Key encryption system, method, and network devices

US 9,584,485 B2
Filed: 12/20/2012
Issued: 02/28/2017
Est. Priority Date: 12/28/2011
Status: Active Grant

First Claim

Patent Images

1. In a system comprising at least one encryption device and at least one transport device, a method of controlling access to a first plurality of functions of the at least one encryption device and access to a second plurality of functions of the at least one transport device, the first plurality of functions comprising a function for controlling security of customer data transmitted across a network, the method comprising:

providing a customer with access to at least some functions of the first plurality of functions, the at least some of the first plurality of functions comprising said function for controlling security of customer data transmitted across a network;

providing a network service provider with restricted access to a subset of the first plurality of functions, the subset of the first plurality of functions comprising at least one of the first plurality of functions and excluding said function for controlling security of customer data transmitted across a network; and

,providing the network service provider with access to at least some functions of the second plurality of functions,wherein the providing a customer with access to at least some functions of the first plurality of functions comprises;

responsive to receiving first requests from users of the customer, providing first instructions intended for the at least one encryption device for controlling access to the at least some functions of the first plurality of functions;

wherein the providing a network service provider with restricted access to a subset of the first plurality of functions comprises;

responsive to receiving second request from users of the network service provider, providing second instructions intended for that at least one encryption device for controlling access to the subset of the first plurality of functions; and

,wherein the providing the network service provider with access to at least dome functions of the second plurality of functions comprises;

responsive to receiving third request from the users of the network service provider, providing third instruction intended for the at least one transport device for controlling access to the at least some functions of the second plurality of functions.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network includes encryption devices at customer sites and transport devices provide transport functionality for encrypted data for transmission across networks. A method of controlling access to a first plurality of functions of the encryption devices and access to a second plurality functions of the transport devices is disclosed. The method involves providing a customer with access to at least some of the first plurality of functions and providing a network service provider with access to at least some of the second plurality of functions. The method also involves providing the network service provider with restricted access to a first subset of the first plurality of functions and/or providing the network service provider with restricted access to a second subset of the second plurality of functions. This allows the customer and the service provider to share access to hardware resources such as the encryption devices and the transport devices.

19 Citations

26 Claims

1. In a system comprising at least one encryption device and at least one transport device, a method of controlling access to a first plurality of functions of the at least one encryption device and access to a second plurality of functions of the at least one transport device, the first plurality of functions comprising a function for controlling security of customer data transmitted across a network, the method comprising:
- providing a customer with access to at least some functions of the first plurality of functions, the at least some of the first plurality of functions comprising said function for controlling security of customer data transmitted across a network;
  
  providing a network service provider with restricted access to a subset of the first plurality of functions, the subset of the first plurality of functions comprising at least one of the first plurality of functions and excluding said function for controlling security of customer data transmitted across a network; and
  
  ,providing the network service provider with access to at least some functions of the second plurality of functions,wherein the providing a customer with access to at least some functions of the first plurality of functions comprises;
  
  responsive to receiving first requests from users of the customer, providing first instructions intended for the at least one encryption device for controlling access to the at least some functions of the first plurality of functions;
  
  wherein the providing a network service provider with restricted access to a subset of the first plurality of functions comprises;
  
  responsive to receiving second request from users of the network service provider, providing second instructions intended for that at least one encryption device for controlling access to the subset of the first plurality of functions; and
  
  ,wherein the providing the network service provider with access to at least dome functions of the second plurality of functions comprises;
  
  responsive to receiving third request from the users of the network service provider, providing third instruction intended for the at least one transport device for controlling access to the at least some functions of the second plurality of functions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method according to claim 1 wherein the providing a customer with access to at least some of the first plurality of functions comprises providing the customer with restricted access to an other subset of the first plurality of functions, the other subset of the first plurality of functions comprising fewer than all of the first plurality of functions.
  - 3. A method according to claim 2 wherein said other subset of the first plurality of functions is different than said subset of the first plurality of functions.
  - 4. A method according to claim 1 comprising:
    - providing the customer with restricted access to at least one of the second plurality of functions.
  - 5. A method according to claim 4 wherein the providing the network service provider with access to at least some of the second plurality of functions comprises providing the network service provider with restricted access to an other subset of the second plurality of functions, the other subset of the second plurality of functions comprising fewer than all of the second plurality of functions.
  - 6. A method according to claim 5 wherein said other subset of the second plurality of functions forms a first subset of the second plurality of functions and the at least one of the second plurality of functions forms a second subset of the second plurality of functions, the first subset and the second subset being different subsets.
  - 7. A method according to claim 1 comprising:
    - maintaining a database of user credentials of users of the service provider;
      
      conducting user authentication by comparing received user credentials with the user credentials of the users of the service provider in the database; and
      
      ,providing the users of the service provider with restricted access to said subset of the first plurality of functions based on said authentication.
  - 8. A method according to claim 1 wherein the customer and the service provider collectively own network elements, the network elements comprising the at least one encryption device and the at least one transport device and the method comprising:
    - using a proxy to service user instructions from the customer and the service provider for accessing the first plurality of functions and the second plurality of functions, the proxy having limited access to the network elements.
  - 9. A method according to claim 8 comprising:
    - limiting available protocols for use in accessing the network elements by the service provider and the customer.
  - 10. A method according to claim 8 wherein each of the at least one transport device comprises a plurality of ports, the method comprising:
    - limiting access by the customer to a restricted subset of the plurality of ports, the restricted subset of the plurality of ports comprising fewer than all of the plurality of ports.
  - 11. A method according to claim 8 wherein each of the at least one encryption device comprises a plurality of ports, the method comprising:
    - limiting access by the service provider to a restricted subset of the plurality of ports, the restricted subset of the plurality of ports comprising fewer than all of the plurality of ports.
  - 12. A method according to claim 8 wherein the network elements collectively comprise a plurality of ports, the method comprising:
    - storing the user instructions from the customer and the service provider in a database, each user instruction being intended for a respective network element of the network elements;
      
      limiting access by the customer and the service provider to a respective subset of the plurality of ports, each respective subset comprising fewer than all of the plurality of ports;
      
      accessing the user instructions from the database; and
      
      ,servicing the user instructions by sending the instructions over encrypted communications paths to the respective network elements.
  - 13. A method according to claim 12 wherein the servicing the user instructions comprises converting the user instructions to a format for execution by the respective network elements.
  - 14. A method according to claim 1 wherein the network comprises a topology having a plurality of point-to-point connections comprising respective two end points, the method comprising:
    - transmitting the customer data across the network through the point-to-point connections.
  - 15. A method according to claim 14 comprising decrypting the customer data, said decrypting being controlled by the customer.
  - 16. A method according to claim 14 wherein for each point-to-point connection the respective two end points each comprise encryption functionality and encryption management functionality implemented in a single device.
  - 17. A method according to claim 14 comprising:
    - providing a key roll function of encryption keys for each point to point connection.

18. In a system comprising at least one encryption device and at least one transport device, a method of controlling access to a first plurality of functions of the at least one encryption device and access to a second plurality of functions of the at least one transport device, the second plurality of functions comprising a transport function necessary for providing network service offered by a network service provider, the method comprising:
- providing a customer with access to at least some functions of the first plurality of functions;
  
  providing the customer with access to a subset of the second plurality of functions, the subset of the second plurality of functions comprising at least one of the second plurality of functions and excluding said transport function necessary for providing network service offered by a network service provider; and
  
  ,providing a network service provider with access to at least some functions of the second plurality of functions, the at least some functions of the second plurality of functions comprising said transport function necessary for providing network service offered by a network service provider,wherein the providing a customer with access to at least some functions of the first plurality of functions comprises;
  
  responsive to receiving first request from users of the customer, providing first instructions intended for the at least one encryption device for controlling access to the at least some functions of the first plurality of functions;
  
  wherein the providing the customer with access to a subset of the second plurality of functions comprises;
  
  responsive to receiving second request from the users of the customer, providing second instructions intended for the at least one transport device for controlling access to the subset of the second plurality of functions; and
  
  ,wherein the providing a network service provider with access to at least some of the second plurality of functions comprises;
  
  responsive to receiving third requests from users of the network service provider, providing third instructions intended for the at least one transport device for controlling access to the at least some functions of the second plurality of functions.
- View Dependent Claims (19)
- - 19. A method according to claim 18 comprising:
    - maintaining a database of user credentials of users of the customer;
      
      conducting user authentication by comparing received user credentials with the user credentials of the users of the customer in the database; and
      
      ,providing the users of the customer with restricted access to said subset of the second plurality of functions based on said authentication.

20. A network device for controlling access to a first plurality of functions of at least one encryption device and access to a second plurality functions of at least one transport device, the first plurality of functions comprising a function for controlling security of customer data transmitted across a network, the network device comprising:
- an encryption management unit for, responsive to receiving first requests from the users of a customer, providing first instructions intended for the at least one encryption device for controlling access to at least some functions of the first plurality of functions, the at least some of the first plurality of functions comprising said function for controlling security of customer data transmitted across a network and, responsive to receiving second requests from users of a network service provider, providing second instructions intended for the at least one encryption device for controlling access a subset of the first plurality of functions, the subset comprising at least one of the first plurality of functions and excluding said function for controlling security of customer data transmitted across a network; and
  
  ,a transport management unit for, responsive to receiving third requests from the users of the network service provider, providing third instructions intended for the at least one transport device for controlling access to at least some functions of the second plurality of functions; and
  
  ,a communications interface for receiving the first requests, the second requests, and the third requests and for transmitting the first instructions, the second instructions, and the third instructions.
- View Dependent Claims (21, 22)
- - 21. A network device according to claim 20 comprising:
    - a database for maintaining user credentials of the users of the service provider; and
      
      an authentication unit for conducting a user authentication by comparing user credentials received through the communications interface with the user credentials of the users of the service provider in the database and for providing the users of the service provider with restricted access to said subset of the first plurality of functions based on said user authentication.
  - 22. A network device according to claim 20 comprising:
    - a GUI (Graphical Interface) unit for providing a GUI to the network service provider, the GUI providing the users of the service provider with an interface for providing instructions for accessing the subset of the first plurality of functions.

23. A network device for controlling access to a first plurality of functions of at least one encryption device and access to a second plurality functions of at least one transport device, the second plurality functions comprising a transport function necessary for providing network service offered by a network service provider, the network device comprising:
- an encryption management unit for, responsive to receiving first requests from users of a customer, providing first instructions intended for the at least one encryption device for controlling access to at least some functions of the first plurality of functions; and
  
  ,a transport management unit for, responsive to receiving second requests from users of the network service provider, providing second instructions intended for the at least one transport device for controlling access to at least some of the second plurality of functions, the at least some of the second plurality of functions comprising said transport function necessary for providing network service offered by a network service provider and,responsive to receiving third requests from the users of the customer, providing third instructions intended for the at least one transport device for controlling access to a subset of the second plurality of functions, the subset comprising at least one of the second plurality of functions and excluding said transport function necessary for providing network service offered by a network service provider; and
  
  ,a communications interface for receiving the first requests, the second requests, and the third requests and for transmitting the first instructions, the second instructions, and the third instructions.
- View Dependent Claims (24, 25)
- - 24. A network device according to claim 23 comprising:
    - a database for maintaining user credentials of the users of the customer; and
      
      an authentication unit for conducting a user authentication by comparing user credentials received through the communications interface with the user credentials of the users of the customer in the database and for providing the users of the customer with restricted access to said subset of the second plurality of functions based on said user authentication.
  - 25. A network system according to claim 23 comprising:
    - a GUI (Graphical Interface) unit for providing a GUI to the customer, the GUI providing the users of the customer with an interface for providing instructions for accessing the subset of the second plurality of functions.

26. An article of manufacture comprising:
- a non-transitory computer usable medium having computer readable program code means embodied therein for controlling access to a first plurality of functions of at least one encryption device and access to a second plurality of functions of at least one transport device, the first plurality of functions comprising a function for controlling security of customer data transmitted across a network, the computer readable code means in said article of manufacture comprising;
  
  computer readable code means for providing a customer with access to at least some functions of the first plurality of functions;
  
  computer readable code means for providing a network service provider with restricted access to a subset of the first plurality of functions, the subset of the first plurality of functions comprising at least one of the first plurality of functions and excluding said function for controlling security of customer data transmitted across a network; and
  
  ,computer readable code means for providing the network service provider with access to at least some functions of the second plurality of functions, the at least some functions of the second plurality of functions comprising said function for controlling security of customer data transmitted across a network,wherein the providing a customer with access to at least some functions of the first plurality of functions comprises;
  
  responsive to receiving first requests from users of the customer, providing first instructions intended for the at least one encryption device for controlling access to the at least some functions of the first plurality of functions;
  
  wherein the providing a network service provider with restricted access to a subset of the first plurality of functions comprises;
  
  responsive to receiving second requests from users of the network service provider, providing second instructions intended for the at least one encryption device for controlling access to the subset of the first plurality of functions; and
  
  ,wherein the providing the network service provider with access to at least some of the second plurality of functions, comprises;
  
  responsive to receiving third requests from the users of the network service provider, providing third instructions intended for the at least one transport device for controlling access to the at least some functions of the second plurality of functions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Superna Incorporated
Original Assignee
Superna Business Consulting, Inc.
Inventors
Arno, Michael William, MacKay, Andrew
Primary Examiner(s)
Powers, William

Application Number

US13/721,813
Publication Number

US 20130173909A1
Time in Patent Office

1,531 Days
Field of Search

713/153
US Class Current

1/1
CPC Class Codes

H04L 41/18   Delegation of network manag...

H04L 43/0823   Errors, e.g. transmission e...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

Key encryption system, method, and network devices

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Key encryption system, method, and network devices

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links