Methods for providing security over untrusted networks

US 8,874,768 B2
Filed: 12/10/2010
Issued: 10/28/2014
Est. Priority Date: 07/30/1996
Status: Expired due to Fees

First Claim

Patent Images

1. A method of establishing security within an untrusted network, comprising:

providing a digital certificate associated with a first security apparatus associated with a first computerized host device;

sending said digital certificate via a message to a second security apparatus associated with a second computerized host device;

receiving at said first security apparatus and from said second security apparatus an initialization vector and a cryptographic element which is encrypted, said cryptographic element having been generated by said second apparatus after receiving said digital certificate;

decrypting said encrypted cryptographic element to obtain access to said encrypted cryptographic element;

verifying an integrity of a second message used to transmit said cryptographic element using a digital signature, at least a portion of said second message wrapped along with said digital signature;

initializing an encryption algorithm using the initialization vector; and

encrypting one or more datagrams exchanged between the computerized host devices using the decrypted cryptographic element.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for providing for secure communications across data networks, including untrusted networks. In one embodiment, the method comprises establishing security associations between devices on the network using a digital certificate and key exchange protocol. In one variant, the digital certificate comprises a public encryption key; the recipient of the certificate authenticates the sender using at least the signature, and then generates a cryptographic element (e.g., key), and initialization vector. The key is encrypted and sent back to the originator, where it is decrypted and used to encrypt datagrams sent between the devices. The initialization vector may be used to initialize the encryption algorithm on the receiving device.

Citations

13 Claims

1. A method of establishing security within an untrusted network, comprising:
- providing a digital certificate associated with a first security apparatus associated with a first computerized host device;
  
  sending said digital certificate via a message to a second security apparatus associated with a second computerized host device;
  
  receiving at said first security apparatus and from said second security apparatus an initialization vector and a cryptographic element which is encrypted, said cryptographic element having been generated by said second apparatus after receiving said digital certificate;
  
  decrypting said encrypted cryptographic element to obtain access to said encrypted cryptographic element;
  
  verifying an integrity of a second message used to transmit said cryptographic element using a digital signature, at least a portion of said second message wrapped along with said digital signature;
  
  initializing an encryption algorithm using the initialization vector; and
  
  encrypting one or more datagrams exchanged between the computerized host devices using the decrypted cryptographic element.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein said initializing of said encryption algorithm comprises initializing a block cipher encryption algorithm.
  - 3. The method of claim 1, wherein said digital certificate comprises a public portion of a public-private key pair.
  - 4. The method of claim 3, wherein said cryptographic element is encrypted using at least a private portion of a public-private key pair.
  - 5. The method of claim 1, wherein said generation of said cryptographic element by said second apparatus after receiving said digital certificate comprises first authenticating said first network security apparatus based at least in part on said digital certificate.
  - 6. The method of claim 1, wherein said at least a portion of said message comprises an association request, and said digital signature enabling verification of an integrity of the association request received from the first apparatus.
  - 7. The method of claim 6, wherein said verification of said integrity must be completed before said second security apparatus provides the cryptographic element to the first apparatus.
  - 8. The method of claim 1, wherein said encryption of said one or more datagrams further comprises generating at least one cryptographic residue.
  - 9. The method of claim 8, further comprising using said at least one cryptographic residue to assure an integrity of said one or more datagrams after transmission.
  - 10. The method of claim 1, wherein said first computerized host comprises a portable computerized device having an entrusted operating system and a software stack, at least a portion of said stack comprising said first security apparatus, said method further comprising transmitting an application layer message down through said stack, said first security apparatus encrypting at least a portion of said application layer message before transmission over said network.
  - 11. The method of claim 1, further comprising identifying a user of said first device to said first security apparatus before providing access to said network.
  - 12. The method of claim 11, wherein said identifying said user comprises requiring said user to enter a password.
  - 13. The method of claim 1, wherein said message to said second security apparatus comprises a security association request message, and said encrypted cryptographic element is received at said first apparatus via an association grant message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Round Rock Research LLC
Inventors
Holden, James M, Levin, Stephen E, Nickel, James O, Wrench, Edwin H
Primary Examiner(s)
Moise, Emmanuel L
Assistant Examiner(s)
HUQ, FARZANA B

Application Number

US12/965,646
Publication Number

US 20110197068A1
Time in Patent Office

1,418 Days
Field of Search

709/200, 709225-226, 709/237, 726/2, 713/150, 713170-171, 713/182
US Class Current

709/229
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

Methods for providing security over untrusted networks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Methods for providing security over untrusted networks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links