Transporting keys between security protocols

US 8,046,820 B2
Filed: 09/29/2006
Issued: 10/25/2011
Est. Priority Date: 09/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing network security given a remote network of a plurality of devices configured to engage in network security negotiation with a local network, the method comprising:

by a key authorization point (KAP) located within the local network;

exchanging network security negotiating communications with each of the plurality of devices to establish a network security negotiation between each of the plurality of devices and the KAP;

creating a respective security policy in response to each network security negotiation established by the KAP; and

for each of the plurality of devices, deploying the respective security policy to a policy enforcement point (PEP) located within the local network and in a path between the KAP and each of the plurality of devices and to other PEPs located within the local network, so that each of the PEPs passes security negotiating communications being exchanged between the KAP and the plurality of devices, and encrypts and decrypts communications between the plurality of devices and the local network according to the deployed security policies.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing network security comprising a step of configuring a remote network to engage network security negotiation with a local network. The method includes a step of configuring a first security policy of a security component within the local network to pass through a network security negotiating communication between the local network and the remote network, and a step of establishing a network security negotiation between the remote network and a security parameter generator via the security component. The security parameter generator can be located within the local network and configured to provide secure communication with the remote network.

45 Citations

17 Claims

1. A method for providing network security given a remote network of a plurality of devices configured to engage in network security negotiation with a local network, the method comprising:
- by a key authorization point (KAP) located within the local network;
  
  exchanging network security negotiating communications with each of the plurality of devices to establish a network security negotiation between each of the plurality of devices and the KAP;
  
  creating a respective security policy in response to each network security negotiation established by the KAP; and
  
  for each of the plurality of devices, deploying the respective security policy to a policy enforcement point (PEP) located within the local network and in a path between the KAP and each of the plurality of devices and to other PEPs located within the local network, so that each of the PEPs passes security negotiating communications being exchanged between the KAP and the plurality of devices, and encrypts and decrypts communications between the plurality of devices and the local network according to the deployed security policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the remote network includes a legacy device.
  - 3. The method of claim 1, wherein the step of exchanging network security negotiating communications to establish a security negotiation between each of the plurality of devices and the KAP includes negotiating a secure association between each of the plurality of devices and the KAP;
    - wherein the secure association is negotiated by the KAP exchanging the network security negotiating communication with each of the plurality of devices; and
      
      wherein the security negotiating communication being exchanged is passed through the PEP.
  - 4. The method of claim 1, wherein the step of exchanging network security negotiating communications to establish a security negotiation between each of the plurality of devices and the KAP-includes performing an Internet Key Exchange (IKE) negotiation between the KAP and each of the plurality of devices;
    - wherein the IKE negotiation is performed by the KAP exchanging user datagram protocol (UDP) messages with each of the plurality of devices, the (UDP) messages having source and destination UDP ports set to 500; and
      
      wherein the (UDP) messages being exchanged are passed through the PEP.
  - 5. The method of claim 3, wherein the step of negotiating the secure association between each of the plurality of devices and the KAP includes one or more authentication mechanisms.
  - 6. The method of claim 5, wherein the authentication mechanisms include one or more of the following mechanisms:
    - pre-shared keys exchange, certification, nonce, Kerberos token, hash/notification, and signature.
  - 7. The method of claim 1, wherein the respective security policy defines traffic to be secured by any one of:
    - local remote IP addresses or ranges for an encrypted traffic from the remote network, remote tunnel IP address, selector settings, security policy setting, encryption, authentication keys, security parameter index and tunnel termination.
  - 8. The method of claim 1 further include the following steps:
    - i) establishing a secure tunnel for exchanging an encrypted packet between the local network and each of the plurality of devices;
      
      ii) decrypting the encrypted packet according to the respective security policy; and
      
      iii) optionally conducting an additional security negotiation between each of the plurality of devices and the KAP via the PEP.
  - 9. The method of claim 8, wherein the step of decrypting the encrypted packet according to the respective security policy includes stripping an IP (internet protocol) header of the encrypted packet to route the encrypted packet to a device within the local network.

10. A system for providing network security given a remote network of a plurality of devices configured to engage in network security negotiation with a local network, the system comprising:
- a policy enforcement point (PEP) located within the local network configured to pass security negotiating communications from the plurality of devices, and to encrypt and decrypt communications between the plurality of devices and the local network according to security policies, anda key authorization point (KAP) configured to;
  
  i) exchange network security negotiating communications with each of the plurality of devices to establish a network security negotiation between each of the plurality of devices and the KAP;
  
  ii) create a respective security policy in response to each network security negotiation established by the KAP, andiii) deploy the respective security policy to the PEP in a path between the KAP and each of the plurality of devices and to other PEPs located within the local network, so that each of the PEPs encrypts and decrypts communications between the plurality of devices and the local network according to the respective security policy.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The network security system of claim 10, wherein the remote network includes a legacy device.
  - 12. The network security system of claim 10, wherein the KAP is configured to perform an Internet Key Exchange (IKE) negotiation with each of the plurality of devices;
    - andwherein the IKE negotiation is performed by the KAP exchanging user datagram protocol (UDP) messages with each of the plurality of devices, the (UDP) messages having source and destination UDP ports set to 500; and
      
      wherein the (UDP) messages being exchanged are passed through the PEP.
  - 13. The network security system of claim 10 wherein the KAP is configured to negotiate a secure association between each of the plurality of devices and the KAP;
    - andwherein the secure association is negotiated by the KAP exchanging the network security negotiating communication with each of the plurality of devices; and
      
      wherein the security negotiating communication being exchanged is passed through the PEP.
  - 14. The network security system of claim 13, wherein negotiating the secure association between each of the plurality of devices and the local network includes one or more authentication mechanisms.
  - 15. The network security system of claim 14, wherein the authentication mechanisms include one or more of the following mechanisms:
    - pre-shared keys exchange, certification, nonce, Kerberos token, hash/notification, and signature.
  - 16. The network security system of claim 10, wherein the respective security policy defines traffic to be secured by any one of the following security parameters:
    - local remote IP addresses or ranges for an encrypted traffic from the remote network, remote tunnel IP address, selector settings, security policy setting, encryption, authentication keys, security parameter index and tunnel termination.
  - 17. The network security system of claim 10, wherein the PEP is configured to:
    - i) establish a secure tunnel for exchanging an encrypted packet between the local network and each of the plurality of devices;
      
      ii) decrypt the encrypted packet according to the respective security policy; and
      
      iii) optionally conduct an additional security negotiation between each of the plurality of devices and the KAP via the PEP.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
McAlister, Donald
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US11/541,387
Publication Number

US 20080104693A1
Time in Patent Office

1,852 Days
Field of Search

713150-154, 726 10- 15, 726/1, 380/277, 380/278, 380/279
US Class Current

726/1
CPC Class Codes

H04L 61/2564   for a higher-layer protocol...

H04L 61/2578   without involvement of the ...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Transporting keys between security protocols

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Transporting keys between security protocols

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links