Community of interest-based secured communications over IPsec

US 9,596,077 B2
Filed: 09/30/2013
Issued: 03/14/2017
Est. Priority Date: 04/22/2013
Status: Active Grant

First Claim

Patent Images

1. A method of establishing secure communications between endpoints, the method comprising:

transmitting, by a processor of a first endpoint, from the first endpoint to a second endpoint a first message including a token, the token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with the corresponding community of interest key;

receiving, at the processor of the first endpoint, from the second endpoint a second message, distinct from the first message, including a second authorization token at the first endpoint, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user of the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with corresponding community of interest key;

for each community of interest associated with both the first user and the second user, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint;

creating, by the processor of the first endpoint, a key pair at the first endpoint and generating a shared secret based on the key pair;

transmitting by the processor of the first endpoint, a third message, distinct from the first and second messages, including the created key pair to the second endpoint, thereby allowing the second endpoint to derive the shared secret;

initializing, by the processor of the first endpoint, a tunnel between the first and second endpoints, the tunnel using the shared secret to derive encryption keys used for IPsec-secured communications between the first and second endpoints.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for establishing secure communications between endpoints includes transmitting a first message including a token having one or more entries each corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint. The method includes receiving a second message including a second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user and including an encryption key and a validation key associated with the second endpoint. The method includes, for each community of interest associated with both users, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint. The method also includes generating a shared secret based on the key pair, transmitting a third message including the created key pair to the second endpoint, and initializing tunnel using the shared secret to derive encryption keys used for IPsec-secured communications between the endpoints.

26 Citations

View as Search Results

20 Claims

1. A method of establishing secure communications between endpoints, the method comprising:
- transmitting, by a processor of a first endpoint, from the first endpoint to a second endpoint a first message including a token, the token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with the corresponding community of interest key;
  
  receiving, at the processor of the first endpoint, from the second endpoint a second message, distinct from the first message, including a second authorization token at the first endpoint, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user of the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with corresponding community of interest key;
  
  for each community of interest associated with both the first user and the second user, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint;
  
  creating, by the processor of the first endpoint, a key pair at the first endpoint and generating a shared secret based on the key pair;
  
  transmitting by the processor of the first endpoint, a third message, distinct from the first and second messages, including the created key pair to the second endpoint, thereby allowing the second endpoint to derive the shared secret;
  
  initializing, by the processor of the first endpoint, a tunnel between the first and second endpoints, the tunnel using the shared secret to derive encryption keys used for IPsec-secured communications between the first and second endpoints.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the created key pair comprises a Diffie-Hellman key pair.
  - 3. The method of claim 1, wherein the first message comprises a Session 0 Protocol Data Unit (PDU), the second message comprises a Session 1 PDU, and the third message comprises a Session 2 PDU.
  - 4. The method of claim 1, wherein messages passed within the tunnel remain obscured to a third endpoint having a community of interest in common with the first endpoint and the second endpoint.
  - 5. The method of claim 1, wherein the first endpoint has a plurality of states associated with the tunnel, and wherein, prior to transmitting the third message, the first endpoint changes to an open tunnel state.
  - 6. The method of claim 5, wherein prior to receiving the second message, the first endpoint is in a pending open tunnel state.
  - 7. The method of claim 6, further comprising transmitting, by the processor of the first endpoint, a fourth message from the first endpoint to the second endpoint, the fourth message indicating to the second endpoint to close the tunnel.
  - 8. The method of claim 7, wherein after transmitting the fourth message, the first endpoint is in a closed tunnel state.
  - 9. The method of claim 1, further comprising after receiving the second message, importing, by the processor of the first endpoint, the encryption key and the validation key associated with the second endpoint at the first endpoint.
  - 10. The method of claim 1, further comprising, after initializing the tunnel, transmitting, by the processor of the first endpoint, from the first endpoint to the second endpoint one or more keep-alive messages via the tunnel.

11. A method of establishing secure communications between endpoints, the method comprising:
- receiving, at a processor of a second endpoint, from a first endpoint at the second endpoint a first message including a token, the token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with the corresponding community of interest key;
  
  for each community of interest associated with both the first user and the second user, decrypting, by the processor of the second endpoint, an associated entry in the first authorization token to obtain the encryption key and validation key associated with the first endpoint;
  
  creating, by the processor of the second endpoint, a key pair at the second endpoint;
  
  transmitting, by the processor of the second endpoint, to the first endpoint from the second endpoint a second message, distinct from the first message, including a second authorization token, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user of the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key;
  
  receiving at the processor of the second endpoint, at the second endpoint a third message, distinct from the first and second messages, including a key pair created at the first endpoint encrypted with the encryption key of the second endpoint;
  
  deriving, by the processor of the second endpoint, at the second endpoint the shared secret from the key pair created at the first endpoint and the key pair created at the second endpoint; and
  
  initializing, by the processor of the second endpoint, a tunnel between the first and second endpoints, the tunnel using the shared secret to derive encryption keys used for IPsec-secured communications between the first and second endpoints.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein the second endpoint has a plurality of states associated with the tunnel, and wherein, after receiving the third message, the second endpoint changes to an open tunnel state.
  - 13. The method of claim 12, wherein after receiving the first message, the second endpoint is in a pending final tunnel state.
  - 14. The method of claim 11, wherein after receiving the fourth message, the second endpoint is in a closed tunnel state.
  - 15. The method of claim 11, wherein users associated with a community of interest are associated with a common community of interest key.
  - 16. The method of claim 11, further comprising, prior to receiving the first message, enabling by the processor of the second endpoint secure communications at the second endpoint.
  - 17. The method of claim 16, further comprising receiving, by the processor of the second endpoint, at the second endpoint community of interest keys associated with the second user from an authorization server.
  - 18. The method of claim 17, further comprising registering, by the processor of the second endpoint, the second endpoint at a security appliance communicatively connected to the second endpoint.
  - 19. The method of claim 18, further comprising logging by the processor of the second endpoint, initialization of the tunnel at the security appliance.

20. A system comprising:
- a first endpoint comprising a non-transitory computer-readable medium comprising instructions which, when executed by a first processor of a computing system of the first endpoint, cause the first processor to perform the steps of;
  
  transmitting a first message to a second endpoint, the first message including a token, the token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with the corresponding community of interest key;
  
  receiving from the second endpoint a second message, distinct from the first message, including a second authorization token, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with a second user of the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key;
  
  for each community of interest associated with both the first user and the second user, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint;
  
  creating a key pair and generating a shared secret based on the key pair;
  
  transmitting a third message, distinct from the first and second messages, including the created key pair to the second endpoint, thereby allowing the second endpoint to derive the shared secret; and
  
  initializing a tunnel to the second endpoint, the tunnel using the shared secret to derive encryption keys used for IPsec-secured communications by the first endpoint; and
  
  the second endpoint including a second computing system communicatively connected to the computing system at the first endpoint, the second endpoint comprising a non-transitory computer-readable medium comprising instructions which, when executed by a second processor of the second computing system of the second endpoint, cause the second processor to perform the steps of;
  
  receiving the first message;
  
  for each community of interest associated with both the first user and the second user, decrypting an associated entry in the token to obtain the encryption key and validation key associated with the first endpoint;
  
  creating a second key pair;
  
  transmitting the second message to the first endpoint, the second message including the second authorization token and the second key pair;
  
  receiving the third message;
  
  deriving at the second endpoint the shared secret from the key pair created at the first endpoint and the key pair created at the second endpoint; and
  
  initializing a tunnel to the first endpoint using the shared secret to derive encryption keys used for IPsec-secured communications by the second endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Inforzato, Sarah K, Johnson, Robert A, Wild, Kathleen, Hinaman, Ted
Primary Examiner(s)
KIM, TAE K

Application Number

US14/042,212
Publication Number

US 20150095649A1
Time in Patent Office

1,261 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/53   by executing in a restricte...

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0485   Networking architectures fo...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

H04L 69/18   Multiprotocol handlers, e.g...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0841   involving Diffie-Hellman or...

Community of interest-based secured communications over IPsec

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Community of interest-based secured communications over IPsec

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links