Dynamic trust session

US 9,092,427 B2
Filed: 07/31/2012
Issued: 07/28/2015
Est. Priority Date: 06/08/2012
Status: Active Grant

First Claim

Patent Images

1. A network communication system in a network comprising:

a first electronic device of the network; and

a second electronic device of the network, the first electronic device configured to transmit a connection-request to the network to begin a session, the connection-request being authenticated by the second electronic device, and then the second electronic device configured to transmit a session-request in response to the connection-request to the network, and the session-request being reverse-authenticated by the first electronic device, based upon at least one redirector-pattern formed by the session-request, by comparing the at least one redirector-pattern to an expected value of the at least one redirector-pattern,wherein the at least one redirector-director pattern includes identification information of at least two entities of the network that the session-request traversed between the second electronic device and the first electronic device,the first electronic device comprises;

first authenticator circuitry configured to reverse-authenticate the session-request; and

first session manager circuitry configured to wait to receive a tunnel-request corresponding to the session-request, andthe first session manager circuitry is configured to;

authenticate the tunnel-request,record tunnel-parameters, andtransmit communication data through a tunnel based on the tunnel-parameters.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure session of communication between two entities in a network is disclosed. Using client-server terminology, a client sends a connection-request to a server that authenticates the connection-request and transmits a session-request to the client in response. The client reverse-authenticates the session-request and then passively waits to receive a tunnel-request transmitted by the server. The tunnel-request sets up one or more overlapping tunnels between the client and the server to support the desired communications. Each of the tunnels exists only for a specified time and is replaced by another tunnel that is set up after a selected time delay after the start of a previous tunnel.

61 Citations

View as Search Results

19 Claims

1. A network communication system in a network comprising:
- a first electronic device of the network; and
  
  a second electronic device of the network, the first electronic device configured to transmit a connection-request to the network to begin a session, the connection-request being authenticated by the second electronic device, and then the second electronic device configured to transmit a session-request in response to the connection-request to the network, and the session-request being reverse-authenticated by the first electronic device, based upon at least one redirector-pattern formed by the session-request, by comparing the at least one redirector-pattern to an expected value of the at least one redirector-pattern,wherein the at least one redirector-director pattern includes identification information of at least two entities of the network that the session-request traversed between the second electronic device and the first electronic device,the first electronic device comprises;
  
  first authenticator circuitry configured to reverse-authenticate the session-request; and
  
  first session manager circuitry configured to wait to receive a tunnel-request corresponding to the session-request, andthe first session manager circuitry is configured to;
  
  authenticate the tunnel-request,record tunnel-parameters, andtransmit communication data through a tunnel based on the tunnel-parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19)
- - 2. The system of claim 1, whereinthe second electronic device is configured to transmit the tunnel-request through the network;
    - andthe first electronic device is configured to form the with the second electronic device in response to the tunnel-request, the tunnel forming a communication path for the session.
  - 3. The system of claim 2 further comprising:
    - at least one memory configured to store;
      
      one or more session time durations;
      
      one or more geographical regions; and
      
      a correspondence between the session time durations and the geographical regions,wherein the second electronic device is configured to select a session time duration for a geographical region based on the correspondence.
  - 4. The system of claim 2, whereinthe second electronic device is configured to select a tunnel time duration for the tunnel based on a geographical region, andthe second electronic device is configured to select a tunnel delay time for each of one or more subsequent tunnels resulting in two tunnels having an overlap in time.
  - 5. The system of claim 1, wherein the tunnel-parameters includes one or more tunnel times, one or more time delays for starting a new tunnel, a tunnel-identity, one or more identifications of encryption algorithms, and one or more identifications of communication protocols.
  - 6. The system of claim 1, wherein the second electronic device comprises:
    - second authenticator circuitry configured to authenticate the connection-request; and
      
      second session manager circuitry configured to select session-parameters, generate the session-request based on the session-parameters, and transmit the session-request to the network.
  - 7. The system of claim 6, wherein the second session manager circuitry is configured to:
    - generate the tunnel-parameters based on the session-parameters, the tunnel-request including authentication credentials, and tunnel-parameters that include a tunnel-identity, one or more identifications of encryption algorithms, and one or more identifications of communication protocols; and
      
      transmit the tunnel-request to the network.
  - 8. The system of claim 7, wherein the second session manager circuitry is configured to:
    - generate one or more subsequent tunnel-requests based on the session-parameters; and
      
      transmit the subsequent tunnel-request at a time that results in an overlap between two tunnels between the first and second entities.
  - 9. The system of claim 1 further comprising a plurality of third electronic devices, wherein at least one third electronic device of the plurality of third electronic devices is configured to:
    - receive the session-request;
      
      authenticate the session-request; and
      
      transmit a modified session-request to the network.
  - 10. The system of claim 9, wherein the at least one third electronic device is configured to:
    - receive the tunnel-request;
      
      authenticate the tunnel-request;
      
      record the tunnel-parameters if the tunnel-request is authenticated, the tunnel-parameters including a tunnel-identity;
      
      receive a communication that identifies a valid tunnel-identity; and
      
      transmit the communication based on tunnel-parameters corresponding to the tunnel-identity without further authentication.
  - 11. The system of claim 1 further comprising:
    - means for generating a session-request;
      
      means for reverse-authenticating the session-request;
      
      means for setting up one or more tunnels between the first and second entities using one or more tunnel-requests, wherein if two or more tunnels are generated, at least two tunnels overlap in time; and
      
      means for communication between the first and second entities using tunnels that are set up by the means for setting up one or more tunnels.
  - 19. The system of claim 1, wherein the at least one redirector-pattern includes at least two different redirector-patterns formed by the session-request.

12. A method for communication in a network comprising:
- transmitting a connection-request by a first electronic device to the network;
  
  authenticating the connection-request in a second electronic device;
  
  transmitting a session-request by the second electronic device to the network;
  
  reverse-authenticating the session-request in the first electronic device, based upon at least one redirector-pattern formed by the session-request, by comparing the at least one redirector-pattern to an expected value of the at least one redirector-pattern;
  
  waiting to receive one or more tunnel-requests corresponding to the session-request;
  
  authenticating the tunnel-request;
  
  recording tunnel-parameters; and
  
  transmitting communication data through a tunnel based on the tunnel-parameters,wherein the at least one redirector-director pattern includes identification information of at least two entities of the network that the session-request traversed between the second electronic device and the first electronic device.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, further comprising:
    - selecting session-parameters in the second electronic device;
      
      generating the one or more tunnel-requests based on the session-parameters at the second electronic device; and
      
      transmitting the one or more tunnel-requests to the network by the second electronic device to set up tunnels including the tunnel for communication between the first and second electronic devices.
  - 14. The method of claim 13 further comprising:
    - determining one or more session times, one or more tunnel times, and one or more time delays for starting new tunnels based on geographical location information; and
      
      incorporating the session times, tunnel times and time delays in the session-parameters.
  - 15. The method of claim 12 further comprising:
    - recording the tunnel-parameters based on the tunnel-request.
  - 16. The method of claim 15, further comprising:
    - continuing communication between the first and second entities using a first tunnel;
      
      receiving indication that a second tunnel has been set up;
      
      steering all new communications between the first and second entities to the second tunnel; and
      
      deleting the first tunnel after all communications already started using the first tunnel are completed.
  - 17. The method of claim 12 further comprising:
    - receiving the session-request in a third electronic device;
      
      authenticating the session-request in the third electronic device; and
      
      transmitting a modified session-request to the network.
  - 18. The method of claim 17, further comprising:
    - receiving the one or more tunnel-requests in the third electronic device;
      
      authenticating the one or more tunnel-requests in the third electronic device;
      
      recording the tunnel-parameters in the third electronic device if the one or more tunnel-requests is authenticated, the tunnel-parameters including a tunnel-identity;
      
      receiving a communication in the third electronic device that identifies a valid tunnel-identity; and
      
      transmitting the communication based on tunnel-parameters corresponding to the tunnel-identity without further authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Mackler, Russell T.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
BROWN, DE'MARIS R

Application Number

US13/563,000
Publication Number

US 20140040984A1
Time in Patent Office

1,092 Days
Field of Search

726/3
US Class Current

1/1
CPC Class Codes

G06F 11/28   by checking the correct ord...

G06F 21/00   Security arrangements for p...

G06F 21/44   Program or device authentic...

G06F 21/445   by mutual authentication, e...

G06F 2211/003   Mutual Authentication Bi-Di...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/108   when the policy decisions a...

H04L 63/18   using different networks or...

H04L 63/205   involving negotiation or de...

Dynamic trust session

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic trust session

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links