System and method for preventing a computing device from obtaining unauthorized access to a secure network or trusted computing environment

US 9,059,853 B1
Filed: 02/22/2012
Issued: 06/16/2015
Est. Priority Date: 02/22/2012
Status: Active Grant

First Claim

Patent Images

1. A system for preventing a computing device from obtaining unauthorized access to a secure network, comprising:

a) a network client agent operably connected to a computing device configured to intercept network traffic information from applications running on said computing device and transmit a network request comprising application information and said network traffic information;

b) a network token broker operably connected to said network client agent and containing a database of application information, said network token broker configured to receive said network request and cooperate with said network client agent for i) verifying whether said network request should be granted access to said secure network, and ii) generating a network authorization token by cryptographically signing the intercepted network traffic information to provide a cryptographic signature, to authorize network access for said intercepted network traffic information, wherein said network authorization token is returned to said network client agent, said network client agent attaching the network authorization token to the network traffic information; and

,c) a guard system operably connected to said computing device, configured to receive said network traffic information and the attached network authorization token, and to inspect said network traffic information from said network client agent on said computing device and reject any traffic information not signed with said network authorization token, wherein said guard system is configured to provide inspection of said network traffic information by the process of;

i) receiving said network request and said network authorization token;

ii) testing the validity of said network authorization token to provide a validated said network request;

iii) stripping said network authorization token to restore said network request to provide original state prior to interception by said network client agent, andiv) forwarding said intercepted network traffic information to a secure network destination only if said network authorization token is valid.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for preventing a computing device from obtaining unauthorized access to a secure network includes a client agent operably connected to the computing device configured to intercept network traffic information from applications running on the computing device and transmit a network request including application information and the network traffic information. A network token broker operably connected to the network client agent contains a database of application information. The network token broker is configured to cooperate with the network client agent for i) verifying whether the network request should be granted access to the secure network, and ii) cryptographically signing the intercepted network traffic information with a network authorization token, to authorize network access for the intercepted network traffic information. A guard system is configured to inspect the network traffic information from the computing device and reject any traffic information not signed with the network authorization token.

42 Citations

View as Search Results

28 Claims

1. A system for preventing a computing device from obtaining unauthorized access to a secure network, comprising:
- a) a network client agent operably connected to a computing device configured to intercept network traffic information from applications running on said computing device and transmit a network request comprising application information and said network traffic information;
  
  b) a network token broker operably connected to said network client agent and containing a database of application information, said network token broker configured to receive said network request and cooperate with said network client agent for i) verifying whether said network request should be granted access to said secure network, and ii) generating a network authorization token by cryptographically signing the intercepted network traffic information to provide a cryptographic signature, to authorize network access for said intercepted network traffic information, wherein said network authorization token is returned to said network client agent, said network client agent attaching the network authorization token to the network traffic information; and
  
  ,c) a guard system operably connected to said computing device, configured to receive said network traffic information and the attached network authorization token, and to inspect said network traffic information from said network client agent on said computing device and reject any traffic information not signed with said network authorization token, wherein said guard system is configured to provide inspection of said network traffic information by the process of;
  
  i) receiving said network request and said network authorization token;
  
  ii) testing the validity of said network authorization token to provide a validated said network request;
  
  iii) stripping said network authorization token to restore said network request to provide original state prior to interception by said network client agent, andiv) forwarding said intercepted network traffic information to a secure network destination only if said network authorization token is valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein said network token broker provides said cryptographic signature by signing individual network packets.
  - 3. The system of claim 2, wherein said guard system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed individual network packets;
      
      b) testing the validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said signature to restore said signed individual network packets to provide original state prior to interception by said network client agent, andd) forwarding said original intercepted network traffic information to a secure network destination only if said signature is valid.
  - 4. The system of claim 1, wherein said network token broker provides said cryptographic signature by signing individual network packets, by applying internet protocol (IP) encapsulation by adding a cryptographic hash field to said intercepted network traffic information.
  - 5. The system of claim 4, wherein said guard system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed individual network packets;
      
      b) testing the validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said signature to restore said signed individual network packets to provide original state prior to interception by said network client agent, andd) forwarding said original intercepted network traffic information to a secure network destination only if said signature is valid.
  - 6. The system of claim 1, wherein said network token broker provides said cryptographic signature by signing individual network packets, by applying an Internet Protocol header field to said intercepted network traffic information.
  - 7. The system of claim 6, wherein said guard system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed individual network packets;
      
      b) testing the validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said signature to restore said signed individual network packets to provide original state prior to interception by said network client agent, andd) forwarding said original intercepted network traffic information to a secure network destination only if said signature is valid.
  - 8. The system of claim 1, wherein said network token broker provides said cryptographic signature by signing individual network packets, by applying a transport layer wrapping protocol to said intercepted network traffic information.
  - 9. The system of claim 8, wherein said guard system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed individual wrapped network packets;
      
      b) testing the validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said signature and transport layer wrapper to restore said signed individual network packets to provide original state prior to interception by said network client agent, andd) forwarding said original intercepted network traffic information to a secure network destination only if said signature is valid.
  - 10. The system of claim 1, wherein said network token broker provides said cryptographic signature by adding a token to a transport or session protocol.
  - 11. The system of claim 10, wherein said guard system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed token and network traffic information;
      
      b) testing the validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said token to restore network traffic information to provide original state prior to interception by said network client agent, andd) forwarding said original intercepted network traffic information to a secure network destination only if said signature is valid.
  - 12. The system of claim 1, wherein said network token broker provides said cryptographic signature by adding a token, by adding a tag-value pair to an application layer protocol.
  - 13. The system of claim 12, wherein said guard system provides inspection of said network traffic information by the process of:
    - a) receiving said cryptographically signed token within said application layer protocol;
      
      b) testing validity of said cryptographic signature to provide validated cryptographic signature;
      
      c) stripping said token to restore said application layer request to provide original state prior to interception by said network client agent, andd) forwarding said original intercepted network traffic information to a secure network destination only if signature is valid.
  - 14. The system of claim 1, wherein said network token broker provides said cryptographic signature by adding a token, by providing a tag-value pair matched to the application layer protocol via an out-of-band transport.
  - 15. The system of claim 1, wherein said network token broker provides said cryptographic signature by a decision making technique.
  - 16. The system of claim 1, wherein said network client agent provides monitoring of said network traffic information by the process of:
    - a) intercepting said transmit network request or said network traffic information to provide said intercepted transmit network request or said network traffic information;
      
      b) identifying the application information of said intercepted network request or said network traffic information to provide identified said user computer and application information;
      
      c) forwarding said intercepted transmit network request or said network traffic information, with said computed cryptographic hash of said identified application information, to said network token broker.
  - 17. The system of claim 1, wherein said network token broker and said guard system are embodied within a communication sleeve constructed to attach to said computing device.

18. A system for preventing a computing device from obtaining unauthorized access to a secure network, comprising:
- a) a network client agent operably connected to a computing device configured to intercept network traffic information from applications running on said computing device and transmit a network request comprising application information and said network traffic information;
  
  b) a network token broker operably connected to said network client agent and containing a database of application information, said network token broker configured to receive said network request and cooperate with said network client agent for i) verifying whether said network request should be granted access to said secure network, and ii) generating a network authorization token by cryptographically signing the intercepted network traffic information to provide a cryptographic signature, to authorize network access for said intercepted network traffic information, wherein said network authorization token is returned to said network client agent, said network client agent attaching the network authorization token to the network traffic information; and
  
  ,c) a guard system operably connected to said computing device, configured to receive said network traffic information and the attached network authorization token, and to inspect said network traffic information from said network client agent on said computing device and reject any traffic information not signed with said network authorization token,wherein said network token broker provides said cryptographic signing by a decision making technique, by the process of;
  
  receiving cryptographic signatures of said application information and said network traffic information to provide received cryptographic signature and network traffic information;
  
  identifying the application information authentication of said received network traffic information and said received cryptographic signature to provide identified intercepted network information and cryptographic signature;
  
  computing a cryptographic signature of said identified traffic information including user authentication and user host OS configuration to provide computed cryptographic hash of said identified traffic information;
  
  comparing said computed network traffic information and said cryptographic signature against at least one of a whitelist and a blacklist database or comparing intercepted network information against whitelist or blacklist database to provide compared computed networked information and compared computed cryptographic signature; and
  
  ,digitally signing the network traffic information only if said compared computed network information and compared computed cryptographic signature are contained in said whitelist, and not contained in said blacklist.

19. A method for preventing a computing device from obtaining unauthorized access to a secure network, comprising the steps of:
- a) intercepting network traffic information from applications running on a computing device utilizing a network client agent operably connected to said computing device and transmitting a network request comprising application information and said network traffic information;
  
  b) verifying whether said network request should be granted access to said secure network utilizing a network token broker operably connected to said network client agent containing a database of application information;
  
  c) cryptographically signing said intercepted network traffic information with a network authorization token, to authorize network access for said intercepted network traffic information wherein said cryptographically signing is provided by generating a network authorization token and wherein said network authorization token is returned to said network client agent, said network client agent attaching the network authorization token to the network traffic information; and
  
  ,d) inspecting said network traffic information from said network client agent on said computing device and rejecting any traffic information not signed with said authorization server key utilizing a guard system operably connected to said computing device and said network client agent, wherein said guard system is configured to receive said network traffic information and the attached network authorization token, and wherein, wherein said guard system is configured to provide said inspecting of said network traffic information by the process of;
  
  i) receiving said network request and said network authorization token;
  
  ii) testing the validity of said network authorization token to provide a validated said network request;
  
  iii) stripping said network authorization token to restore said network request to provide original state prior to interception by said network client agent, andiv) forwarding said intercepted network traffic information to a secure network destination only if said network authorization token is valid.

20. A system for authenticating a request from an untrusted computing device to access an interface for service functions in a trusted computing environment, comprising:
- a) a service client agent operably connected to an untrusted computing device configured to present identity-recognition credentials with service requests from service applications to access an interface to service functions in a trusted computing environment;
  
  b) a service token broker contained in said trusted computing environment, operably connected to said service client agent and containing a database of identity-recognition credentials and unique hardware identifiers, said service token broker configured to receive said service requests and cooperate with said service client agent for i) verifying whether said service requests should have access to said trusted computing environment, and ii) generating a service authorization token by cryptographically signing the service requests to provide a cryptographic signature, to authorize access for said services or functions, wherein said network service token is returned to said service client agent, said service client agent attaching the service authorization token to the service requests; and
  
  ,c) a service interface in a trusted computing environment operably connected to said service client agent, configured to receive said service requests and the attached service authorization token, and to inspect said service requests from said service client agent on said untrusted computing device and reject any said service requests not signed with said service authorization token, wherein said service interface is configured to provide inspection of said service requests by the process of;
  
  i) receiving said service requests and said service authorization token;
  
  ii) testing the validity of said service authorization token to provide a validated said service request;
  
  iii) stripping said service authorization token to restore said service request to provide original state prior to inspection by said service client agent, andiv) forwarding said inspected service request to a secure network destination only if said service authorization token is valid.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The system of claim 20, wherein said service token broker provides said cryptographic signing by adding a token to a transport or session protocol.
  - 22. The system of claim 21, wherein said service interface provides inspection of said service request information by the process of:
    - a) receiving said cryptographically signed service request information;
      
      b) testing the validity of said cryptographic signature to provide a validated cryptographic signature; and
      
      ,c) fulfilling said original service request only if said signature is valid.
  - 23. The system of claim 20, wherein said service token broker provides said cryptographic signing by adding a token, by adding a tag-value pair to an application layer protocol.
  - 24. The system of claim 23, wherein said service interface provides inspection of said service request information by the process of:
    - a) receiving said cryptographically signed service request information;
      
      b) testing the validity of said cryptographic signature to provide a validated cryptographic signature; and
      
      ,c) fulfilling said original service request only if said signature is valid.
  - 25. The system of claim 20, wherein said service token broker provides said cryptographic signing by adding a token, by providing a tag-value pair matched to the application layer protocol via an out-of-band transport.
  - 26. The system of claim 25, wherein said service interface provides inspection of said service request information by the process of:
    - a) receiving said cryptographically signed service request information;
      
      b) testing the validity of said cryptographic signature to provide a validated cryptographic signature; and
      
      ,c) fulfilling said original service request only if said signature is valid.
  - 27. The system of claim 20, wherein said service token broker provides said cryptographic signing by a decision making technique.

28. A system for preventing a computing device from obtaining unauthorized access to a secure network, comprising:
- a) a service client agent operably connected to an untrusted computing device configured to present identity-recognition credentials with service requests from service applications to access an interface to service functions in a trusted computing environment;
  
  b) a service token broker contained in said trusted computing environment, operably connected to said service client agent and containing a database of identity-recognition credentials and unique hardware identifiers, said service token broker configured to receive said service requests and cooperate with said service client agent for i) verifying whether said service requests should have access to said trusted computing environment, and ii) generating a service authorization token by cryptographically signing the service requests to provide a cryptographic signature, to authorize access for said services or functions, wherein said network service token is returned to said service client agent, said service client agent attaching the service authorization token to the service requests; and
  
  ,c) a service interface in a trusted computing environment operably connected to said service client agent, configured to receive said service requests and the attached service authorization token, and to inspect said service requests from said network client agent on said untrusted computing device and reject any said service requests not signed with said service authorization token, wherein said service token broker provides said cryptographic signing by a decision making technique, by the process of;
  
  receiving said identity-recognition credentials, said service request information from said service requests to provide said received identity-recognition credentials, said unique hardware identifiers and said service request information;
  
  identifying said identity-recognition credentials and said received service request information to provide identified service request information and identified identity-recognition credentials;
  
  computing a cryptographic signature of said identified service request information including said identified identity-recognition credentials to provide a computed cryptographic hash of said identified service request information;
  
  comparing said computed service request information and said computed cryptographic signature against at least one of a whitelist and a blacklist database or comparing said service request information against a whitelist or blacklist database to provide compared computed service request information and compared computed cryptographic signature; and
  
  ,digitally signing the service request information only if said compared computed service request information and compared computed cryptographic signature are contained in said whitelist, and not contained in said blacklist.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Original Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Inventors
Bortz, Mark A., Potts, James N., Rice, Gregory W., Hoech, Karl F.
Primary Examiner(s)
Nguyen, Thuong

Application Number

US13/402,278
Time in Patent Office

1,210 Days
Field of Search

713/156, 713/168, 726/4, 726/9, 726/13
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 67/562   Brokering proxy services

H04L 69/22   Parsing or analysis of headers

H04L 9/32   including means for verifyi...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

System and method for preventing a computing device from obtaining unauthorized access to a secure network or trusted computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

System and method for preventing a computing device from obtaining unauthorized access to a secure network or trusted computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others