Secured networks and endpoints applying internet protocol security

US 9,794,237 B2
Filed: 06/29/2015
Issued: 10/17/2017
Est. Priority Date: 01/31/2005
Status: Active Grant

First Claim

Patent Images

1. A method of managing secure communications states in an endpoint within a secure network, the method comprising:

in a disconnected state, transmitting from a first endpoint to a second endpoint a first message including an authorization token, the authorization token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with a corresponding community of interest key and entering a pending state;

in the pending state, receiving from the second endpoint a second message including a second authorization token at the first endpoint, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key;

based on receipt of the second message, entering an open state and initializing a tunnel between the first and second endpoints using an IPsec-based secured connection; and

upon termination of the tunnel due to a termination or timeout message issued by at least one of the first and second endpoints, entering a closed state;

wherein a community of interest includes a plurality of users having common user rights and segregating user groups by way of assignment of different cryptographic keys used for each user group, and any message from by an unauthorized endpoint that is not a member of the community of interested are not responded to in any way.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of managing secure communications states in an endpoint within a secure network is disclosed. The method includes, in a disconnected state, transmitting from a first endpoint to a second endpoint a first message including an authorization token. The method further includes, in the pending state, receiving from the second endpoint a second message including a second authorization token at the first endpoint. The method includes, based on the receipt of the second message, entering an open state and initializing a tunnel between the first and second endpoints using an IPsec-based secured connection. The method also includes, upon termination of the tunnel due to a termination or timeout message issued by at least one of the first and second endpoints, entering a closed state.

6 Citations

View as Search Results

20 Claims

1. A method of managing secure communications states in an endpoint within a secure network, the method comprising:
- in a disconnected state, transmitting from a first endpoint to a second endpoint a first message including an authorization token, the authorization token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with a corresponding community of interest key and entering a pending state;
  
  in the pending state, receiving from the second endpoint a second message including a second authorization token at the first endpoint, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key;
  
  based on receipt of the second message, entering an open state and initializing a tunnel between the first and second endpoints using an IPsec-based secured connection; and
  
  upon termination of the tunnel due to a termination or timeout message issued by at least one of the first and second endpoints, entering a closed state;
  
  wherein a community of interest includes a plurality of users having common user rights and segregating user groups by way of assignment of different cryptographic keys used for each user group, and any message from by an unauthorized endpoint that is not a member of the community of interested are not responded to in any way.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein in the open state, the method her includes:
    - for each community of interest associated with the user and including the first and second endpoints, decrypting an associated entry in the second authorization token to obtain the encryption key and validation key associated with the second endpoint;
      
      decrypting and validating a public key to be used in a Diffie-Hellman key agreement algorithm;
      
      creating a key pair at the first endpoint and generating a shared secret based on the key pair and the public key received from the second endpoint;
      
      transmitting a third message including the public key created at the first endpoint to the second endpoint, thereby allowing the second endpoint to derive the shared secret; and
      
      initializing the tunnel between the first and second endpoints using the shared secret to derive encryption keys used for IPsec-secured communication between the first and second endpoints.
  - 3. The method of claim 2, wherein messages passed within the tunnel remain obscured to a third endpoint having a community of interest in common with the first endpoint and the second endpoint.
  - 4. The method of claim 1, further comprising, after initializing the tunnel, transmitting one or more keep-alive messages from the first endpoint to the second endpoint via the tunnel.
  - 5. The method of claim 1, Wherein the second message further includes a signature, an encryption value, and one or more response codes identifying a status of the second endpoint to the first endpoint.
  - 6. The method of claim 5, wherein the one or more response codes identify the second endpoint to the first endpoint as a proxy for a third endpoint.
  - 7. The method of claim 1, further comprising, in the pending state, upon receiving a third message from the second endpoint that includes a third token including one or more entries, each entry corresponding to a community of interest associated with a user of the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key:
    - transmitting a fourth message to the second endpoint, the fourth message including a fourth authorization token at the first endpoint, the fourth authorization token including one or more entries, each entry corresponding to a community of interest associated with the user of the first endpoint and including an encryption key and a validation key associated with the first endpoint and encrypted with the corresponding community of interest key; and
      
      entering an open final state;
      
      wherein a community of interest includes a plurality of users having common user rights and segregating user groups by way of assignment, of different cryptographic keys used for each user group, and any message from by an unauthorized endpoint that is not a member of the community of interested are not responded to in any way.
  - 8. The method of claim 1, wherein the first endpoint has a plurality modes including an on demand mode and an always on mode.
  - 9. The method of claim 1, further comprising allowing a user to remotely access the first endpoint in each of the disconnected state, the pending state, the open state, and the closed state via an administrator-selected, predetermined IP-based protocol.
  - 10. The method of claim 9, wherein the administrator-selected, predetermined IP-based protocol comprises Remote Desktop Protocol.
  - 11. The method of claim 1, wherein the first message includes IPsec connectivity options supported by the endpoint.
  - 12. The method of claim 1, further comprising, prior to transmitting the first message, establishing a licensing tunnel to a licensing server.
  - 13. The method of claim 12, wherein the licensing tunnel is established using a second security protocol different from an IPsec security protocol that provides IPsec-secured communication between the first and second endpoints.
  - 14. The method of claim 1, wherein the second endpoint is included in a filter, wherein the filter defines one or more endpoints with which the first endpoint is authorized to communicate.

15. An endpoint computing system comprising:
- a processor;
  
  a memory communicatively connected to the processor and storing secured communications software, the secured communications software, when executed by the processor, causing the endpoint computing system to perform a method of managing secure communications states within a secure network, the method comprising;
  
  in a disconnected state, transmitting from the endpoint computing system to a second endpoint a first message including an authorization token, the authorization token including one or more entries, each entry corresponding to a community of interest associated with a user of the endpoint computing system and including an encryption key and a validation key associated with the endpoint computing system and encrypted with a corresponding community of interest key and entering a pending state;
  
  in the pending state, receiving from the second endpoint a second message including a second authorization token at the endpoint computing system, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key;
  
  based on receipt of the second message, entering an open state and initializing a tunnel between the endpoint computing system and the second endpoint using an IPsec-based secured connection; and
  
  upon termination of the tunnel due to a termination or timeout message issued by at least one of the endpoint computing system and the second endpoint, entering a closed state;
  
  wherein a community of interest includes a plurality of users having common user rights and segregating user groups by way of assignment of different cryptographic keys used for each user group, and any message from by an unauthorized endpoint that is not a member of the community of interested are not responded to in any way.
- View Dependent Claims (16, 17)
- - 16. The endpoint computing system of claim 15, wherein the secured communications software includes an applet presenting a user interface to a user allowing the user to provide user credentials to a logon service included in the secured communications software at the endpoint computing system.
  - 17. The endpoint computing system of claim 15, Wherein the endpoint computing system has a plurality of modes including an on demand mode and an always on mode.

18. A system comprising:
- a first endpoint, the first endpoint including;
  
  a processor;
  
  a memory communicatively connected to the processor and storing secured communications software, the secured communications software, when executed by the processor, causing an endpoint computing system to perform a method of managing secure communications states within a secure network, the method comprising;
  
  in a disconnected state, transmitting from the first endpoint to a second endpoint a first message including an authorization token, the authorization token including one or more entries, each entry corresponding to a community of interest associated with a user of the first endpoint and including an encryption key and a validation key associated with the endpoint computing system and encrypted with a corresponding community of interest key and entering a pending state;
  
  in the pending state, receiving from the second endpoint a second message including a second authorization token at the first endpoint, the second authorization token including one or more entries, each entry corresponding to a community of interest associated with the second endpoint and including an encryption key and a validation key associated with the second endpoint and encrypted with the corresponding community of interest key, the second message further including a signature, an encryption value, and one or more response codes identifying a status of the second endpoint to the first endpoint;
  
  based on receipt of the second message, entering an open state and initializing a tunnel between the first endpoint and the second endpoint using an IPsec-based secured connection; and
  
  upon termination of the tunnel due to a termination or timeout message issued by at least one of the first endpoint and the second endpoint, entering a closed state;
  
  wherein the one or more response codes identify the second endpoint to the first endpoint as a proxy for a third endpoint;
  
  wherein a community of interest includes a plurality of users having common user rights and segregating user groups by way of assignment of different cryptographic keys used for each user group, and any message from by an unauthorized endpoint that is not a member of the community of interested are not responded to in any way.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, further comprising the second endpoint, the third endpoint, and a fourth endpoint.
  - 20. The system of claim 19, wherein communication between the first endpoint and the second endpoint are obscured to the fourth endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Johnson, Robert A, Inforzato, Sarah K
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US14/753,120
Publication Number

US 20160380984A1
Time in Patent Office

841 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 63/0272   Virtual private networks

H04L 63/0485   Networking architectures fo...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0853   using an additional device,...

H04L 63/102   Entity profiles

H04L 63/164   at the network layer

Secured networks and endpoints applying internet protocol security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Secured networks and endpoints applying internet protocol security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others