System and method for preventing a computing device from obtaining unauthorized access to a secure network or trusted computing environment
First Claim
1. A system for preventing a computing device from obtaining unauthorized access to a secure network, comprising:
a) a network client agent operably connected to a computing device configured to intercept network traffic information from applications running on said computing device and transmit a network request comprising application information and said network traffic information;
b) a network token broker operably connected to said network client agent and containing a database of application information, said network token broker configured to receive said network request and cooperate with said network client agent for i) verifying whether said network request should be granted access to said secure network, and ii) generating a network authorization token by cryptographically signing the intercepted network traffic information to provide a cryptographic signature, to authorize network access for said intercepted network traffic information, wherein said network authorization token is returned to said network client agent, said network client agent attaching the network authorization token to the network traffic information; and
c) a guard system operably connected to said computing device, configured to receive said network traffic information and the attached network authorization token, and to inspect said network traffic information from said network client agent on said computing device and reject any traffic information not signed with said network authorization token, wherein said guard system is configured to provide inspection of said network traffic information by the process of:
i) receiving said network request and said network authorization token;
ii) testing the validity of said network authorization token to provide a validated said network request;
iii) stripping said network authorization token to restore said network request to provide original state prior to interception by said network client agent, and
iv) forwarding said intercepted network traffic information to a secure network destination only if said network authorization token is valid.
1 Assignment
0 Petitions
Abstract
A system for preventing a computing device from obtaining unauthorized access to a secure network includes a client agent operably connected to the computing device configured to intercept network traffic information from applications running on the computing device and transmit a network request including application information and the network traffic information. A network token broker operably connected to the network client agent contains a database of application information. The network token broker is configured to cooperate with the network client agent for i) verifying whether the network request should be granted access to the secure network, and ii) cryptographically signing the intercepted network traffic information with a network authorization token, to authorize network access for the intercepted network traffic information. A guard system is configured to inspect the network traffic information from the computing device and reject any traffic information not signed with the network authorization token.
42 Citations
28 Claims
1. A system for preventing a computing device from obtaining unauthorized access to a secure network, comprising:
a) a network client agent operably connected to a computing device configured to intercept network traffic information from applications running on said computing device and transmit a network request comprising application information and said network traffic information;
b) a network token broker operably connected to said network client agent and containing a database of application information, said network token broker configured to receive said network request and cooperate with said network client agent for i) verifying whether said network request should be granted access to said secure network, and ii) generating a network authorization token by cryptographically signing the intercepted network traffic information to provide a cryptographic signature, to authorize network access for said intercepted network traffic information, wherein said network authorization token is returned to said network client agent, said network client agent attaching the network authorization token to the network traffic information; and
c) a guard system operably connected to said computing device, configured to receive said network traffic information and the attached network authorization token, and to inspect said network traffic information from said network client agent on said computing device and reject any traffic information not signed with said network authorization token, wherein said guard system is configured to provide inspection of said network traffic information by the process of:
i) receiving said network request and said network authorization token;
ii) testing the validity of said network authorization token to provide a validated said network request;
iii) stripping said network authorization token to restore said network request to provide original state prior to interception by said network client agent, and
iv) forwarding said intercepted network traffic information to a secure network destination only if said network authorization token is valid.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
18. A system for preventing a computing device from obtaining unauthorized access to a secure network, comprising:
a) a network client agent operably connected to a computing device configured to intercept network traffic information from applications running on said computing device and transmit a network request comprising application information and said network traffic information;
b) a network token broker operably connected to said network client agent and containing a database of application information, said network token broker configured to receive said network request and cooperate with said network client agent for i) verifying whether said network request should be granted access to said secure network, and ii) generating a network authorization token by cryptographically signing the intercepted network traffic information to provide a cryptographic signature, to authorize network access for said intercepted network traffic information, wherein said network authorization token is returned to said network client agent, said network client agent attaching the network authorization token to the network traffic information; and
c) a guard system operably connected to said computing device, configured to receive said network traffic information and the attached network authorization token, and to inspect said network traffic information from said network client agent on said computing device and reject any traffic information not signed with said network authorization token, wherein said network token broker provides said cryptographic signing by a decision making technique, by the process of:
receiving cryptographic signatures of said application information and said network traffic information to provide received cryptographic signature and network traffic information;
identifying the application information authentication of said received network traffic information and said received cryptographic signature to provide identified intercepted network information and cryptographic signature;
computing a cryptographic signature of said identified traffic information including user authentication and user host OS configuration to provide computed cryptographic hash of said identified traffic information;
comparing said computed network traffic information and said cryptographic signature against at least one of a whitelist and a blacklist database or comparing intercepted network information against whitelist or blacklist database to provide compared computed networked information and compared computed cryptographic signature; and
digitally signing the network traffic information only if said compared computed network information and compared computed cryptographic signature are contained in said whitelist, and not contained in said blacklist.
19. A method for preventing a computing device from obtaining unauthorized access to a secure network, comprising the steps of:
a) intercepting network traffic information from applications running on a computing device utilizing a network client agent operably connected to said computing device and transmitting a network request comprising application information and said network traffic information;
b) verifying whether said network request should be granted access to said secure network utilizing a network token broker operably connected to said network client agent containing a database of application information;
c) cryptographically signing said intercepted network traffic information with a network authorization token, to authorize network access for said intercepted network traffic information wherein said cryptographically signing is provided by generating a network authorization token and wherein said network authorization token is returned to said network client agent, said network client agent attaching the network authorization token to the network traffic information; and
d) inspecting said network traffic information from said network client agent on said computing device and rejecting any traffic information not signed with said authorization server key utilizing a guard system operably connected to said computing device and said network client agent, wherein said guard system is configured to receive said network traffic information and the attached network authorization token, and wherein said guard system is configured to provide said inspecting of said network traffic information by the process of:
i) receiving said network request and said network authorization token;
ii) testing the validity of said network authorization token to provide a validated said network request;
iii) stripping said network authorization token to restore said network request to provide original state prior to interception by said network client agent, and
iv) forwarding said intercepted network traffic information to a secure network destination only if said network authorization token is valid.
20. A system for authenticating a request from an untrusted computing device to access an interface for service functions in a trusted computing environment, comprising:
a) a service client agent operably connected to an untrusted computing device configured to present identity-recognition credentials with service requests from service applications to access an interface to service functions in a trusted computing environment;
b) a service token broker contained in said trusted computing environment, operably connected to said service client agent and containing a database of identity-recognition credentials and unique hardware identifiers, said service token broker configured to receive said service requests and cooperate with said service client agent for i) verifying whether said service requests should have access to said trusted computing environment, and ii) generating a service authorization token by cryptographically signing the service requests to provide a cryptographic signature, to authorize access for said services or functions, wherein said network service token is returned to said service client agent, said service client agent attaching the service authorization token to the service requests; and
c) a service interface in a trusted computing environment operably connected to said service client agent, configured to receive said service requests and the attached service authorization token, and to inspect said service requests from said service client agent on said untrusted computing device and reject any said service requests not signed with said service authorization token, wherein said service interface is configured to provide inspection of said service requests by the process of:
i) receiving said service requests and said service authorization token;
ii) testing the validity of said service authorization token to provide a validated said service request;
iii) stripping said service authorization token to restore said service request to provide original state prior to inspection by said service client agent, and
iv) forwarding said inspected service request to a secure network destination only if said service authorization token is valid.
Dependent claims: 21, 22, 23, 24, 25, 26, 27
28. A system for preventing a computing device from obtaining unauthorized access to a secure network, comprising:
a) a service client agent operably connected to an untrusted computing device configured to present identity-recognition credentials with service requests from service applications to access an interface to service functions in a trusted computing environment;
b) a service token broker contained in said trusted computing environment, operably connected to said service client agent and containing a database of identity-recognition credentials and unique hardware identifiers, said service token broker configured to receive said service requests and cooperate with said service client agent for i) verifying whether said service requests should have access to said trusted computing environment, and ii) generating a service authorization token by cryptographically signing the service requests to provide a cryptographic signature, to authorize access for said services or functions, wherein said network service token is returned to said service client agent, said service client agent attaching the service authorization token to the service requests; and
c) a service interface in a trusted computing environment operably connected to said service client agent, configured to receive said service requests and the attached service authorization token, and to inspect said service requests from said network client agent on said untrusted computing device and reject any said service requests not signed with said service authorization token, wherein said service token broker provides said cryptographic signing by a decision making technique, by the process of:
receiving said identity-recognition credentials, said service request information from said service requests to provide said received identity-recognition credentials, said unique hardware identifiers and said service request information;
identifying said identity-recognition credentials and said received service request information to provide identified service request information and identified identity-recognition credentials;
computing a cryptographic signature of said identified service request information including said identified identity-recognition credentials to provide a computed cryptographic hash of said identified service request information;
comparing said computed service request information and said computed cryptographic signature against at least one of a whitelist and a blacklist database or comparing said service request information against a whitelist or blacklist database to provide compared computed service request information and compared computed cryptographic signature; and
digitally signing the service request information only if said compared computed service request information and compared computed cryptographic signature are contained in said whitelist, and not contained in said blacklist.
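The broker/agent/guard flow of claims 1 and 18 (the broker checks the application against its whitelist and blacklist and signs the intercepted traffic, the agent attaches the token, the guard tests the token, strips it and forwards only the original traffic), as an added Python example that is not part of the patent. It assumes a shared HMAC-SHA256 key standing in for the patent's unspecified signature scheme, a JSON envelope for attaching the token, and constructed application names and whitelist/blacklist entries.

```python
import hashlib
import hmac
import json

# Constructed demo values (not from the patent): a shared key standing in for the
# broker's signing key, and the broker's application whitelist/blacklist database.
BROKER_KEY = b"constructed-demo-broker-key"
APP_WHITELIST = {"payroll-client", "mail-client"}
APP_BLACKLIST = {"mail-client"}  # listed in both: blacklist wins, request is refused

def canonical(app_info: dict, traffic: bytes) -> bytes:
    """Deterministic bytes that the broker signs and the guard recomputes over."""
    return json.dumps(app_info, sort_keys=True).encode() + b"\n" + traffic

def broker_issue_token(app_info: dict, traffic: bytes):
    """Network token broker: decision technique (claim 18), then sign (claim 1 b)."""
    app = app_info.get("app")
    if app not in APP_WHITELIST or app in APP_BLACKLIST:
        return None  # not whitelisted, or blacklisted: no token is issued
    return hmac.new(BROKER_KEY, canonical(app_info, traffic), hashlib.sha256).hexdigest()

def agent_attach(app_info: dict, traffic: bytes, token) -> bytes:
    """Network client agent: attach the broker's token to the intercepted traffic."""
    return json.dumps({"app_info": app_info, "token": token, "traffic": traffic.hex()}).encode()

def guard_inspect(wrapped: bytes):
    """Guard: test token validity, strip the token, and return the original traffic
    to be forwarded; return None (reject) for anything unsigned, forged or tampered."""
    try:
        env = json.loads(wrapped)
        app_info, token, traffic = env["app_info"], env["token"], bytes.fromhex(env["traffic"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed envelope: reject
    expected = hmac.new(BROKER_KEY, canonical(app_info, traffic), hashlib.sha256).hexdigest()
    if not isinstance(token, str) or not hmac.compare_digest(token.encode(), expected.encode()):
        return None  # missing, forged, or traffic changed after signing: reject
    return traffic  # token stripped: traffic restored to its pre-interception state

if __name__ == "__main__":
    info = {"app": "payroll-client", "user": "alice"}
    tok = broker_issue_token(info, b"GET /payroll HTTP/1.1")
    print("forwarded:", guard_inspect(agent_attach(info, b"GET /payroll HTTP/1.1", tok)))
    print("tampered:", guard_inspect(agent_attach(info, b"GET /admin HTTP/1.1", tok)))
```

Because the signature covers both the application information and the traffic bytes, changing either after the token is issued makes the guard reject the request.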
Specification