System, method and apparatus for securely exchanging security keys and monitoring links in a IP communications network

US 8,185,947 B2
Filed: 07/11/2007
Issued: 05/22/2012
Est. Priority Date: 07/12/2006
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring two or more secure communications between a trusted local network device and two or more remote devices via a set of first secure communication channels, comprising the steps of:

receiving a security key associated with any of the secure communication(s) between the trusted local network device and the two or more remote devices at a security device via a second secure communication channel whenever the trusted local network device creates or changes the security key, wherein (a) the second secure communication channel is a persistent connection used to transmit all security keys between the security device and the trusted local network device that is independent of the first secure communication channels, and (b) the security device is disposed between the trusted local network device and the two or more remote devices;

storing the security keys in a secure storage communicably coupled to the security device, wherein the stored security keys cannot be extracted or read by the security device;

decoding one or more messages transmitted between the trusted local network device and the two or more remote devices at the security device by performing operations on the stored security keys; and

maintaining the second secure communication channel independently of the set of first communication channels using one or more interface messages sent between the trusted local network device and the security device.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system, method and apparatus for securely exchanging security keys and monitoring links in an IP communications network. The apparatus is disposed between the local device and the remote device and receives a security key associated with the secure communication(s) for the local device. The apparatus then uses the security key to decode one or more messages transmitted between the local device and the remote device. The apparatus may initiate one or more security protocols whenever the decoded message(s) satisfy one or more criteria. Note that the present invention can be implemented as a computer program embodied on a computer readable medium wherein each step is performed by one or more code segments.

48 Citations

View as Search Results

21 Claims

1. A method for monitoring two or more secure communications between a trusted local network device and two or more remote devices via a set of first secure communication channels, comprising the steps of:
- receiving a security key associated with any of the secure communication(s) between the trusted local network device and the two or more remote devices at a security device via a second secure communication channel whenever the trusted local network device creates or changes the security key, wherein (a) the second secure communication channel is a persistent connection used to transmit all security keys between the security device and the trusted local network device that is independent of the first secure communication channels, and (b) the security device is disposed between the trusted local network device and the two or more remote devices;
  
  storing the security keys in a secure storage communicably coupled to the security device, wherein the stored security keys cannot be extracted or read by the security device;
  
  decoding one or more messages transmitted between the trusted local network device and the two or more remote devices at the security device by performing operations on the stored security keys; and
  
  maintaining the second secure communication channel independently of the set of first communication channels using one or more interface messages sent between the trusted local network device and the security device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as recited in claim 1, further comprising the step of initiating one or more security protocols whenever the decoded message(s) satisfy one or more criteria.
  - 3. The method as recited in claim 1, wherein the security device is communicably connected between the trusted local network device and the remote two or more devices, or is communicably connected to a tap communicably connected between the trusted local network device and the remote device.
  - 4. The method as recited in claim 1, further comprising the step of establishing the second secure communication channel between the security device and the trusted local network device.
  - 5. The method as recited in claim 1, wherein the security key is changed on a per session or per call basis.
  - 6. The method as recited in claim 1, further comprising the step of establishing a persistent connection for the second secure communication channel between the security device and the trusted local network device.
  - 7. The method as recited in claim 1, wherein the one or more interface messages comprise a key notification message, a keepalive message, a notify message, a request message or a response message.
  - 8. The method as recited in claim 1, wherein:
    - the security device comprises an application level security node or an Internet Protocol Communication Security device;
      
      the trusted local network device comprises a packet data gateway;
      
      the packet-based network comprises an Internet Protocol network;
      
      the remote device comprises an end user device, a mobile handset, a computer, a portable computer, a personal data assistant, a multimedia device or a combination thereof;
      
      orthe message(s) comprise one or more data packets, voice packets, multimedia packets or a combination thereof.

9. A method for monitoring two or more secure communications between a trusted local network device and two or more remote devices via a set of first secure communication channels, comprising the steps of:
- establishing a persistent connection between a security device and the trusted local network device wherein the security device is disposed between the trusted local network device and the two or more remote devices;
  
  establishing a second secure communication channel between the security device and the trusted local network device via the persistent connection that is used to transmit all security keys to the security device and is independent of the set of first secure communication channels;
  
  receiving a security key associated with any of the secure communication(s) between the trusted local network device and the two or more remote devices at the security device via the second secure communication channel, whenever the trusted local network device creates or changes the security key;
  
  storing the security keys in a secure storage communicably coupled to the security device, wherein the stored security keys cannot be extracted or read by the security device;
  
  decoding one or more messages transmitted between the trusted local network device and the two or more remote devices at the security device by performing operations on the stored security keys;
  
  initiating one or more security protocols whenever the decoded message(s) satisfy one or more criteria; and
  
  maintaining the second secure communication channel independently of the set of first communication channels using one or more interface messages sent between the trusted local network device and the security device.

10. A non-transitory computer readable medium for monitoring two or more secure communications between a trusted local network device and two or more remote devices via a set of first secure communication channels, the non-transitory computer readable medium comprising program instructions when executed by a security device causes the security device to perform the steps of:
- receiving a security key associated with any of the secure communication(s) between the trusted local network device and the two or more remote devices at the security device via a second secure communication channel whenever the trusted local network device creates or changes the security key, wherein (a) the second secure communication channel is a persistent connection used to transmit all the security keys between the security device and the trusted local network device that is independent of the first secure communication channels, and (b) the security device is disposed between the trusted local network device and the two or more remote devices;
  
  storing the security keys in a secure storage communicably coupled to the security device, wherein the stored security keys cannot be extracted or read by the security device;
  
  decoding one or more messages transmitted between the trusted local network device and the two or more remote devices at the security device by performing operations on the stored security keys; and
  
  maintaining the second secure communication channel independently of the set of first communication channels using one or more interface messages sent between the trusted local network device and the security device.

11. A non-transitory computer readable medium for monitoring two or more secure communications between a trusted local network device and two or more remote devices via a set of first secure communication channels, the non-transitory computer readable medium comprising program instructions when executed by a security device causes the security device to perform the steps of:
- establishing a persistent connection between a security device and the trusted local network device wherein the security device is disposed between the trusted local network device and the two or more remote devices;
  
  establishing a second secure communication channel between the security device and the trusted local network device via the persistent connection that is used to transmit all security keys to the security device and is independent of the set of first secure communication channels;
  
  receiving a security key associated with any of the secure communication(s) between the trusted local network device and the two or more remote devices at the security device via the second secure communication channel whenever the trusted local network device creates or changes the security key;
  
  storing the security keys in a secure storage communicably coupled to the security device, wherein the stored security keys cannot be extracted or read by the security device;
  
  decoding one or more messages transmitted between the trusted local network device and the two or more remote devices at the security device by performing operations on the stored security keys;
  
  initiating one or more security protocols whenever the decoded message(s) satisfy one or more criteria; and
  
  maintaining the second secure communication channel independently of the set of first communication channels using one or more interface messages sent between the trusted local network device and the security device.

12. An apparatus for monitoring two or more secure communications between a trusted local network device and two or more remote devices via a set of secure local-to-remote device communication channels comprising:
- a first interface for a secure private communication channel to the trusted local network device that is a persistent connection used to transmit all security keys between the apparatus and the trusted local network device and is independent of the set of secure local-to-remote device communication channels;
  
  a second interface for the set of secure local-to-remote device communication channels;
  
  a secure data storage; and
  
  a processor communicably coupled to the first interface, the second interface and the secure data storage wherein the processor;
  
  (a) receives a security key at the first interface that is associated with any of the secure communication(s) between the trusted local network device and the two or more remote devices via the secure private channel whenever the trusted local network device creates or changes the security key, (b) stores the security keys in the secure data storage such that the stored security keys cannot be extracted or read by the security device, (c) decodes one or more messages by performing operations on the stored security keys wherein the one or more messages are transmitted between the trusted local network device and the one or more remote devices and are obtained from the set of secure local-to-remote device communication channels via the second interface, and (d) maintains the secure private communication channel independently of the set of secure local-to-remote device communication channels using one or more interface messages sent between the trusted local network device and the security device via the first interface.
- View Dependent Claims (13, 14, 15)
- - 13. The apparatus as recited in claim 12, wherein the processor initiates one or more security protocols whenever the decoded message(s) satisfy one or more criteria.
  - 14. The apparatus as recited in claim 12, wherein the processor establishes the secure private communication channel between the security device and the trusted local network device.
  - 15. The apparatus as recited in claim 12, wherein the processor establishes the persistent connection for the secure private communication channel between the security device and the trusted local network device.

16. A security device for monitoring two or more secure communications between a trusted local network device and two or more remote devices via a set of secure local-to-remote device communication channels comprising:
- a first interface for a secure private communication channel to the trusted local network device that is a persistent connection used to transmit all security keys between the security device and the trusted local network device and is independent of the set of secure local-to-remote device communication channels;
  
  a second interface for the set of secure local-to-remote device communication channels;
  
  a secure data storage; and
  
  a processor communicably coupled to the first interface, the second interface and the secure data storage wherein the processor;
  
  (a) establishes the persistent connection with the trusted local network device, (b) establishes the secure private communication channel with the trusted local network device via the persistent connection, (c) receives a security key at the first interface that is associated with any of the secure communication(s) between the trusted local network device and the two or more remote devices via the secure private channel whenever the trusted local network device creates or changes the security key, (d) stores the security keys in the secure data storage such that the stored security keys cannot be extracted or read by the security device, (e) decodes one or more messages by performing operations on the stored security keys wherein the one or more messages are transmitted between the trusted local network device and the remote devices and are obtained from the set of secure local-to-remote device communication channels via the second interface, (f) initiates one or more security protocols whenever the decoded message(s) satisfy one or more criteria, and (g) maintains the secure private communication channel independently of the set of secure local-to-remote device communication channels using one or more interface messages sent between the trusted local network device and the security device via the first interface.

17. A system comprising:
- a network;
  
  two or more remote devices;
  
  a trusted local network device communicably coupled to the remote devices via the network to engage in two or more secure communications via a set of secure local-to-remote communication channels;
  
  a security device disposed between the trusted local network device and the two or more remote devices wherein the security device comprises;
  
  (1) a first interface for a secure private communication channel to the trusted local network device that is a persistent connection used to transmit all security keys between the trusted local network device and the security device and is independent of the set of secure local-to-remote device communication channels, (2) a second interface for the secure local-to-remote device communication channels, (3) a secure data storage, and (4) a processor communicably coupled to the first interface, the second interface and the secure data storage wherein the processor;
  
  (a) receives a security key at the first interface that is associated with any of the secure communication(s) between the trusted local network device and the two or more remote devices via the secure private channel whenever the trusted local network device creates or changes the security key, (b) stores the security keys in the secure data storage such that the stored security keys cannot be extracted or read by the security device, (c) decodes one or more messages by performing operations on the stored security keys wherein the one or more messages are transmitted between the trusted local network device and the two or more remote devices and are obtained from the set of secure local-to-remote device communication channels via the second interface, and (d) maintains the secure private communication channel independently of the set of secure local-to-remote device communication channels using one or more interface messages sent between the trusted local network device and the security device via the first interface.
- View Dependent Claims (18, 19, 20)
- - 18. The system as recited in claim 17, wherein the processor initiates one or more security protocols whenever the decoded message(s) satisfy one or more criteria.
  - 19. The system as recited in claim 17, wherein the processor establishes the secure private communication channel between the security device and the trusted local network device.
  - 20. The system as recited in claim 17, wherein the processor establishes the persistent connection for the secure private communication channel between the security device and the trusted local network device.

21. A system comprising:
- a network;
  
  two or more remote devices;
  
  a trusted local network device communicably coupled to the remote devices via the network to engage in two or more secure communications via a set of secure local-to-remote communication channels;
  
  a security device disposed between the trusted local network device and the two or more remote devices wherein the security device comprises;
  
  (1) a first interface for a secure private communication channel to the trusted local network device that is a persistent connection used to transmit all security keys between the trusted local network device and the security device and is independent of the set of secure local-to-remote device communication channels, (3) a secure data storage, and (4) a processor communicably coupled to the first interface, the second interface and the secure data storage wherein the processor;
  
  (a) establishes the persistent connection with the trusted local network device, (b) establishes the secure private communication channel with the trusted local network device via the persistent connection, (c) receives a security key at the first interface that is associated with any of the secure communication(s) between the trusted local network device and the two or more remote devices via the secure private channel whenever the trusted local network device creates or changes the security key, (d) stores the security keys in the secure data storage such that the stored security keys cannot be extracted or read by the security device, (e) decodes one or more messages by performing operations on the stored security keys wherein the one or more messages are transmitted between the trusted local network device and the remote devices and are obtained from the set of secure local-to-remote device communication channels via the second interface, (f) initiates one or more security protocols whenever the decoded message(s) satisfy one or more criteria, and (g) maintains the secure private communication channel independently of the set of secure local-to-remote device communication channels using one or more interface messages sent between the trusted local network device and the security device via the first interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Herle, Sudhindra Pundaleeka, Kurapati, Srikrishna
Primary Examiner(s)
REZA, MOHAMMAD W

Application Number

US11/776,509
Publication Number

US 20080016334A1
Time in Patent Office

1,777 Days
Field of Search

713/155, 713/171, 713/151, 713/150, 713/168, 726/11, 726/12, 726/14, 726/15, 380/277, 380/278
US Class Current

726/15
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0891   Revocation or update of sec...

System, method and apparatus for securely exchanging security keys and monitoring links in a IP communications network

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

System, method and apparatus for securely exchanging security keys and monitoring links in a IP communications network

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others