Apparatus for providing security over untrusted networks
Abstract
A network security apparatus adapted to provide for secure communications across data networks, including untrusted networks. In one embodiment, the security apparatus comprises one or more components disposed within the software stack of a computerized device, the components including an association process adapted to establish security associations between devices on the network, and an encryption key generation process adapted to generate one or more encryption keys. In one variant, the keys are specifically for use with temporary or ad hoc security associations. The one or more keys are exchanged according to a key exchange protocol after the device is authenticated or authenticates another device. In one implementation, the device comprises a portable device such as a laptop computer.
96 Citations
22 Claims
1. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
a message process disposed on the computer readable apparatus that is adapted to, when executed by the processor, exchange first security association information including a digital certificate between the security apparatus and at least one of said other security apparatus on the network via one or more messages, said digital certificate comprising a first encryption key;
a cryptographic material management process disposed on the computer readable apparatus, said cryptographic material management process adapted to, when executed by the processor, package cryptographic material comprising at least one second encryption key for distribution to said at least one other security apparatus; and
an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being adapted to, when executed by the processor, exchange said at least one second encryption key between said network security apparatus and said at least one other security apparatus using at least one message generated by said message process.
2. A portable computerized device adapted for secure communications over an untrusted network, the device comprising:
a network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with other network security apparatus on said network, the network security apparatus comprising:
a message process disposed on the computer readable apparatus that is adapted to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages;
a cryptographic material management process disposed on the computer readable apparatus, said management process being adapted to, when executed by the processor, package cryptographic material comprising at least one encryption key for distribution to said at least one other network security apparatus;
an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish an ad hoc security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being adapted to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and said at least one other security apparatus using at least a request and reply message exchange; and
a block ciphering algorithm disposed on the computer readable apparatus that is adapted to, when executed by the processor, cipher data to be transmitted between said network security apparatus and said at least one other security apparatus;
wherein said network security apparatus is disposed within a software stack of said portable device.
3. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
a cryptographic material generation process disposed on the computer readable apparatus, said generation process being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages; and
an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least one message generated by said message process; and
wherein said cryptographic material generation process is further configured to, when executed by the processor, generate said at least one encryption key and a second encryption key different from said at least one key.
4. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
a cryptographic material generation process disposed on the computer readable apparatus, said cryptographic material generation process being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages; and
an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least one message generated by said message process; and
wherein the security association information comprises a digital certificate, the digital certificate comprising a public encryption key.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12
13. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
a cryptographic material generation process disposed on the computer readable apparatus, said generation process being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages; and
an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least one message generated by said message process;
wherein said material generation process is further configured to, when executed by the processor, generate at least one random number for use in association with said at least one encryption key; and
wherein said at least one random number is transmitted along with said at least one encryption key as part of said key exchange protocol.
14. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
a cryptographic material generation process disposed on the computer readable apparatus, said generation process being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages; and
an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least one message generated by said message process; and
wherein said apparatus utilizes a cryptographic residue for determining datagram integrity.
15. A portable computerized device configured for secure communications over an untrusted network, the device comprising:
network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with other network security apparatus on said network, the apparatus comprising:
a cryptographic material generator disposed on the computer readable apparatus, said cryptographic material generator being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages;
an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a temporary security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least a request and reply message exchange; and
an encryption process disposed on the computer readable apparatus that is configured to, when executed by the processor, encrypt said at least one encryption key using at least a private key;
wherein said network security apparatus is disposed within a software stack of said portable device.
Dependent claims: 16, 17
18. A portable computerized device configured for secure communications over an untrusted network, the device comprising:
network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with other network security apparatus on said network, the apparatus comprising:
a cryptographic material generator disposed on the computer readable apparatus, said cryptographic material generator being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages;
an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a temporary security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information; and
a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least a request and reply message exchange;
wherein said network security apparatus is disposed within a software stack of said portable device; and
wherein said cryptographic material generator is further configured to, when executed by the processor, generate said at least one encryption key and another key different from said at least one encryption key.
Dependent claims: 19, 20, 21
22. A portable computerized device configured for secure communications over an untrusted network, the device comprising:
network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with other network security apparatus on said network, the apparatus comprising:
a cryptographic material generator disposed on the computer readable apparatus, said cryptographic material generator being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages;
an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a temporary security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information; and
a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least a request and reply message exchange;
wherein said network security apparatus is disposed within a software stack of said portable device; and
wherein said apparatus utilizes a cryptographic residue for determining message integrity.
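The claims above describe the key exchange only in legal terms. The Go program below is an added worked example written for this page; it is not the patent's code and is not taken from any implementation of it. It runs the claimed sequence end to end between two peers: exchange of security association information, a request and reply key exchange that carries a freshly generated session key together with a random number (claims 13 and 18), and ciphering of a datagram under that key with an integrity residue (claims 2, 14 and 22). Every primitive is this example's assumption, since the claims name none: a static ECDH P-256 public key stands in for the public key a digital certificate would carry, the session key is wrapped under a key-encryption key derived from static-static ECDH (which is how this example reads claim 15's "encrypt said at least one encryption key using at least a private key"), and AES-256-GCM is the block cipher whose authentication tag serves as the cryptographic residue. The peer names, the "confirm" reply and the "seq=1" associated data are made up for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer models one network security apparatus. The primitives are this example's choices,
// not the patent's: a static ECDH P-256 key stands in for the certificate's public key, and
// AES-256-GCM is the block cipher whose tag serves as the "cryptographic residue".
type Peer struct {
	Name    string
	kexKey  *ecdh.PrivateKey
	peerKex *ecdh.PublicKey // taken from the other peer's security association info
	session []byte          // the "second encryption key" once the exchange completes
	nonce   []byte          // the random number transmitted along with it (claim 13)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or cipher setup failing is not recoverable here
	}
	return v
}
func random(n int) []byte        { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func NewPeer(name string) *Peer  { return &Peer{Name: name, kexKey: must(ecdh.P256().GenerateKey(rand.Reader))} }

// SAInfo is the "first security association information" a peer advertises; Associate records the other side's.
func (p *Peer) SAInfo() *ecdh.PublicKey     { return p.kexKey.PublicKey() }
func (p *Peer) Associate(k *ecdh.PublicKey) { p.peerKex = k }

// kek is the key-encryption key from static-static ECDH: both peers derive it and nobody
// else can, so a wrapped key that opens under it must come from the associated peer.
func (p *Peer) kek() cipher.AEAD {
	sum := sha256.Sum256(append([]byte("kek:"), must(p.kexKey.ECDH(p.peerKex))...))
	return gcm(sum[:])
}

// KeyExchangeRequest makes a fresh session key and random number and wraps the key for the peer.
func (p *Peer) KeyExchangeRequest() (from, nonce, wrapped []byte) {
	aead := p.kek()
	p.session, p.nonce = random(32), random(aead.NonceSize())
	return []byte(p.Name), p.nonce, aead.Seal(nil, p.nonce, p.session, []byte(p.Name))
}

// HandleRequest unwraps the session key (only the associated peer's wrap opens) and replies under the new key.
func (p *Peer) HandleRequest(from, nonce, wrapped []byte) ([]byte, error) {
	key, err := p.kek().Open(nil, nonce, wrapped, from)
	if err != nil {
		return nil, errors.New("request rejected: session key does not unwrap")
	}
	p.session, p.nonce = key, nonce
	return p.Protect([]byte("confirm"), nonce), nil
}

// HandleReply accepts the reply only if it verifies and decrypts under the new session key.
func (p *Peer) HandleReply(reply []byte) error {
	if msg, err := p.Unprotect(reply, p.nonce); err != nil || string(msg) != "confirm" {
		return errors.New("reply rejected: key confirmation failed")
	}
	return nil
}

// Protect appends the GCM tag (the residue) to each datagram; Unprotect checks it before releasing plaintext.
func (p *Peer) Protect(datagram, aad []byte) []byte {
	iv := random(12)
	return gcm(p.session).Seal(iv, iv, datagram, aad)
}
func (p *Peer) Unprotect(wire, aad []byte) ([]byte, error) {
	if len(wire) < 12 {
		return nil, errors.New("datagram too short")
	}
	return gcm(p.session).Open(nil, wire[:12], wire[12:], aad)
}

// Exchange runs association, key exchange and one datagram; flip corrupts a ciphertext byte in transit.
func Exchange(plaintext string, flip bool) (string, error) {
	a, b := NewPeer("laptop"), NewPeer("gateway")
	a.Associate(b.SAInfo())
	b.Associate(a.SAInfo())
	if err := a.HandleReply(must(b.HandleRequest(a.KeyExchangeRequest()))); err != nil {
		return "", err
	}
	wire := a.Protect([]byte(plaintext), []byte("seq=1"))
	if flip {
		wire[len(wire)-1] ^= 1
	}
	out, err := b.Unprotect(wire, []byte("seq=1"))
	return string(out), err
}

func main() { fmt.Println(Exchange("hello over an untrusted link", false)) }
```

Run it with go run (Go 1.20 or later, for crypto/ecdh); calling Exchange with flip set to true returns an error instead of plaintext, because the altered byte no longer matches the residue. Two caveats a practitioner would want: static-static ECDH gives no forward secrecy and only implicit authentication, so a deployable design would add ephemeral keys and explicit signatures (or simply use IKEv2 or TLS 1.3), and GCM nonces must never repeat under one key, which is why Protect draws a fresh random IV per datagram.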
Specification