Secure end-to-end communication system

US 9,374,344 B1
Filed: 03/19/2014
Issued: 06/21/2016
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving first data from an internal network of a first data source;

loading, by a key manager, a first set of keys into a first security device associated with the first data source;

encrypting the first data with the first set of keys using the first security device;

receiving, by transport network equipment from the first security device, the encrypted first data;

sending, by the transport network equipment, over an external network, the encrypted first data to an external site that stores data received from each of a plurality of data sources;

after the sending to the external site, requesting the encrypted first data from the external site;

in response to the requesting, receiving, by the transport network equipment, over the external network, the encrypted first data;

decrypting, by the first security device using the first set of keys, the received encrypted first data; and

providing, from the first security device, the decrypted first data to the internal network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure end-to-end communication system is implemented via one or more security processing devices. In one embodiment, a method includes: loading, by a key manager, a first set of keys into a security device; encrypting first data with the first set of keys using the security device; and sending, over a network, the encrypted first data to an external site or a mobile device. The method may further include: requesting the encrypted data from the external site or mobile device; receiving, over the network, the encrypted first data; and decrypting the received encrypted first data with the first set of keys using the security device.

63 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving first data from an internal network of a first data source;
  
  loading, by a key manager, a first set of keys into a first security device associated with the first data source;
  
  encrypting the first data with the first set of keys using the first security device;
  
  receiving, by transport network equipment from the first security device, the encrypted first data;
  
  sending, by the transport network equipment, over an external network, the encrypted first data to an external site that stores data received from each of a plurality of data sources;
  
  after the sending to the external site, requesting the encrypted first data from the external site;
  
  in response to the requesting, receiving, by the transport network equipment, over the external network, the encrypted first data;
  
  decrypting, by the first security device using the first set of keys, the received encrypted first data; and
  
  providing, from the first security device, the decrypted first data to the internal network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the external site is a data center, a storage site, or a computing site.
  - 3. The method of claim 2, wherein the external site is a computing site, a user controls the key manager, and the computing site is a site of the user.
  - 4. The method of claim 3, wherein the first security device is a first network security device, and the method further comprising:
    - receiving, over the network by the computing site, the encrypted first data; and
      
      decrypting the received first data with the first set of keys using a second network security device.
  - 5. The method of claim 4, further comprising loading, by the key manager, the first set of keys into the second network security device.
  - 6. The method of claim 1, wherein the first security device is a first storage security device that receives data to be encrypted from a first data storage, and the method further comprising:
    - receiving, over the network at the external site, the encrypted first data;
      
      storing the encrypted first data in a second data storage at the external site; and
      
      after the storing of the encrypted first data in the second data storage, accessing the encrypted first data by decrypting the first data using a second storage security device of the external site.
  - 7. The method of claim 6, further comprising loading, by the key manager, the first set of keys into the second storage security device.
  - 8. The method of claim 1, wherein the first set of keys comprises an encryption or decryption key, the encrypting or decrypting uses the encryption or decryption key, and the method further comprises obtaining the encryption or decryption key using network protocol information stored in the first security device, and information obtained from a header of at least one packet of the first data.

9. A method, comprising:
- loading, by a first key manager, a first set of keys into a first security device;
  
  decrypting, by the first security device using the first set of keys, first data obtained from a data storage;
  
  encrypting, by a second security device, the first data using a second set of keys;
  
  receiving, by transport network equipment from the second security device, the encrypted first data; and
  
  sending, by the transport network equipment, over an external network, the encrypted first data to an external site that stores data received from each of a plurality of data sources.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein the external site comprises a third security device configured to decrypt the first data using the second set of keys.
  - 11. The method of claim 10, wherein a key address is sent with the first data over the network, and the key address is for use by the external site in selecting the second set of keys when decrypting the first data.
  - 12. The method of claim 11, wherein an authentication code is sent with the first data over the external network, and the authentication code is used to authenticate the external site and verify that a proper key address is used when selecting the second set of keys.
  - 13. The method of claim 9, further comprising loading the second set of keys into the second security device using a second key manager.

14. A system, comprising:
- transport network equipment configured to communicate with an external site that stores encrypted data provided from each of a plurality of data sites, including a first data site;
  
  a security device, coupled to receive first data from an internal network of the first data site, the security device configured to;
  
  encrypt the first data with a first set of keys,provide the encrypted first data for sending by the transport network equipment over an external network for storage the external site,receive, via the transport network equipment, over the external network, the encrypted first data from the external site,decrypt, using the first set of keys, the received encrypted first data, andprovide the decrypted first data to the internal network; and
  
  a first key manager configured to load the first set of keys into the security device.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the first key manager is an external key manager and is further configured to select the first set of keys from a plurality of key sets, and to provide the first set of keys to the security device via an application programming interface.
  - 16. The system of claim 14, wherein the security device is a first security device, and the external site includes a second security device configured to receive, over the external network, the encrypted first data, and to decrypt the received data using the first set of keys.
  - 17. The system of claim 14, wherein the security device is a network security device, and the system further comprising a storage security device configured to decrypt the first data with a second set of keys after obtaining the first data from storage, and prior to the encrypting of the first data by the network security device.
  - 18. The system of claim 17, further comprising a second key manager configured to load the second set of keys into the storage security device.
  - 19. The system of claim 17, further comprising an application server configured to receive the decrypted first data from the storage security device, and to provide the first data to the network security device for encryption prior to the sending of the encrypted first data over the external network by the transport network equipment.
  - 20. The system of claim 14, wherein the first set of keys is a single key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Secturion Systems, Inc.
Original Assignee
Secturion Systems, Inc.
Inventors
Takahashi, Richard J.
Primary Examiner(s)
Nguyen, Thu Ha

Application Number

US14/219,651
Time in Patent Office

825 Days
Field of Search

713/168, 380/28, 380/286, 380/279
US Class Current

1/1
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0281   Proxies

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/08   Key distribution or managem...

H04L 9/14   using a plurality of keys o...

Secure end-to-end communication system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Secure end-to-end communication system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others