer programs on respective ones of said first and second computerized devices to establish an ad hoc and temporary security association between said first and second devices, said first computer programs each comprising an authentication algorithm causing said first and second devices to exchange respective cryptographic data generated substantially under control of respective ones of said devices while establishing said association;
  
  running second computer programs on respective ones of said first and second devices to encrypt data sent to the other device using at least one cryptographic key; and
  
  running third computer programs on respective ones of said first and second devices to evaluate said encrypted data sent from the other device for at least data integrity using an appended message element generated by both of said devices;
  
  wherein said method further comprises said first and second substantially portable devices mutually authenticating one another, decrypting the other'"'"'s transmitted encrypted data, and evaluating the integrity of said transmitted encrypted data, without having to access a device or entity other than said first or second device.
- View Dependent Claims (38)
- - 38. The method of claim 37, where said first and second devices each identify or validate a user based on at least one of:
    - (i) a password;
      
      or (ii) a unique identifier, input by the user via a user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Round Rock Research LLC
Inventors
Holden, James M, Levin, Stephen E, Nickel, James O, Wrench, Edwin H
Primary Examiner(s)
VU, VIET DUY

Application Number

US11/776,417
Publication Number

US 20080028212A1
Time in Patent Office

1,462 Days
Field of Search

709/217, 709/219, 709/227, 709/228, 709/237, 709/250
US Class Current

709/227
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

Methods for providing security for ad hoc networked computerized devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for providing security for ad hoc networked computerized devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links