System and method for policy driven protection of remote computing environments

US 9,355,228 B2
Filed: 07/15/2013
Issued: 05/31/2016
Est. Priority Date: 07/13/2012
Status: Active Grant

First Claim

Patent Images

1. A method for securely producing a cryptographic session key, comprising:

establishing, by a transportable device comprising at least one processor and a plurality of sensors, a software agent network comprising a plurality of software agents networked together in a predetermined configuration according to a network definition file, wherein the transportable device, when deployed in a predetermined environment, contains encrypted sensitive information;

obtaining, by the transportable device, a plurality of examination results based on sensory information obtained from the plurality of sensors operating within the predetermined environment when deployed therein, wherein the sensory information comprises a combination of more than one of temperature, humidity, light, position, orientation, altitude, motion, speed, acceleration, biological information, and mission status, and wherein each software agent of the plurality of software agents conducts a review of a respective examination result of the plurality of examination results of the predetermined environment based on a plurality of predetermined sensory ranges, to obtain reviews of the plurality of examination results of the predetermined environment;

generating, by the transportable device, a plurality of encryption key fragments in response to the reviews of the plurality of examination results of the predetermined environment, wherein each encryption key fragment of the plurality of encryption key fragments is determined by a respective software agent of the plurality of software agents, based on the review of the respective examination result of the plurality of examination results of the predetermined environment;

combining, by the transportable device, the plurality of encryption key fragments based on the network definition file, to obtain a field-determined cryptographic session key;

responsive to the plurality of examination results of the predetermined environment falling within the plurality of sensory ranges, decrypting, by the transportable device, the encrypted sensitive information by way of the field-determined session key, to obtain a clear text version of the sensitive information at the transportable device; and

responsive to at least one of the plurality of examination results of the predetermined environment falling outside of the plurality of sensory ranges, preventing, by the transportable device, decryption of the encrypted sensitive information at the transportable device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system that incorporates teachings of the subject disclosure may include, for example, receiving multiple software agents and configuring a network of the multiple software agents according to a predetermined policy. The process can further include facilitating secure communications among software agents of the network of the multiple software agents according to the predetermined policy. A state of one of the system, a system environment within which the system operates, or a combination thereof can be determined, based on the secure communications among the software agents of the network of the multiple software agents. A computing environment can be facilitated conditionally on the state of the one of the system, the system environment, or the combination thereof, according to the predetermined policy to support a mission application. Other embodiments are disclosed.

Citations

18 Claims

1. A method for securely producing a cryptographic session key, comprising:
- establishing, by a transportable device comprising at least one processor and a plurality of sensors, a software agent network comprising a plurality of software agents networked together in a predetermined configuration according to a network definition file, wherein the transportable device, when deployed in a predetermined environment, contains encrypted sensitive information;
  
  obtaining, by the transportable device, a plurality of examination results based on sensory information obtained from the plurality of sensors operating within the predetermined environment when deployed therein, wherein the sensory information comprises a combination of more than one of temperature, humidity, light, position, orientation, altitude, motion, speed, acceleration, biological information, and mission status, and wherein each software agent of the plurality of software agents conducts a review of a respective examination result of the plurality of examination results of the predetermined environment based on a plurality of predetermined sensory ranges, to obtain reviews of the plurality of examination results of the predetermined environment;
  
  generating, by the transportable device, a plurality of encryption key fragments in response to the reviews of the plurality of examination results of the predetermined environment, wherein each encryption key fragment of the plurality of encryption key fragments is determined by a respective software agent of the plurality of software agents, based on the review of the respective examination result of the plurality of examination results of the predetermined environment;
  
  combining, by the transportable device, the plurality of encryption key fragments based on the network definition file, to obtain a field-determined cryptographic session key;
  
  responsive to the plurality of examination results of the predetermined environment falling within the plurality of sensory ranges, decrypting, by the transportable device, the encrypted sensitive information by way of the field-determined session key, to obtain a clear text version of the sensitive information at the transportable device; and
  
  responsive to at least one of the plurality of examination results of the predetermined environment falling outside of the plurality of sensory ranges, preventing, by the transportable device, decryption of the encrypted sensitive information at the transportable device.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11)
- - 4. The method of claim 1, wherein the encrypted sensitive information is decrypted by way of the field-determined cryptographic session key, responsive to the field-determined cryptographic session key being identical to a symmetric encryption key used to obtain the encrypted sensitive information prior to exposure of the transportable device to the predetermined environment, wherein no key exists at the transportable device to decrypt the encrypted sensitive information until the field-determined cryptographic session key is obtained.
  - 5. The method of claim 4, wherein the plurality of software agents, executing on more than one of the at least one processors, return the plurality of examination results of the predetermined environment, and wherein the field-determined cryptographic session key differs from the symmetric encryption key, responsive to an examination result of the plurality of examination results falling within a predetermined unacceptable range.
  - 6. The method of claim 5, wherein the symmetric encryption key is determined before the transportable device is deployed to the predetermined environment, wherein the symmetric key is used to encrypt the sensitive information is determined before the transportable device is deployed to the predetermined environment, and wherein the encrypted sensitive information is transferred to the transportable device before the transportable device is deployed to the predetermined environment.
  - 7. The method of claim 4, wherein the plurality of software agents return the reviews of the plurality of examination results of the predetermined environment, and wherein the field-determined cryptographic session key matches the symmetric encryption key based on each examination result of the plurality of examination results of the predetermined environment falling within a predetermined acceptable range.
  - 8. The method of claim 7, wherein the symmetric encryption key is determined based on a plurality of examinations of a secure environment, wherein the plurality of examinations of the secure environment produce a plurality of examination results that fall within a plurality of predetermined acceptable ranges.
  - 9. The method of claim 8, responsive to the predetermined acceptable ranges of the predetermined environment not being available within the secure the environment, applying software functions within the secure environment that produce a correct symmetric encryption key expected in the predetermined environment.
  - 10. The method of claim 1, wherein the sensory information comprises a status of a process executing on the processor of the transportable device, a status of at least one software agent of the plurality of software agents, and a combination thereof.
  - 11. The method of claim 1, wherein the transportable device comprises one of a shipping container, equipment of a soldier, a vehicle, a piloted airplane, a drone, an ordinance, and equipment of a pass holder.

2. A deployable system, comprising:
- a plurality of sensors;
  
  a memory to store instructions; and
  
  at least one processor in communication with the memory, wherein the at least one processor, responsive to executing the instructions, performs operations that securely produce a session key, comprising;
  
  configuring a software agent network comprising a plurality of software agents based on a network definition file, wherein the deployable system, when deployed in a predetermined environment, contains encrypted sensitive information;
  
  obtaining sensory information from the plurality of sensors operating within the predetermined environment when deployed therein, wherein the sensory information comprises a combination of more than one of temperature, humidity, light, position, orientation, altitude, motion, speed, acceleration, biological information, and mission status;
  
  conducting a plurality of examinations of the predetermined environment when deployed therein based on the sensory information, to obtain a plurality of examination results, wherein each software agent of the plurality of software agents conducts a review of a respective examination result of the plurality of examination results of the predetermined environment based on a respective range of a plurality of sensory ranges, to obtain reviews of the plurality of examination results;
  
  generating a plurality of encryption key fragments in response to the reviews of the plurality of examination results of the predetermined environment, wherein each encryption key fragment of the plurality of encryption key fragments is determined by a respective software agent of the plurality of software agents, based on the review of the respective examination result of the plurality of examination results of the predetermined environment;
  
  assembling the plurality of encryption key fragments, to obtain a field-determined cryptographic session key;
  
  responsive to the plurality of examination results of the predetermined environment falling within the plurality of sensory ranges, decrypting the encrypted sensitive information by way of the field-determined cryptographic session key, to obtain a clear text version of the sensitive information; and
  
  responsive to at least one of the plurality of examination results of the predetermined environment falling outside of the plurality of sensory ranges, preventing decryption of the encrypted sensitive information.
- View Dependent Claims (12, 13, 14)
- - 12. The deployable system of claim 2, wherein the encrypted sensitive information is decrypted by way of the field-determined cryptographic session key, responsive to the field-determined cryptographic session key being equivalent to a symmetric encryption key used to obtain the encrypted sensitive information, wherein no key exists at the deployable system to decrypt the encrypted sensitive information until the field-determined cryptographic session key is obtained.
  - 13. The deployable system of claim 12, wherein the plurality of software agents, running on more than one of the at least one processor, return the plurality of examination results of the predetermined environment, and wherein the field-determined cryptographic session key fails to match the symmetric encryption key based on an examination result of the plurality of examination results falling within a predetermined unacceptable range.
  - 14. The deployable system of claim 13, wherein the symmetric encryption key is determined before the deployable system is deployed to the predetermined environment, wherein the symmetric key is used to encrypt the sensitive information before the deployable system is deployed to the predetermined environment, and wherein the encrypted sensitive information is transferred to the deployable system before the deployable system is deployed to the predetermined environment.

3. A machine readable storage device, comprising executable instructions that when executed by at least one processor of a deployable asset comprising a plurality of sensors, cause the at least one processor to facilitate operations that securely produce session key comprising:
- configuring a software agent network comprising a plurality of software agents, wherein the deployable asset, when deployed in a field environment, contains encrypted sensitive information;
  
  obtaining sensory information from the plurality of sensors operating within the field environment when deployed therein, wherein the sensory information comprises a combination of more than one of temperature, humidity, light, position, orientation, altitude, motion, speed, acceleration, biological information, and mission status;
  
  performing a plurality of examinations of the field environment when deployed therein based on the sensory information, to obtain a plurality of examination results, wherein each software agent of the plurality of software agents conducts a review of a respective examination result of the plurality of examination results of the field environment based on a respective range of a plurality of sensory ranges, to obtain reviews of the plurality of examination results;
  
  generating a plurality of encryption key fragments in response to the reviews of the plurality of examination results of the field environment, wherein each encryption key fragment of the plurality of encryption key fragments is determined by a respective software agent of the plurality of software agents, based on the review of the respective examination result of the plurality of examination results of the field environment;
  
  combining the plurality of encryption key fragments, to obtain a field-determined session key;
  
  responsive to the plurality of examination results of the field environment falling within the plurality of sensory ranges, decrypting, by the deployable asset, the encrypted sensitive information by way of the field-determined session key, to obtain a clear text version of the sensitive information at the deployable asset and within the field environment; and
  
  responsive to at least one of the plurality of examination results of the field environment falling outside of the plurality of sensory ranges, preventing decryption of the encrypted sensitive information.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The machine readable storage device of claim 3, wherein the encrypted sensitive information is decrypted by way of the field-determined session key, responsive to the field-determined session key matching a previously determined symmetric encryption key used to obtain the encrypted sensitive information, and wherein the previously determined symmetric encryption key is unavailable on the deployed asset, and wherein the field-determined session key, as a combination of the plurality of encryption key fragments, is only obtainable by way of the plurality of examinations of the field environment.
  - 16. The machine readable storage device of claim 15, wherein the plurality of software agents return the reviews of the plurality of examination results of the field environment, and wherein the field-determined session key matches the symmetric encryption key based on each examination result of the plurality of examination results falling within a predetermined acceptable range.
  - 17. The machine readable storage device of claim 16, wherein the symmetric encryption key is determined based on a plurality of examinations of a secure environment, wherein the plurality of examinations of the secure environment produce a plurality of examination results that fall within a plurality of predetermined acceptable ranges.
  - 18. The machine readable storage device of claim 17 responsive to the predetermined acceptable ranges of the field environment not being available within the secure the environment, applying software functions within the secure environment that produce a correct symmetric encryption key expected in the field environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ANGEL Secure Networks, Inc.
Original Assignee
ANGEL Secure Networks, Inc.
Inventors
Smith, Fred Hewitt III, Smith, Cynthia, Smith, Benjamin, Sabin, Daniel
Primary Examiner(s)
Shaw, Yin-Chen
Assistant Examiner(s)
DHRUV, DARSHAN I

Application Number

US13/942,319
Publication Number

US 20140020049A1
Time in Patent Office

1,051 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/121   Restricting unauthorised ex...

G06F 21/554   involving event detection a...

G06F 8/65   Updates security arrangemen...

H04L 2209/80   Wireless

H04L 2209/84   Vehicles

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/20   for managing network securi...

H04L 9/0861   Generation of secret inform...

H04W 12/02   Protecting privacy or anony...

H04W 12/033   of the user plane, e.g. use...

H04W 12/04   Key management, e.g. using ...

H04W 12/35   Protecting application or s...

System and method for policy driven protection of remote computing environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for policy driven protection of remote computing environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links