Method and apparatus for managing secure communications

US 8,352,725 B1
Filed: 04/21/2003
Issued: 01/08/2013
Est. Priority Date: 04/21/2003
Status: Active Grant

First Claim

Patent Images

1. In a data communications device, a method of managing secure communications comprising:

packet sniffing one or more network packets from a first endpoint device and traversing the data communications device destined for a second endpoint device to identify;

(i) a request from a first endpoint device to initiate secure communications between the first endpoint device and the second endpoint device, and(ii) a security usage indicator in the request indicative of an intended secure session to be established between the first and second endpoint devices;

analyzing the identified security usage indicator to determine an intended key to be used in establishing the secure communications;

computing a secure usage result indicative of whether to allow the intended secure session to be established, comprising;

mapping one or more attributes of the intended key to a respective one or more entries within a data store; and

applying one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules; and

enforcing the computed secure usage result by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of (i) disallowing communications, (ii) allowing secure communications pending further key usage authorization results, (iii) logging communications, and (iv) allowing secure communications.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device for managing secure communications by examining message packets to detect and control the use of encryption keys noninvasively examines an incoming message packet according to typical cryptographic protocols and sequences. If an incoming packet exhibits the use of an encryption key, such as via IKEP, IPsec, or PPTP, the device processes the packet to attempt to find the corresponding encryption key. The device compares the key to a list of known suspect keys to determine a blocked status. If the key is not on the list, a sequence of authorization rules concerning prohibited key usage attempts to determine a result. The authorization rules examine available keying attributes from the message packet, possibly via a remote server, and compute an indication concerning key usage. If the authorization rules are still undeterministic of usage of the key, the device uses a default action. The default action indicates whether to allow or block usage of the key until a deterministic response indicates the key status.

Citations

27 Claims

1. In a data communications device, a method of managing secure communications comprising:
- packet sniffing one or more network packets from a first endpoint device and traversing the data communications device destined for a second endpoint device to identify;
  
  (i) a request from a first endpoint device to initiate secure communications between the first endpoint device and the second endpoint device, and(ii) a security usage indicator in the request indicative of an intended secure session to be established between the first and second endpoint devices;
  
  analyzing the identified security usage indicator to determine an intended key to be used in establishing the secure communications;
  
  computing a secure usage result indicative of whether to allow the intended secure session to be established, comprising;
  
  mapping one or more attributes of the intended key to a respective one or more entries within a data store; and
  
  applying one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules; and
  
  enforcing the computed secure usage result by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of (i) disallowing communications, (ii) allowing secure communications pending further key usage authorization results, (iii) logging communications, and (iv) allowing secure communications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, where the first and second endpoint devices are unaware of the data communications device enforcing the secure usage result.
  - 3. The method of claim 1, where the data communications device comprises a router disposed between the first endpoint device and the second endpoint device.
  - 4. The method of claim 1, wherein computing the secure usage result comprises generating at least one of, a key status query, a key usage authorization query, and a default action query, operable to generate the secure usage result.
  - 5. The method of claim 4, wherein computing the secure usage result comprises:
    - generating the key status query including the intended key;
      
      receiving, at a key status processor the key status query;
      
      comparing, via the key status processor, the intended key to a managed key list having managed keys; and
      
      computing the secure usage result based on the outcome of the comparing.
  - 6. The method of claim 4, wherein computing the secure usage result further comprises:
    - generating the key usage authorization query and keying material attributes;
      
      computing, in a managed status processor, a rule deterministic of a managed status of the intended key;
      
      applying the rule to the keying material attributes to generate a key usage authorization result; and
      
      computing the secure usage result based, at least in part, on applying the rule.
  - 7. The method of claim 4, wherein computing the secure usage result further comprises:
    - generating the default action query;
      
      computing, in a default action processor, a default action indicative of an acceptable usage of the intended key; and
      
      computing the secure usage result based, at least in part, on the computer default action.
  - 8. The method of claim 4, wherein computing the secure usage result further comprises:
    - generating a key status query where the key status query produces the secure usage result, and examining the secure usage result;
      
      generating, if examining the secure usage result of the key status query is undeterministic of the intended key, the key usage authorization query and examining the corresponding secure usage result; and
      
      generating, if the key usage authorization query is undeterministic of the intended key, the default action query and examining the corresponding secure usage result.
  - 9. The method of claim 5, where the key status query further comprises:
    - indexing, in a local datastore, the security usage indicator to retrieve a Boolean indicator corresponding to permissible usage of the intended key for secure communications.
  - 10. The method of claim 6 wherein the secure usage result is not immediately indicative of permissible use and enforcing the secure usage result further comprises:
    - applying the default action until a secure usage result from the key usage authorization query is available; and
      
      applying the secure usage result from the key usage authorization query to subsequent requests to initiate secure communications.
  - 11. The method of claim 10, where the key usage authorization query further comprises:
    - transmitting the key usage authorization query to a remote node operable to invoke a rule base for determining the secure usage result; and
      
      receiving, from the remote node at the data communications device, the secure usage result.
  - 12. The method of claim 1, wherein determining an intended key to be used in establish the secure communications comprises determining a key operable for cryptographic communications.

13. A data communications device for managing secure communications comprising:
- an observer operable to sniff communications received by the data communications device and identify, from communications between a first endpoint device and traversing the data communications device destined for a second endpoint device, a security usage indicator indicative of an intended secure session to be established between the first and second endpoints; and
  
  an authorizer coupled to the observer having secure authorization logic operable to analyze the security usage indicator to compute, by operation of one or more computer processors, a secure usage result indicative of whether or not to allow the intended secure session, wherein the authorizer is configured to map one or more attributes of an intended key, determined by analyzing the identified security usage indicator, to a respective one or more entries within a data store and to apply one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules; and
  
  an enforcer operable to enforce the secure usage result at the data communications device by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of (i) disallowing communications, (ii) allowing secure communications pending further key usage authorization results, (iii) logging communications, and (iv) allowing secure communications.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The device of claim 13 wherein the detector is unintrusive such that the communications endpoints are unaware of the secure authorization query and the applying the secure communications result.
  - 15. The device of claim 13 wherein the authorizer is further operable to generate a secure authorization query comprising at least one of a key status query, a key usage authorization query, and a default action query, each of the status query, the key usage authorization query, and the default action query adapted to generate the secure usage result.
  - 16. The device of claim 13 wherein the authorizer further includes a managed key list having managed keys and a key status processor operable to generate a key status query and further operable to:
    - generate the key status query including the intended key;
      
      receive, at a key status processor the key status query;
      
      compare, via the key status processor, the intended key to the managed keys on the managed key list; and
      
      compute the secure usage result based on the outcome of the comparing.
  - 17. The device of claim 13 wherein the authorizer further comprises a default action processor operable to:
    - generate the default action query;
      
      compute, in a default action processor, a default action indicative of an acceptable usage of the intended key; and
      
      compute the secure usage result based on the computed default action.
  - 18. The device of claim 13 wherein the authorizer is further operable to:
    - generate a key status query and examining the corresponding secure usage result;
      
      generate, if examining the secure usage result of the key status query is undeterministic of the intended key, the key usage authorization query and examining the corresponding secure usage result; and
      
      generate, if the key usage authorization query is undeterministic of the intended key, the default action query and examining the corresponding secure usage result.
  - 19. The device of claim 16 wherein the key status processor is further operable to:
    - index, in a local datastore, the security usage indicator andretrieve a Boolean indicator corresponding to permissible usage of the security usage indicator for secure communications.
  - 20. The device of claim 13 wherein the key usage authorization result is not immediately indicative of permissible use the managed status processor is further operable to:
    - apply the default action until the key usage authorization result is available; and
      
      apply the key usage authorization result to subsequent requests to initiate secure communications.
  - 21. The device of claim 13 wherein the managed status processor is further operable to:
    - transmit the key usage authorization query to a remote node, the remote node having a rule database to be operable to determine the secure usage result; and
      
      receive, from the remote node, the secure usage result, wherein the remote node is adapted to receive key usage authorization queries from a plurality of data communications devices.
  - 22. The device of claim 13 wherein the authorizer is further operable to analyze the security usage indicator to determine a corresponding key operable for cryptographic communications.
  - 23. The device of claim 13 wherein at least one of the key status processor, the managed status processor, and the default action processor are in a remote key authorization server and accessible via a network transmission.
  - 24. The device of claim 13 wherein the security usage indicator for the intended secure communications conforms to a predetermined protocol of establishing secure communications, the predetermined protocol operable to define secure communications between a plurality of interconnected nodes.

25. A method of key usage enforcement comprising:
- packet sniffing, at a key enforcement device, communications from a first endpoint device and traversing the key enforcement device destined for a second endpoint device to identify a request to initiate secure communications between the first and second endpoint devices;
  
  interrogating the request to determine a security usage indicator indicative of an intended secure session to be established between the first and second endpoint devices;
  
  identifying, from the security usage indicator, an intended key to be employed in establishing the secure communications;
  
  computing a secure usage result indicative of whether to allow the intended secure session to be established, comprising;
  
  mapping one or more attributes of the intended key to a respective one or more entries within a data store; and
  
  applying one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules;
  
  enforcing the computed secure usage result by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of (i) disallowing communications, (ii) allowing secure communications pending further key usage authorization results, (iii) logging communications, and (iv) allowing secure communications.

26. A computer program product including a computer readable medium for encoding program logic thereon, the computer readable medium having computer program code for managing secure communications comprising:
- computer program code for packet sniffing, at a data communications device, one or more network packets from a first endpoint device and traversing the data communications device en route to a second endpoint device, to identify (i) a request to initiate secure communications between the first and second endpoint devices and (ii) a security usage indicator indicative of an intended secure session to be established between the first and second endpoint devices;
  
  computer program code to analyze the identified security usage indicator to determine an intended key to be used in establishing the secure communications;
  
  computer program code for computing a secure usage result indicative of whether or not to allow the intended secure session to be established, comprising mapping one or more attributes of the intended key to a respective one or more entries within a data store, and applying one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules; and
  
  computer program code for enforcing the secure usage result by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of (i) disallowing communications, (ii) allowing secure communications pending further key usage authorization results, (iii) logging communications, and (iv) allowing secure communications.

27. A data communications device for managing secure communications comprising:
- means for identifying, by packet sniffing one or more network packets from a first endpoint device and traversing the data communications device en route to a second endpoint device, (i) a request to initiate secure communications between the first endpoint device and a second endpoint devices, and (ii) a security usage indicator indicative of an intended secure session to be established employed for the secure communications between the first and second endpoint devices;
  
  means for analyzing the identified security usage indicator to determine an intended key to be used in establishing the secure communications;
  
  means for computing a security usage result indicative of whether to allow the intended secure session to be established, comprising;
  
  means for mapping one or more attributes of the intended key to a respective one or more entries within a data store; and
  
  means for applying one or more rules corresponding to the one or more entries within the data store to compute the secure usage result, wherein each of the one or more rules is associated with a respective priority value indicating a relative priority of the rule with respect to the other rules;
  
  andmeans for enforcing the computed secure usage result by selectively allowing and prohibiting establishment of the intended secure session for secure communications between the first and second endpoint devices, comprising at least one of;
  
  means for disallowing communications;
  
  means for allowing secure communications pending further key usage authorization results;
  
  means for logging communications; and
  
  means for allowing secure communications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
O'Toole, James W. Jr.
Primary Examiner(s)
Chea, Philip
Assistant Examiner(s)
HOANG, DANIEL L

Application Number

US10/419,484
Time in Patent Office

3,550 Days
Field of Search

713/153, 713/154, 713/155, 713/160, 713/161, 713/151, 726/22
US Class Current

713/151
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/20 for managing network securi...

Method and apparatus for managing secure communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for managing secure communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links