Apparatus for providing security over untrusted networks

US 8,346,925 B2
Filed: 12/10/2010
Issued: 01/01/2013
Est. Priority Date: 07/30/1996
Status: Expired due to Fees

First Claim

Patent Images

1. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:

a message process disposed on the computer readable apparatus that is adapted to, when executed by the processor, exchange first security association information including a digital certificate between the security apparatus and at least one of said other security apparatus on the network via one or more messages, said digital certificate comprising a first encryption key;

a cryptographic material management process disposed on the computer readable apparatus, said cryptographic material management process adapted to, when executed by the processor, package cryptographic material comprising at least one second encryption key for distribution to said at least one other security apparatus; and

an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;

wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being adapted to, when executed by the processor, exchange said at least one second encryption key between said network security apparatus and said at least one other security apparatus using at least one message generated by said message process.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security apparatus adapted to provide for secure communications across data networks, including untrusted networks. In one embodiment, the security apparatus comprises one or more components disposed within the software stack of a computerized device, the components including an association process adapted to establish security associations between devices on the network, and an encryption key generation process adapted to generate one or more encryption keys. In one variant, the keys are specifically for use with temporary or ad hoc security associations. The one or more keys are exchanged according to a key exchange protocol after the device is authenticated or authenticates another device. In one implementation, the device comprises a portable device such as a laptop computer.

96 Citations

View as Search Results

22 Claims

1. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
- a message process disposed on the computer readable apparatus that is adapted to, when executed by the processor, exchange first security association information including a digital certificate between the security apparatus and at least one of said other security apparatus on the network via one or more messages, said digital certificate comprising a first encryption key;
  
  a cryptographic material management process disposed on the computer readable apparatus, said cryptographic material management process adapted to, when executed by the processor, package cryptographic material comprising at least one second encryption key for distribution to said at least one other security apparatus; and
  
  an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
  
  wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being adapted to, when executed by the processor, exchange said at least one second encryption key between said network security apparatus and said at least one other security apparatus using at least one message generated by said message process.

2. A portable computerized device adapted for secure communications over an untrusted network, the device comprising:
- a network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with other network security apparatus on said network, the network security apparatus comprising;
  
  a message process disposed on the computer readable apparatus that is adapted to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages;
  
  a cryptographic material management process disposed on the computer readable apparatus, said management process being adapted to, when executed by the processor, package cryptographic material comprising at least one encryption key for distribution to said at least one other network security apparatus;
  
  an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish an ad hoe security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
  
  a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being adapted to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and said at least one other security apparatus using at least a request and reply message exchange; and
  
  a block ciphering algorithm disposed on the computer readable apparatus that is adapted to, when executed by the processor, cipher data to be transmitted between said network security apparatus and said at least one other security apparatus;
  
  wherein said network security apparatus is disposed within a software stack of said portable device.

3. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
- a cryptographic material generation process disposed on the computer readable apparatus, said generation process being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
  
  a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages; and
  
  an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
  
  wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least one message generated by said message process; and
  
  wherein said cryptographic material generation process is further configured to, when executed by the processor, generate said at least one encryption key and a second encryption key different from said at least one key.

4. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
- a cryptographic material generation process disposed on the computer readable apparatus, said cryptographic material generation process being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
  
  a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages; and
  
  an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
  
  wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least one message generated by said message process; and
  
  wherein the security association information comprises a digital certificate, the digital certificate comprising a public encryption key.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The apparatus of claim 4, further comprising an encryption process disposed on the computer readable apparatus that is configured to encrypt said at least one encryption key using at least said public key and a private key in the possession of said network security apparatus when executed on the processor.
  - 6. The apparatus of claim 4, further comprising an encryption process disposed on the computer readable apparatus that is configured to encrypt said at least one encryption key using at least a private key when executed on the processor.
  - 7. The apparatus of claim 4, wherein said one or more messages comprise at least one of:
    - (i) a request message requesting establishment of a security association; and
      
      (ii) a reply message granting said security association.
  - 8. The apparatus of claim 7, wherein said cryptographic material further comprises at least one initialization vector.
  - 9. The apparatus of claim 8, wherein said initialization vector is used by said at least one other network security apparatus to initialize an encryption algorithm.
  - 10. The apparatus of claim 4, wherein said digital certificate is used by said association process to verify the identity of a sender of said certificate, and said at least one encryption key is generated only after said verification of said identity.
  - 11. The apparatus of claim 4, wherein said computerized host device comprises a portable untrusted device having a software stack, said stack comprising said message process, said material generation process, and said association process as part thereof.
  - 12. The apparatus of claim 11, wherein said network comprises an untrusted network, and said apparatus further comprises a network interface configured to send and receive data between said host device and said network.

13. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
- a cryptographic material generation process disposed on the computer readable apparatus, said generation process being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
  
  a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages; and
  
  an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
  
  wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least one message generated by said message process;
  
  wherein said material generation process is further configured to, when executed by the processor, generate at least one random number for use in association with said at least one encryption key; and
  
  wherein said at least one random number is transmitted along with said at least one encryption key as part of said key exchange protocol.

14. Network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with a computerized host device and other network security apparatus on a network having components that may be individually secure or non-secure, the apparatus comprising:
- a cryptographic material generation process disposed on the computer readable apparatus, said generation process being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
  
  a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages; and
  
  an association process disposed on the computer readable apparatus that is configured to, when executed by the processor, establish a security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
  
  wherein said apparatus further comprises a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least one message generated by said message process; and
  
  wherein said apparatus utilizes a cryptographic residue for determining datagram integrity.

15. A portable computerized device configured for secure communications over an entrusted network, the device comprising:
- network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with other network security apparatus on said network, the apparatus comprising;
  
  a cryptographic material generator disposed on the computer readable apparatus, said cryptographic material generator being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
  
  a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages;
  
  an association process disposed on the computer readable apparatus that configured to, when executed by the processor, establish a temporary security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information;
  
  a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least a request and reply message exchange; and
  
  an encryption process disposed on the computer readable apparatus that is configured to, when executed by the processor, encrypt said at least one encryption key using at least a private key;
  
  wherein said network security apparatus is disposed within a software stack of said portable device.
- View Dependent Claims (16, 17)
- - 16. The device of claim 15, wherein said cryptographic material further comprises at least one initialization vector, said initialization vector is used by said at least one other network security apparatus to initialize an encryption algorithm.
  - 17. The device of claim 15, wherein said security association information comprises a digital certificate, said digital certificate comprising a public portion of a public-private key pair.

18. A portable computerized device configured for secure communications over an untrusted network, the device comprising:
- network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with other network security apparatus on said network, the apparatus comprising;
  
  a cryptographic material generator disposed on the computer readable apparatus, said cryptographic material generator being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
  
  a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages;
  
  an association process disposed on the computer readable apparatus that configured to, when executed by the processor, establish a temporary security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information; and
  
  a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least a request and reply message exchange;
  
  wherein said network security apparatus is disposed within a software stack of said portable device; and
  
  wherein said cryptographic material generator is further configured to, when executed by the processor, generate said at least one encryption key and another key different from said at least one encryption key.
- View Dependent Claims (19, 20, 21)
- - 19. The device of claim 18, wherein said digital certificate is used by said association process to verify the identity of a sender of said certificate.
  - 20. The device of claim 18, wherein said cryptographic material generator is further configured to, when executed by the processor, generate at least one random number, said at least one random number being transmitted as part of said key exchange protocol.
  - 21. The device of claim 18, wherein said cryptographic material generator is further configured to, when executed by the processor, generate at least one random number for use in association with said at least one encryption key, said at least one random number being transmitted along with said at least one encryption key as part of said key exchange protocol.

22. A portable computerized device configured for secure communications over an untrusted network, the device comprising:
- network security apparatus comprising a processor and a computer readable apparatus having a storage medium with at least one computer program stored thereon, the at least one computer program comprising a plurality of computer executable instructions that when executed by the processor are configured to communicate with other network security apparatus on said network, the apparatus comprising;
  
  a cryptographic material generator disposed on the computer readable apparatus, said cryptographic material generator being configured to, when executed by the processor, generate cryptographic material comprising at least one encryption key;
  
  a message process disposed on the computer readable apparatus that is configured to, when executed by the processor, exchange first security association information between the security apparatus and at least one of said other security apparatus on the network via one or more messages;
  
  an association process disposed on the computer readable apparatus that configured to, when executed by the processor, establish a temporary security association between said network apparatus and said at least one other network security apparatus based at least in part on said first security association information; and
  
  a key exchange protocol disposed on the computer readable apparatus, said key exchange protocol being configured to, when executed by the processor, exchange said at least one encryption key between said network security apparatus and at least one other security apparatus using at least a request and reply message exchange;
  
  wherein said network security apparatus is disposed within a software stack of said portable device; and
  
  wherein said apparatus utilizes a cryptographic residue for determining message integrity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Round Rock Research LLC
Inventors
Holden, James M, Levin, Stephen E, Nickel, James O, Wrench, Edwin H
Primary Examiner(s)
Vu, Viet

Application Number

US12/965,606
Publication Number

US 20110202758A1
Time in Patent Office

753 Days
Field of Search

709/217, 709/219, 709/223, 709/224, 709/225, 709/227, 709/228
US Class Current

709/225
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

Apparatus for providing security over untrusted networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus for providing security over untrusted networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links