Administration of multiple network system with a single trust module

US 9,774,630 B1
Filed: 09/28/2009
Issued: 09/26/2017
Est. Priority Date: 09/28/2009
Status: Active Grant

First Claim

Patent Images

1. A secure internetwork system comprising:

at least two networks each having a local encryption/decryption module to encrypt and decrypt data that does not include security control information;

a communication channel directly connecting the at least two networks over which the at least two networks communicate only data that does not include security control information to each other;

a first control channel, independent of the communication channel, over which to convey only security control information;

a second control channel, independent of the communication channel, over which to convey only security control information; and

a trust module isolated from the communication channel so as to not receive data and independent of the at least two networks to convey the security control information over the first control channel to the local encryption/decryption module of one of the at least two networks and to convey the security control information over the second control channel to the local encryption/decryption module of another of the at least two networks in order to manage authentication and rules for secure communication between and/or among the at least two networks, wherein the security control information that is conveyed over the first control channel and the second control channel to the local encryption/decryption module of the at least two networks is isolated from the communication channel over which data is conveyed in order to prevent the security control information from being conveyed on a same channel as the data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trust module suitable for providing and managing network administration across multiple networks with different security levels. The trust module comprises an administration module to provide secure communication rules between and among the networks that define the manner in which the networks exchange secure communication over a data channel. The administration module includes a user interface to enable an administrator to define the secure communication rules and an encryption module to encrypt the secure communication rules. Advantageously, the trust module of the present invention allows for secure communication and attestation across an unsecure network and a secure network.

21 Citations

View as Search Results

20 Claims

1. A secure internetwork system comprising:
- at least two networks each having a local encryption/decryption module to encrypt and decrypt data that does not include security control information;
  
  a communication channel directly connecting the at least two networks over which the at least two networks communicate only data that does not include security control information to each other;
  
  a first control channel, independent of the communication channel, over which to convey only security control information;
  
  a second control channel, independent of the communication channel, over which to convey only security control information; and
  
  a trust module isolated from the communication channel so as to not receive data and independent of the at least two networks to convey the security control information over the first control channel to the local encryption/decryption module of one of the at least two networks and to convey the security control information over the second control channel to the local encryption/decryption module of another of the at least two networks in order to manage authentication and rules for secure communication between and/or among the at least two networks, wherein the security control information that is conveyed over the first control channel and the second control channel to the local encryption/decryption module of the at least two networks is isolated from the communication channel over which data is conveyed in order to prevent the security control information from being conveyed on a same channel as the data.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The secure internetwork system of claim 1, wherein the at least two networks, further comprise:
    - an unsecure network and a secure network.
  - 3. The secure internetwork system of claim 2, wherein the security control information is provided to the trust module from the unsecure network.
  - 4. The secure internetwork system of claim 3, wherein the trust module authenticates the security control information provided from the unsecure network and then propagates the rules for secure communication to the at least two networks over the control channel.
  - 5. The secure internetwork system of claim 1, wherein the trust module, further comprises:
    - a control switch communicatively positioned between the trust module and the at least two networks.
  - 6. The secure internetwork system of claim 1, wherein the trust module distributes public and private keys to the local encryption/decryption module of the at least two networks.
  - 7. The secure internetwork system of claim 1, further comprising:
    - a plurality of networks each having a local encryption/decryption module to encrypt and decrypt data, wherein each of the networks has a security level and at least one of the plurality of networks is an unsecure network and at least one of the plurality of networks is a secure network;
      
      an Ethernet switch communicatively positioned between the trust module and the plurality of networks; and
      
      wherein the trust module distributes public and private keys to the local encryption/decryption module of the plurality of networks through the Ethernet switch, and wherein the trust module authenticates the security control information provided from the unsecure network and then propagates the rules for secure communication to the plurality networks over the control channel through the Ethernet switch.

8. A method for providing secure communication between and among multiple networks, wherein each of the multiple networks has a local encryption/decryption module to encrypt and decrypt information that does not include security control information, the method comprising:
- providing a trust module to manage secure communication between and among the networks;
  
  enabling an administrator to access the trust module in order to provide authorizations that define secure communication rules between and among the networks;
  
  providing a first control channel from the trust module to the local encryption/decryption module of a first network of the multiple networks and providing a second control channel from the trust module to the local encryption/decryption module of a second network of the multiple networks, the first control channel and the second control channel convey only the secure communication rules;
  
  sending the secure communication rules to the local encryption/decryption modules over the control channel;
  
  providing a data channel independent of the control channel over which the networks exchange only data that does not include security control information; and
  
  isolating the trust module from the data channel so as to not receive data;
  
  conveying data between or among the respective networks over the data channel in accordance with the secure communication rules received from the trust module.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, further comprising:
    - authenticating at least two of the networks prior to enabling intercommunication therebetween.
  - 10. The method of claim 8, further comprising:
    - encrypting the secure communication rules with the trust module prior to sending the secure communication rules to the local encryption/decryption modules of the respective networks.
  - 11. The method of claim 10, further comprising:
    - decrypting the secure communication rules with the local encryption/decryption module.
  - 12. The method of claim 8, further comprising:
    - propagating secure communication rules among a plurality of networks with one of multiple levels of security.
  - 13. The method of claim 8, wherein in the step of sending the secure communication rules to the local encryption/decryption modules, further comprises:
    - sending the secure communication rules from an unsecured network.
  - 14. The method of claim 13, further comprising:
    - authenticating the secure communication rules at the trust module.
  - 15. The method of claim 14, further comprising:
    - propagating secure communication rules from the trust module to and/or among a plurality of networks with one of multiple levels of security.

16. A trust module for an internetwork communication system that includes at least two independent networks each having a local encryption/decryption module to encrypt and decrypt data that does not include security control information, a data channel over which the networks communicate only the data, a control channel to convey only security control information with each of the local encryption/decryption modules of the at least two independent networks, the trust module comprising:
- an administration module to provide secure communication rules between and among the networks that define the manner in which the networks exchange secure communication over the data channel;
  
  a user interface of the administration module to enable an administrator to define the secure communication rules;
  
  an encryption module of the administration module to encrypt the secure communication rules; and
  
  a first control channel entirely separate and independent of the data channel through which to send only the encrypted secure communication rules to the local encryption/decryption modules of a first network of the at least two independent networks and a second control channel physically separate from the first control channel and entirely and physically separate and independent of the data channel through which to send only the encrypted secure communication rules to the local encryption/decryption modules of a second network of the at least two independent networks, whereby to enable the respective networks to intercommunicate with each other according to rules defined by the administration module, wherein the trust module is isolated from the data channel so as to not receive the data.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The trust module of claim 16, wherein the control channel and the data channel are physical channels.
  - 18. The trust module of claim 17, wherein the security control information is provided to the trust module from an unsecured network.
  - 19. The trust module of claim 18, further comprising a key administration database, wherein the key administration database stores corresponding public private key pairs for authentication of encrypted data.
  - 20. The trust module of claim 17, further comprising:
    - an Ethernet switch communicatively positioned between the trust module and the at least two independent networks; and
      
      wherein the trust module distributes public and private keys to the local encryption/decryption module of the at least two independent networks through the Ethernet switch, and wherein the trust module authenticates the security control information provided from an unsecured network and then propagates the rules for secure communication to the at least two independent networks over the control channel through the Ethernet switch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Original Assignee
Rockwell Collins, Inc. (Raytheon Technologies Corporation d/b/a RTX)
Inventors
Kamin, III, Raymond A.
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
Nguy, Chi

Application Number

US12/568,616
Time in Patent Office

2,920 Days
Field of Search

380278
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 63/18   using different networks or...

H04L 63/20   for managing network securi...

H04L 9/0827   involving distinctive inter...

H04L 9/3215   using a plurality of channe...

Administration of multiple network system with a single trust module

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Administration of multiple network system with a single trust module

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others