Separating control and data operations to support secured data transfers

US 8,687,804 B2
Filed: 11/01/2006
Issued: 04/01/2014
Est. Priority Date: 11/01/2006
Status: Active Grant

First Claim

Patent Images

1. A device comprising:

one or more processors;

memory coupled to the one or more processors, the memory comprising;

a protocol unit that includes a first protocol module and a second protocol module;

the first protocol module to communicate over at least one control channel in accordance with a message-oriented communication protocol, the second protocol module to communicate over one or more data channels in accordance with a stream-oriented communication protocol, the at least one control channel operating independently and in parallel to the one or more data channels, the one or more data channels utilized to transmit data; and

a security unit comprising;

a security negotiator to negotiate security requirements for a first data portion of a single data transfer request via the at least one control channel with the message-oriented communication protocol and to negotiate security requirements for a second data portion of the single data transfer request while the first data portion is transferred over the one or more data channels in accordance with the stream-oriented communication protocol; and

a security implementer to bind the security requirements for the first data portion of the single data transfer request to the second protocol and to bind the security requirements for the second data portion of the single data transfer request to a different protocol that is associated with a different data channel than the stream-oriented communication protocol.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For a data transfer, security is negotiated via a control channel operating in accordance with a first protocol. The data is transmitted responsive to the security negotiation on a data channel operating in accordance with a second protocol. For example, a described implementation involves using a security control protocol and a separate secure data transfer protocol that operate cooperatively, but independently, to provide flexible application layer security with highly efficient data transfers.

Citations

19 Claims

1. A device comprising:
- one or more processors;
  
  memory coupled to the one or more processors, the memory comprising;
  
  a protocol unit that includes a first protocol module and a second protocol module;
  
  the first protocol module to communicate over at least one control channel in accordance with a message-oriented communication protocol, the second protocol module to communicate over one or more data channels in accordance with a stream-oriented communication protocol, the at least one control channel operating independently and in parallel to the one or more data channels, the one or more data channels utilized to transmit data; and
  
  a security unit comprising;
  
  a security negotiator to negotiate security requirements for a first data portion of a single data transfer request via the at least one control channel with the message-oriented communication protocol and to negotiate security requirements for a second data portion of the single data transfer request while the first data portion is transferred over the one or more data channels in accordance with the stream-oriented communication protocol; and
  
  a security implementer to bind the security requirements for the first data portion of the single data transfer request to the second protocol and to bind the security requirements for the second data portion of the single data transfer request to a different protocol that is associated with a different data channel than the stream-oriented communication protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device as recited in claim 1, wherein the security implementer comprises at least part of a requesting application that receives data via the one or more data channels using the stream-oriented communication protocol module or a responding application that transmits data via the one or more data channels using the second protocol module.
  - 3. The device as recited in claim 1, wherein the security negotiator comprises an integrity negotiator and a confidentiality negotiator;
    - the integrity negotiator to negotiate integrity information via the at least one control channel for use with transmission of the data via the one or more data channels, the confidentiality negotiator to negotiate confidentiality information via the at least one control channel for use with transmission of the data via the one or more data channels.
  - 4. The device as recited in claim 1, wherein the processor-executable instructions further negotiate the stream-oriented communication protocol with a remote application using at least one message.
  - 5. The device as recited in claim 1, wherein the message-oriented communication protocol comprises a Simple Object Access Protocol (SOAP), a Remote Procedure Call (RPC) protocol, or a Web Services protocol and the stream-oriented communication protocol comprises a Transmission Control Protocol/Internet Protocol (TCP/IP) protocol, a Remote Direct Memory Access (RDMA) protocol, a File Transfer Protocol (FTP), or a GridFTP.
  - 6. The one or more processor-accessible storage device as recited in claim 1, wherein the negotiated security requirements for the first portion of the single data transfer comprise confidentiality information or integrity information.
  - 7. The computer-implemented method as recited in claim 6, wherein the confidentiality information comprises an encryption algorithm, at least one cryptographic key, or one or more encryption parameters.

8. One or more computer-readable devices encoded with instructions that, when executed, direct a computing device to perform operations comprising:
- negotiating, via at least one control channel operating in accordance with a message-oriented communication protocol, security information for a first portion of a single data transfer;
  
  binding the security information for the first data portion of the single data transfer request to a stream-oriented communication protocol, the stream-oriented communication protocol usable to communicate over one or more data channels used to transmit data, the one or more data channels operating independently and in parallel to the at least one control channel;
  
  negotiating, via the at least one control channel operating in accordance with the message-oriented communication protocol, security information for a second portion of the single data transfer while the first data portion is transferred over the one or more data channels in accordance with the stream-oriented communication protocol; and
  
  binding the security information for the second data portion of the single data transfer request to a different protocol that is associated with a different data channel than the stream-oriented communication protocol.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. One or more computer-readable devices as recited in claim 8, wherein the operations further comprise:
    - performing, via the at least one control channel operating in accordance with the message-oriented communication protocol, an authentication procedure between a requester and a responder to authenticate the requester of the single data transfer and/or the responder who is to supply the single data transfer.
  - 10. One or more computer-readable devices as recited in claim 8, wherein the operations further comprise:
    - identifying, via the at least one control channel operating in accordance with the message-oriented communication protocol, the data to be transferred on the one or more data channels and stipulating the stream-oriented communication protocol to be used for the one or more data channels.
  - 11. One or more computer-readable devices as recited in claim 8, wherein the message-oriented communication protocol comprises a Simple Object Access Protocol (SOAP), a Remote Procedure Call (RPC) protocol, or a Web Services protocol;
    - and wherein the stream-oriented communication protocol comprises a Transmission Control Protocol/Internet Protocol (TCP/IP) protocol, a Remote Direct Memory Access (RDMA) protocol, a File Transfer Protocol (FTP), or a GridFTP.
  - 12. One or more computer-readable devices as recited in claim 8, wherein the negotiated security information for the first portion of the single data transfer comprises an encryption algorithm.
  - 13. One or more computer-readable devices as recited in claim 8, wherein the negotiated security information for the first portion of the single data transfer comprises one or more cryptographic keys for cryptographic operations to be implemented on the first portion of the single data transfer.

14. A computer-implemented method comprising:
- negotiating, via at least one control channel operating in accordance with a message-oriented communication protocol, security information for a first portion of a single data transfer;
  
  binding the security requirements for the first data portion of the single data transfer request to a stream-oriented communication protocol, the stream-oriented communication protocol usable to communicate over one or more data channels used to transmit data, the one or more data channels operating independently and in parallel to the at least one control channel;
  
  negotiating, via the at least one control channel operating in accordance with the message-oriented communication protocol, security information for a second portion of the single data transfer while the first data portion is transferred over the one or more data channels in accordance with the stream-oriented communication protocol; and
  
  binding the security information for the second data portion of the single data transfer request to a different protocol that is associated with a different data channel than the stream-oriented communication protocol.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer-implemented method as recited in claim 14, further comprising:
    - performing, via the at least one control channel operating in accordance with the message-oriented communication protocol, an authentication procedure between a requester and a responder to authenticate the requester of the data stream and/or the responder who is to supply the single data transfer.
  - 16. The computer-implemented method as recited in claim 14, further comprising:
    - identifying, via the at least one control channel operating in accordance with the message-oriented communication protocol, the data to be transferred on the one or more data channels and stipulating the stream-oriented communication protocol to be used for the one or more data channels.
  - 17. The computer-implemented method as recited in claim 14, wherein the security negotiation is accomplished by an application using one or more messages.
  - 18. The computer-implemented method as recited in claim 14, wherein the negotiated security information for the first portion of the single data transfer comprises an encryption algorithm.
  - 19. The computer-implemented method as recited in claim 14, wherein the negotiated security information for the first portion of the single data transfer comprises confidentiality information or integrity information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dillaway, Blair B.
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Kabir, Jahangir

Application Number

US11/555,578
Publication Number

US 20080101598A1
Time in Patent Office

2,708 Days
Field of Search

380/44, 726/3, 726/4, 713/151, 713/163
US Class Current

380/44
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 63/20   for managing network securi...

Separating control and data operations to support secured data transfers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Separating control and data operations to support secured data transfers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links