Community of interest-based secured communications over IPsec
First Claim
1. A method of establishing secure communications between endpoints, the method comprising:
- transmitting, by a processor of a first endpoint, from the first endpoint to a second endpoint a first message including a token, the token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with the corresponding community of interest key;
- receiving, at the processor of the first endpoint, from the second endpoint a second message, distinct from the first message, including a second authorization token at the first endpoint, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user of the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key;
- for each community of interest associated with both the first user and the second user, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint;
- creating, by the processor of the first endpoint, a key pair at the first endpoint and generating a shared secret based on the key pair;
- transmitting, by the processor of the first endpoint, a third message, distinct from the first and second messages, including the created key pair to the second endpoint, thereby allowing the second endpoint to derive the shared secret; and
- initializing, by the processor of the first endpoint, a tunnel between the first and second endpoints, the tunnel using the shared secret to derive encryption keys used for IPsec-secured communications between the first and second endpoints.
Abstract
A method and system for establishing secure communications between endpoints includes transmitting a first message including a token having one or more entries, each corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint. The method includes receiving a second message including a second authorization token having one or more entries, each entry corresponding to a community of interest associated with a second user and including an encryption key and a validation key associated with the second endpoint. The method includes, for each community of interest associated with both users, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint. The method also includes creating a key pair at the first endpoint and generating a shared secret based on that key pair, transmitting a third message including the created key pair to the second endpoint, and initializing a tunnel using the shared secret to derive encryption keys used for IPsec-secured communications between the endpoints.
20 Claims
1. A method of establishing secure communications between endpoints, the method comprising the steps set out in full under First Claim above.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method of establishing secure communications between endpoints, the method comprising:
- receiving, at a processor of a second endpoint, from a first endpoint at the second endpoint a first message including a token, the token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with the corresponding community of interest key;
- for each community of interest associated with both the first user and the second user, decrypting, by the processor of the second endpoint, an associated entry in the first authorization token to obtain the encryption key and validation key associated with the first endpoint;
- creating, by the processor of the second endpoint, a key pair at the second endpoint;
- transmitting, by the processor of the second endpoint, to the first endpoint from the second endpoint a second message, distinct from the first message, including a second authorization token, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user of the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key;
- receiving, at the processor of the second endpoint, at the second endpoint a third message, distinct from the first and second messages, including a key pair created at the first endpoint encrypted with the encryption key of the second endpoint;
- deriving, by the processor of the second endpoint, at the second endpoint the shared secret from the key pair created at the first endpoint and the key pair created at the second endpoint; and
- initializing, by the processor of the second endpoint, a tunnel between the first and second endpoints, the tunnel using the shared secret to derive encryption keys used for IPsec-secured communications between the first and second endpoints.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.

20. A system comprising:
- a first endpoint comprising a non-transitory computer-readable medium comprising instructions which, when executed by a first processor of a computing system of the first endpoint, cause the first processor to perform the steps of:
  - transmitting a first message to a second endpoint, the first message including a token, the token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with the corresponding community of interest key;
  - receiving from the second endpoint a second message, distinct from the first message, including a second authorization token, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user of the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key;
  - for each community of interest associated with both the first user and the second user, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint;
  - creating a key pair and generating a shared secret based on the key pair;
  - transmitting a third message, distinct from the first and second messages, including the created key pair to the second endpoint, thereby allowing the second endpoint to derive the shared secret; and
  - initializing a tunnel to the second endpoint, the tunnel using the shared secret to derive encryption keys used for IPsec-secured communications by the first endpoint; and
- the second endpoint including a second computing system communicatively connected to the computing system at the first endpoint, the second endpoint comprising a non-transitory computer-readable medium comprising instructions which, when executed by a second processor of the second computing system of the second endpoint, cause the second processor to perform the steps of:
  - receiving the first message;
  - for each community of interest associated with both the first user and the second user, decrypting an associated entry in the token to obtain the encryption key and validation key associated with the first endpoint;
  - creating a second key pair;
  - transmitting the second message to the first endpoint, the second message including the second authorization token and the second key pair;
  - receiving the third message;
  - deriving at the second endpoint the shared secret from the key pair created at the first endpoint and the key pair created at the second endpoint; and
  - initializing a tunnel to the first endpoint using the shared secret to derive encryption keys used for IPsec-secured communications by the second endpoint.
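The three-message exchange of claims 1 and 11, as an added Python sketch that is not the patent's or any assignee's code: each endpoint publishes one token entry per community of interest (COI), a peer can open only the entries for COIs whose key it also holds, the opened encryption key protects message 3, and both sides derive the same tunnel key from the two key pairs. The COI names, the HMAC-based sealing cipher, the 127-bit Diffie-Hellman group and the tunnel key derivation are constructed stand-ins for illustration, not what the patent specifies.

```python
import hmac, hashlib, os, secrets
P, G = (1 << 127) - 1, 3   # toy DH group for illustration only; IPsec deployments use an IKE MODP/ECP group

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, data):
    """Toy authenticated encryption (assumed, not the patent's): HMAC keystream XOR plus an HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None   # wrong COI key: the entry stays opaque to this endpoint
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Endpoint:
    def __init__(self, coi_keys):
        self.coi_keys = coi_keys                       # {coi_name: 32-byte COI key} held by this user
        self.enc_key, self.val_key = os.urandom(32), os.urandom(32)
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)

    def token(self):
        # one entry per COI of this user, each sealing the endpoint's encryption + validation key
        return {coi: seal(k, self.enc_key + self.val_key) for coi, k in self.coi_keys.items()}

    def read_token(self, token):
        # open entries for COIs shared with the peer; (enc_key, val_key) or None if none in common
        for coi, k in self.coi_keys.items():
            if coi in token and (keys := unseal(k, token[coi])) is not None:
                return keys[:32], keys[32:]
        return None

    def tunnel_key(self, peer_pub):
        shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        return hashlib.sha256(b"ipsec-tunnel" + shared).digest()   # stand-in for the IPsec key derivation

def handshake(a, b):
    """The three messages of claim 1; returns (a_key, b_key) or None when no COI is shared."""
    b_keys = b.read_token(a.token())                  # message 1: A's token -> B
    a_keys = a.read_token(b.token())                  # message 2: B's token (with B's public value) -> A
    if a_keys is None or b_keys is None:
        return None
    msg3 = seal(a_keys[0], a.pub.to_bytes(16, "big")) # message 3: A's public value under B's enc key
    a_pub = int.from_bytes(unseal(b.enc_key, msg3), "big")
    return a.tunnel_key(b.pub), b.tunnel_key(a_pub)
```

A peer that merely knows a COI's name but not its key cannot open the entry and the handshake ends with no tunnel, which is the check a defender would verify in any implementation of this scheme.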
Specification