Validating network communications

US 9,130,937 B1
Filed: 03/07/2011
Issued: 09/08/2015
Est. Priority Date: 03/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a message at a first network interface of a first node, the first node comprising;

a first network interface for communicating with a first network, the first network comprising a first security level, the first security level being a governmental security level defined in accordance with a governmental agency certification process; and

a second network interface for communicating with a second network, the second network comprising a second security level different than the first security level, wherein an enclave associated with the first security level is implemented using a protocol for secret or classified information and an enclave associated with the second security level is implemented using a protocol for non-classified information;

determining a set of expected tokens in response to analyzing the message at the first node;

determining an expected order of tokens in response to analyzing the message at the first node;

accessing a plurality of tokens generated prior to the first node receiving the message, each of the plurality of tokens indicating that a respective policy service of a plurality of policy services has been performed on the message, wherein a respective token of the plurality of tokens indicates a result of applying the respective policy service to the message, and wherein each token of the expected set of tokens is associated with the respective policy service of the plurality of policy services;

generating a plurality of decrypted tokens from the plurality of tokens using a first parameter associated with the plurality of policy services;

validating the decrypted tokens by comparing the decrypted tokens to the set of expected tokens and verifying that the policy services associated with the expected set of tokens have been applied to the message;

determining whether the decrypted tokens are in the expected order, wherein the expected order includes an order in which the plurality of policy services were to be applied to the message;

generating an approval in response to validating the decrypted tokens and determining that the decrypted tokens are in the expected order; and

sending the message through the second network interface to the second network, the message comprising the approval.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In certain embodiments, a method includes receiving a message at a first network interface of a first node. The first network interface communicates with a first network while a second network interface communicates with a second network. The method includes determining a set of expected tokens and an expected order of tokens. A plurality of tokens are accessed that were generated for the message, each of the plurality of tokens associated with a policy service of a plurality of policy services. The method includes generating a plurality of decrypted tokens from the plurality of tokens using a first parameter associated with the plurality of policy services and validating the decrypted tokens by comparing the decrypted tokens to the set of expected tokens. In response to validating the decrypted tokens and determining that the decrypted tokens are in the expected order, an approval is generated.

62 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving a message at a first network interface of a first node, the first node comprising;
  
  a first network interface for communicating with a first network, the first network comprising a first security level, the first security level being a governmental security level defined in accordance with a governmental agency certification process; and
  
  a second network interface for communicating with a second network, the second network comprising a second security level different than the first security level, wherein an enclave associated with the first security level is implemented using a protocol for secret or classified information and an enclave associated with the second security level is implemented using a protocol for non-classified information;
  
  determining a set of expected tokens in response to analyzing the message at the first node;
  
  determining an expected order of tokens in response to analyzing the message at the first node;
  
  accessing a plurality of tokens generated prior to the first node receiving the message, each of the plurality of tokens indicating that a respective policy service of a plurality of policy services has been performed on the message, wherein a respective token of the plurality of tokens indicates a result of applying the respective policy service to the message, and wherein each token of the expected set of tokens is associated with the respective policy service of the plurality of policy services;
  
  generating a plurality of decrypted tokens from the plurality of tokens using a first parameter associated with the plurality of policy services;
  
  validating the decrypted tokens by comparing the decrypted tokens to the set of expected tokens and verifying that the policy services associated with the expected set of tokens have been applied to the message;
  
  determining whether the decrypted tokens are in the expected order, wherein the expected order includes an order in which the plurality of policy services were to be applied to the message;
  
  generating an approval in response to validating the decrypted tokens and determining that the decrypted tokens are in the expected order; and
  
  sending the message through the second network interface to the second network, the message comprising the approval.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the first node comprises a guard.
  - 3. The method of claim 1, further comprising:
    - accessing at least one policy in response to receiving the message at the first node; and
      
      wherein the set of expected tokens is determined by comparing the at least one policy to the message.
  - 4. The method of claim 1, further comprising removing the plurality of tokens from the message in response to validating the plurality of decrypted tokens.
  - 5. The method of claim 1, wherein:
    - the plurality of tokens are generated by a set of service nodes and not by the first node;
      
      the plurality of tokens comprises a chain of hashes generated by the set of service nodes; and
      
      validating the decrypted tokens further comprises validating the chain of hashes.
  - 6. The method of claim 1, wherein the plurality of tokens comprises a cryptographic hash of the message.

7. An apparatus comprising:
- a first network interface for communicating with a first network, the first network comprising a first security level, the first security level being a governmental security level defined in accordance with a governmental agency certification process;
  
  a second network interface for communicating with a second network, the second network comprising a second security level different than the first security level, wherein an enclave associated with the first security level implemented using a protocol for secret or classified information and an enclave associated with the second security level is implemented using a protocol for non-classified information;
  
  at least one processor;
  
  wherein the first network interface is configured to receive a message;
  
  wherein the at least one processor is configured to;
  
  determine a set of expected tokens in response to analyzing the message;
  
  determine an expected order of tokens in response to analyzing the message;
  
  access a plurality of tokens generated for the message, each of the plurality of tokens indicating that a respective policy service of a plurality of policy services has been performed on the message, wherein a respective token of the plurality of tokens indicates a result of applying the respective policy service to the message, and wherein each token of the expected set of tokens is associated with the respective policy service of the plurality of policy services;
  
  generate a plurality of decrypted tokens from the plurality of tokens using a first parameter associated with the plurality of policy services;
  
  validate the decrypted tokens by comparing the decrypted tokens to the set of expected tokens and verifying that the policy services associated with the expected set of tokens have been applied to the message;
  
  determine whether the decrypted tokens are in the expected order, wherein the expected order includes an order in which the plurality of policy services were to be applied to the message; and
  
  generate an approval in response to validating the decrypted tokens and determining that the decrypted tokens are in the expected order; and
  
  wherein the second network interface is configured to send the message through the second network interface to the second network, the message comprising the approval.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the apparatus is a guard.
  - 9. The apparatus of claim 7, wherein the at least one processor is further configured to:
    - access at least one policy in response to receiving the message at the first network interface; and
      
      wherein the set of expected tokens is determined by comparing the at least one policy to the message.
  - 10. The apparatus of claim 7, wherein:
    - the first network interface is configured to receive the message by receiving an encrypted package comprising the message and the plurality of tokens; and
      
      the at least one processor is further configured to remove the plurality of tokens from the message in response to validating the plurality of decrypted tokens.
  - 11. The apparatus of claim 7, wherein:
    - the plurality of tokens are generated by a set of service nodes and not by the first node;
      
      the plurality of tokens comprises a chain of hashes generated by the set of service nodes; and
      
      validating the decrypted tokens further comprises validating the chain of hashes.
  - 12. The apparatus of claim 7, wherein the plurality of tokens comprises a cryptographic hash of the message.

13. At least one computer-readable non-transitory medium comprising instructions that, when executed by at least one processor, are configured to:
- determine a set of expected tokens in response to analyzing a message at a first node, the message received at a first network interface of the first node, the first node comprising;
  
  the first network interface for communicating with a first network, the first network comprising a first security level, the first security level being a governmental security level defined in accordance with a governmental agency certification process; and
  
  a second network interface for communicating with a second network, the second network comprising a second security level different than the first security level, wherein an enclave associated with the first security level is implemented using a protocol for secret or classified information and an enclave associated with the second security level is implemented using a protocol for non-classified information;
  
  determine an expected order of tokens in response to analyzing the message at the first node;
  
  access a plurality of tokens generated prior to the first node receiving the message, each of the plurality of tokens indicating that a respective policy service of a plurality of policy services has been performed on the message, wherein a respective token of the plurality of tokens indicates a result of applying the respective policy service to the message, and wherein each token of the expected set of tokens is associated with the respective policy service of the plurality of policy services;
  
  generate a plurality of decrypted tokens from the plurality of tokens using a first parameter associated with the plurality of policy services;
  
  validate the decrypted tokens by comparing the decrypted tokens to the set of expected tokens and verifying that the policy services associated with the expected set of tokens have been applied to the message;
  
  determine whether the decrypted tokens are in the expected order, wherein the expected order includes an order in which the plurality of policy services were to be applied to the message;
  
  generate an approval in response to validating the decrypted tokens and determining that the decrypted tokens are in the expected order; and
  
  send the message through the second network interface to the second network, the message comprising the approval.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The at least one computer-readable non-transitory medium of claim 13, wherein the first node comprises a guard.
  - 15. The at least one computer-readable non-transitory medium of claim 13, wherein the instructions are further configured to:
    - access at least one policy in response to receiving the message at the first node; and
      
      wherein the set of expected tokens is determined by comparing the at least one policy to the message.
  - 16. The at least one computer-readable non-transitory medium of claim 13, wherein:
    - accessing the plurality of tokens comprises accessing an encrypted package comprising the message and the plurality of tokens; and
      
      the instructions are further configured to remove the plurality of tokens from the message in response to validating the plurality of decrypted tokens.
  - 17. The at least one computer-readable non-transitory medium of claim 13, wherein:
    - the plurality of tokens are generated by a set of service nodes and not by the first node;
      
      the plurality of tokens comprises a chain of hashes generated by the set of service nodes; and
      
      validating the decrypted tokens further comprises validating the chain of hashes.
  - 18. The at least one computer-readable non-transitory medium of claim 13, wherein the plurality of tokens comprises a cryptographic hash of the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Raytheon Company (Rtx Corporation)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Ostermann, Jason E., Bieda, Teresa M., Hicks, Matthew J., Huch, Alan T., Ernst, Richard J., Richard, Shelli J.
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
JHAVERI, JAYESH M

Application Number

US13/042,300
Time in Patent Office

1,646 Days
Field of Search

726/1, 726/22, 726/26, 713/161, 713/170, 713179-181, 380/28
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06F 21/60   Protecting data

H04L 12/417   with deterministic access, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/108   when the policy decisions a...

H04L 63/12   Applying verification of th...

H04L 63/16   Implementing security featu...

H04L 63/168   above the transport layer

Validating network communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Validating network communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others