Methods and systems for managing concurrent unsecured and cryptographically secure communications across unsecured networks

US 9,525,666 B2
Filed: 05/11/2011
Issued: 12/20/2016
Est. Priority Date: 01/31/2005
Status: Active Grant

First Claim

Patent Images

1. An endpoint comprising:

a computing system including a programmable circuit operatively connected to a memory and a communication interface, the communication interface configured to send and receive data packets via a data communications network;

a filter defined in the memory of the computing system, the filter configured to define one or more access lists, each access list defining a group of access permissions for a community of interest, wherein the community of interest includes one or more users, and wherein an access list from among the one or more access lists defines a set of clear text access permissions associated with a community of interest; and

a driver executable by the programmable circuit, the driver configured to cooperate with the communication interface to send and receive data packets via the data communications network, the driver configured to selectively split and encrypt a data packet into a plurality of data packets based at least in part upon the contents of the one or more access lists, the driver further configured to effectuate transmission of the split and encrypted data packet through transmission of the plurality data packets;

wherein the driver encrypts the data packets using a community-of-interest specific encryption key associated with the community of interest as identified upon the access list.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An endpoint, method, and authorization server are disclosed which can be used to allow concurrent secure and clear text communication. An endpoint includes a computing system including a programmable circuit operatively connected to a memory and a communication interface, the communication interface configured to send and receive data packets via a data communications network. The endpoint also includes a filter defined in the memory of the computing system, the filter configured to define one or more access lists, each access list defining a group of access permissions for a community of interest. The community of interest includes one or more users, and an access list from among the one or more access lists defines a set of clear text access permissions associated with a community of interest. The endpoint also includes a driver executable by the programmable circuit, the driver configured to cooperate with the communication interface to send and receive data packets via the data communications network. The driver is also configured to selectively split and encrypt data into a plurality of data packets to be transmitted via the data communications network based at least in part upon the contents of the one or more access lists.

14 Citations

21 Claims

1. An endpoint comprising:
- a computing system including a programmable circuit operatively connected to a memory and a communication interface, the communication interface configured to send and receive data packets via a data communications network;
  
  a filter defined in the memory of the computing system, the filter configured to define one or more access lists, each access list defining a group of access permissions for a community of interest, wherein the community of interest includes one or more users, and wherein an access list from among the one or more access lists defines a set of clear text access permissions associated with a community of interest; and
  
  a driver executable by the programmable circuit, the driver configured to cooperate with the communication interface to send and receive data packets via the data communications network, the driver configured to selectively split and encrypt a data packet into a plurality of data packets based at least in part upon the contents of the one or more access lists, the driver further configured to effectuate transmission of the split and encrypted data packet through transmission of the plurality data packets;
  
  wherein the driver encrypts the data packets using a community-of-interest specific encryption key associated with the community of interest as identified upon the access list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The endpoint of claim 1, further comprising virtual private network software stored in the memory and configured to connect to a second endpoint using a dedicated secure tunnel established between the endpoint and the second endpoint, wherein the second endpoint is listed in the access list defining a set of access permissions.
  - 3. The endpoint of claim 1, wherein each access list defines a group of access permissions for a plurality of different communities of interest.
  - 4. The endpoint of claim 1, wherein the driver is configured to pass a data packet containing clear text data to the communication interface only upon determining that a destination defined in the data packet is granted a clear text access permission in at least one of the one or more access lists.
  - 5. The endpoint of claim 1, wherein the set of clear text access permissions includes a list of one or more network destinations incapable of decrypting and combining the split and encrypted data.
  - 6. The endpoint of claim 1, wherein the one or more network destinations include network destinations selected from the group consisting of:
    - a second endpoint;
      
      a subnet; and
      
      a gateway for a virtual private network.
  - 7. The endpoint of claim 1, wherein the set of clear text access permissions includes a list of one or more endpoints capable of decrypting and combining the split and encrypted data, and wherein the driver is configured to prevent transmission of clear text data from the endpoint to the one or more endpoints.
  - 8. The endpoint of claim 1, wherein the driver is further configured to the driver configured to decrypt and combine data received in one or more data frames at the communication interface to recreate a message for use at the endpoint.
  - 9. The endpoint of claim 8, wherein the driver is further configured to inspect the plurality of data packets, and, upon determining that the received data is from an authorized source, forward the message m the communication interface to one or more applications executing at the endpoint.
  - 10. The endpoint of claim 1, further comprising a monitoring application operable on the programmable circuit and configured to provide administrative access to information regarding the filter and operational status of the driver.

11. A computer-implemented method of authorizing an computer-based endpoint for use in a secure network, the method comprising:
- transmitting a request from the computer-based endpoint to authorize a user of the computer-based endpoint for operation on the secure network, the request including an identity of a user of the computer-based endpoint;
  
  receiving at the computer-based endpoint a set of one or more keys associated with communities of interest, the communities of interest defined to include the user;
  
  receiving at the computer-based endpoint one or more filters defining one or more access lists, wherein an access list from among the one or more access lists defines a set of clear text access permissions associated with a community of interest; and
  
  transmitting data packets from the computer-based endpoint to a network location, wherein the computer-based endpoint selectively splits and encrypts each data packet to be transmitted into a plurality of data packets based at least in part upon the contents of the one or more access lists, and wherein the computer-based endpoint transmits a split and encrypted data packet by transmitting the plurality of data packets split and encrypted from the data packet;
  
  wherein the computer-based endpoint encrypts the data packets using a community-of-interest specific encryption keys associated with the community of interest as identified upon the access list.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein transmitting the request comprises transmitting user credentials from the computer-based endpoint to an authorization server, the method further comprising:
    - receiving from the authorization server a filter configured to define one or more access lists, each access list defining a group of access permissions for a community of interest, and wherein a first access list from among the one or more access lists defines a set of clear text access permissions associated with a community of interest.
  - 13. The method of claim 11, wherein each access list defines a group of access permissions for one of the communities of interest including the user.
  - 14. The method of claim 11, wherein the first access list further defines a set of permissions associated with the community of interest used to require data transmitted to one or more network locations to be split and encrypted prior to transmission.
  - 15. The method of claim 11, wherein the filter received from the authorization server further defines a second access list defining a set of access permissions associated with a second community of interest.
  - 16. The method of claim 11, further comprising forming a first virtual network adapter configured to communicate clear text data and a second virtual network adapter configured to communicate split and encrypted data.
  - 17. The method of claim 11, further comprising forming a virtual private network connection between the computer-based endpoint and a network location, wherein the network location is included in the clear text access permissions of the access list.

18. An authorization system integrable into a secure network, the authorization system comprising:
- an authorization server including a programmable circuit communicatively connected to a memory;
  
  a provisioning utility executable on the programmable circuit, the provisioning utility including program instructions which, when executed, cause the authorization server to;
  
  in response to a request from an computer-based endpoint to authorize a user of the computer-based endpoint for operation on the secure network, determine a set of communities of interest associated with the user defined in the provisioning utility;
  
  respond to the request by sending to the endpoint a set of one or more keys, associated with communities of interest, the communities of interest defined to include the user;
  
  sending to the endpoint one or more filters defining one or more access lists, wherein an access list from among the one or more access lists defines a set of clear text access permissions associated with a community of interest; and
  
  receiving a plurality of data packets from the computer-based endpoint, the plurality of data packets representing a primary data packet and being selectively split and encrypted from the primary data packet based at least in part upon the contents of the one or more access lists;
  
  wherein the computer-based endpoint encrypts the data packets using a community-of-interest specific encryption keys associated with the community of interest as identified upon the access list.
- View Dependent Claims (19, 20, 21)
- - 19. The authorization system of claim 18, wherein the communities of interest associated with the user are defined in the provisioning utility by an authorization administrator.
  - 20. The authorization system of claim 18, further comprising a communication status application executing at the computer-based endpoint, wherein the communication status application provides information to an administrative user regarding use of the one or more filters at the computer-based endpoint.
  - 21. The authorization system of claim 18, further comprising a communication status application executing at a gateway appliance configured to route split and encrypted data between the computer-based endpoint and the secure network, the communication status application configurable to generate a tunnel status report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Inforzato, Sarah K., Hinaman, Ted, Johnson, Robert A.
Primary Examiner(s)
Tolentino, Roderick

Application Number

US13/105,130
Publication Number

US 20120084838A1
Time in Patent Office

2,050 Days
Field of Search

726 1- 10
US Class Current

1/1
CPC Class Codes

G06F 21/575   Secure boot

H04L 63/0428   wherein the data content is...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

Methods and systems for managing concurrent unsecured and cryptographically secure communications across unsecured networks

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for managing concurrent unsecured and cryptographically secure communications across unsecured networks

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links