Security for remote access VPN

US 8,806,609 B2
Filed: 03/08/2011
Issued: 08/12/2014
Est. Priority Date: 03/08/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising;

generating, at a first device, key information for a virtual private network (VPN) connection between the first device and a second device;

wherein the key information comprises one or more session keys for a VPN session associated with the VPN connection;

generating, at the first device, a plurality of shares from the key information;

wherein the plurality of shares includes a first set of one or more shares and a second set of one or more shares;

wherein the first set of one or more shares is different than the second set of one or more shares;

causing the first set of one or more shares to be stored on a dongle that is paired to the first device;

causing the second set of one or more shares to be stored on the first device;

reconstructing the one or more session keys for the VPN session associated with the VPN connection using the first set of one or more shares and the second set of one or more shares;

resuming the VPN session based at least in part on the one or more session keys that were reconstructed using the first set of one or more shares and the second set of one or more shares.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for improving security in virtual private network. In one embodiment, key information is generated for a virtual private network (VPN) connection between a first device and a second device. A plurality of shares is then generated based on the key information. A first set of one or more shares is stored on a dongle that is paired to the first device. A second set of one or more shares is stored on the first device. In response to a request to resume the VPN connection, the first set of shares is retrieved from the dongle. The key information is reconstructed based on the first set of shares and the second set of shares. The reconstructed key information may then be used to resume the VPN connection.

76 Citations

View as Search Results

19 Claims

1. A method comprising;
- generating, at a first device, key information for a virtual private network (VPN) connection between the first device and a second device;
  
  wherein the key information comprises one or more session keys for a VPN session associated with the VPN connection;
  
  generating, at the first device, a plurality of shares from the key information;
  
  wherein the plurality of shares includes a first set of one or more shares and a second set of one or more shares;
  
  wherein the first set of one or more shares is different than the second set of one or more shares;
  
  causing the first set of one or more shares to be stored on a dongle that is paired to the first device;
  
  causing the second set of one or more shares to be stored on the first device;
  
  reconstructing the one or more session keys for the VPN session associated with the VPN connection using the first set of one or more shares and the second set of one or more shares;
  
  resuming the VPN session based at least in part on the one or more session keys that were reconstructed using the first set of one or more shares and the second set of one or more shares.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising, in response to a request to establish the VPN connection between the first device and the second device:
    - retrieving the first set of one or more shares from the dongle;
      
      establishing the VPN connection between the first device and the second device based on the first set of one or more shares and the second set of one or more shares.
  - 3. The method of claim 1, wherein the key information comprises one or more authentication keys associated with the VPN connection, the method further comprising reconstructing the one or more authentication keys using the first set of one or more shares and the second set of one or more shares.
  - 4. The method of claim 1, further comprising in response to a request to establish the VPN connection between the first device and the second device:
    - determining that the first set of one or more shares transferred to the dongle is not available;
      
      in response to determining that the first set of one or more shares transferred to the dongle is not available, requiring that a user of the first device provide authentication information to reauthenticate the first device for the VPN connection.
  - 5. The method of claim 4, wherein determining that the first set of one or more shares transferred to the dongle is not available comprises determining that the dongle is not paired to the first device.
  - 6. The method of claim 4, wherein the first set of one or more shares stored on the dongle is associated with a timeout value and determining that the first set of one or more shares transferred to the dongle is not available comprises determining that a time associated with the first set of one or more shares has exceeded the timeout value.
  - 7. The method of claim 1, wherein each share of the plurality of shares is stored on a different storage device including the first device and the dongle, the method further comprising:
    - in response to a request to establish the VPN connection between the first device and the second device;
      
      determining whether a minimum threshold of shares is available for retrieval by the first device;
      
      if the minimum threshold of shares is available for retrieval by the first device, retrieving the minimum threshold of shares and using the retrieved shares to establish the VPN connection between the first device and the second device;
      
      if the minimum threshold of shares is not available for retrieval by the first device, requiring that a user of the first device provide authentication information to reauthenticate the first device for the VPN connection.
  - 8. The method of claim 1, wherein the first set of one or more shares comprises a random encryption key generated by the first device and wherein the second set of one or more shares comprises ciphertext generated by applying the random encryption key to the key information for the VPN connection.
  - 9. The method of claim 1, wherein the dongle is at least one of a Bluetooth device that is paired to the first device over a wireless Bluetooth connection or a Universal Serial Bus (USB) device that is paired to the first device over physical connection to a USB port physically coupled to the first device.

10. A non-transitory computer-readable medium storing instructions, which, when executed by one or more processors, cause performance of;
- generating, at a first device, key information for a virtual private network (VPN) connection between the first device and a second device;
  
  wherein the key information comprises one or more session keys for a VPN session associated with the VPN connection;
  
  generating, at the first device, a plurality of shares from the key information;
  
  wherein the plurality of shares includes a first set of one or more shares and a second set of one or more shares;
  
  wherein the first set of one or more shares is different than the second set of one or more shares;
  
  causing the first set of one or more shares to be stored on a dongle that is paired to the first device;
  
  causing the second set of one or more shares to be stored on the first device;
  
  reconstructing the one or more session keys for the VPN session associated with the VPN connection using the first set of one or more shares and the second set of one or more shares;
  
  resuming the VPN session based at least in part on the one or more session keys that were reconstructed using the first set of one or more shares and the second set of one or more shares.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The non-transitory computer-readable medium of claim 10, further comprising instructions, which, when executed by the one or more processors, cause performance of:
    - in response to a request to establish the VPN connection between the first device and the second device;
      
      retrieving the first set of one or more shares from the dongle;
      
      establishing the VPN connection between the first device and the second device based on the first set of one or more shares and the second set of one or more shares.
  - 12. The non-transitory computer-readable medium of claim 10, wherein the key information comprises one or more authentication keys associated with the VPN connection the non-transitory computer readable medium further storing instructing, which, when executed by the one or more processors cause performance of:
    - reconstructing the one or more authentication keys using the first set of one or more shares and the second set of one or more shares.
  - 13. The non-transitory computer-readable medium of claim 10, further comprising instructions, which, when executed by the one or more processors, cause performance of:
    - in response to a request to establish the VPN connection between the first device and the second device;
      
      determining that the first set of one or more shares transferred to the dongle is not available;
      
      in response to determining that the first set of one or more shares transferred to the dongle is not available, requiring that a user of the first device provide authentication information to reauthenticate the first device for the VPN connection.
  - 14. The non-transitory computer-readable medium of claim 13, wherein determining that the first set of one or more shares transferred to the dongle is not available comprises determining that the dongle is not paired to the first device.
  - 15. The non-transitory computer-readable medium of claim 13, wherein the first set of one or more shares stored on the dongle is associated with a timeout value and determining that the first set of one or more shares transferred to the dongle is not available comprises determining that a time associated with the first set of one or more shares has exceeded the timeout value.
  - 16. The non-transitory computer-readable medium of claim 10, wherein each share of the plurality of shares is stored on a different storage device including the first device and the dongle, the non-transitory computer-readable medium further comprising instructions, which, when executed by the one or more processors, cause performance of:
    - in response to a request to establish the VPN connection between the first device and the second device;
      
      determining whether a minimum threshold of shares is available for retrieval by the first device;
      
      if the minimum threshold of shares is available for retrieval by the first device, retrieving the minimum threshold of shares and using the retrieved shares to establish the VPN connection between the first device and the second device;
      
      if the minimum threshold of shares is not available for retrieval by the first device, requiring that a user of the first device provide authentication information to reauthenticate the first device for the VPN connection.
  - 17. The non-transitory computer-readable medium of claim 10, wherein the first set of one or more shares comprises a random encryption key generated by the first device and wherein the second set of one or more shares comprises ciphertext generated by applying the random encryption key to the key information for the VPN connection.

18. An apparatus comprising;
- one or more hardware processors;
  
  one or more stored sequences of instructions which, when executed by the one or more hardware processors, cause the apparatus to perform;
  
  generating, at the apparatus, key information for a virtual private network (VPN) connection between the apparatus and a second device;
  
  wherein the key information comprises one or more session keys for a VPN session associated with the VPN connection;
  
  generating, at the apparatus, a plurality of shares from the key information;
  
  wherein the plurality of shares includes a first set of one or more shares and a second set of one or more shares;
  
  wherein the first set of one or more shares is different than the second set of one or more shares;
  
  causing the first set of one or more shares to be stored on a dongle that is paired to the apparatus;
  
  causing the second set of one or more shares to be stored on the apparatus;
  
  reconstructing the one or more session keys for the VPN session associated with the VPN connection using the first set of one or more shares and the second set of one or more shares;
  
  resuming the VPN session based at least in part on the one or more session keys that were reconstructed using the set of one or more shares and the second set of one or more shares.
- View Dependent Claims (19)
- - 19. The apparatus of claim 18, further comprising instructions, which, when executed by the one or more hardware processors, cause the apparatus to perform, in response to a request to establish the VPN connection between the apparatus and the second device:
    - retrieving the first set of one or more shares from the dongle;
      
      establishing the VPN connection between the apparatus and the second device based on the first set of one or more shares and the second set of one or more shares.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gladstone, Philip John Steuart, McGrew, David A.
Primary Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US13/043,222
Publication Number

US 20120233674A1
Time in Patent Office

1,253 Days
Field of Search

726/9, 726/15
US Class Current

726/15
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/06   for supporting key manageme...

H04L 63/0853   using an additional device,...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0897   involving additional device...

Security for remote access VPN

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

76 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security for remote access VPN

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links