Method of negotiating security parameters and authenticating users interconnected to a network

US 20050108531A1
Filed: 11/14/2003
Published: 05/19/2005
Est. Priority Date: 11/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method for negotiating a set of security parameters usable by an initiator and a responder to create a secure path over a network for exchanging information, the method including a plurality of modes, comprising:

conducting a main mode negotiation for establishing the secure path and selecting the set of security parameters including a security protocol;

conducting a quick mode negotiation for deriving a set of keys usable with the security protocol;

wherein at least a portion of the quick mode occurs during the main mode and a quick mode pseudo random number is exchanged between the responder and the initiator; and

wherein a protocol security process establishes inbound and outbound protocol security associations.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.

49 Citations

View as Search Results

25 Claims

1. A method for negotiating a set of security parameters usable by an initiator and a responder to create a secure path over a network for exchanging information, the method including a plurality of modes, comprising:
- conducting a main mode negotiation for establishing the secure path and selecting the set of security parameters including a security protocol;
  
  conducting a quick mode negotiation for deriving a set of keys usable with the security protocol;
  
  wherein at least a portion of the quick mode occurs during the main mode and a quick mode pseudo random number is exchanged between the responder and the initiator; and
  
  wherein a protocol security process establishes inbound and outbound protocol security associations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - conducting a first user mode for authenticating a first user associated with the initiator or responder.
  - 3. The method of claim 2, wherein the initiator and the responder exchange authentication data that is calculated by application of a hash function incorporating a secret key on data exchanged during the main mode.
  - 4. The method of claim 2, further comprising:
    - conducting a second user mode for authenticating a second user associated with the initiator or the responder.
  - 5. The method of claim 1, wherein the main mode comprises:
    - sending, from the initiator to the responder, a set of proposed security parameters and authentication data;
      
      selecting, by the responder, the set of security parameters from the set of proposed security parameters;
      
      sending the set of security parameters from the responder to the initiator.
  - 6. The method of claim 1, wherein the initiator identifies a public key of the responder prior to the main mode negotiation and wherein at least a portion a first message sent from the initiator to the responder is encrypted using the public key.
  - 7. The method of claim 1, wherein the main mode comprises:
    - sending a group advertisement from the initiator to the responder; and
      
      comparing the group advertisement to a set of authorized groups; and
      
      sending a response from the responder to the initiator.
  - 8. The method of claim 1, further comprising:
    - exchanging Diffie Hellman key data between the initiator and the responder during main mode for deriving keys for use with an encryption algorithm.
  - 9. The method of claim 1, further comprising:
    - exchanging a pair of notify payloads between the initiator and the responder;
      
      wherein the pair of notify payloads are used by the protocol security process for establishing the protocol security associations.

10. A method for a first computer to dynamically discover a security policy of a second computer, wherein the first computer and the second computer are communicatively coupled to a computer network, comprising:
- receiving, at the second computer, a request message from the first computer, wherein the request fails to conform to the security policy of the second computer;
  
  sending, from the second computer to the first computer, a response message with a payload that identifies a subset of the security policy of the second computer; and
  
  initiating, by the first computer, a security negotiation by sending a message including a proposed set of security parameters conforming to the security policy of the second computer.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein the request message is a standard IP packet with a clear text payload.
  - 12. The method of claim 10, wherein the second computer is a responder and the first computer is an initiator, the initiator and the responder being in a main mode negotiation process and wherein the request message is sent from the initiator to the responder and includes one or more proposed security associations that fail to conform to the security policy of the responder.
  - 13. The method of claim 10, wherein the second computer is an initiator and the first computer is a responder, the initiator and the responder being in a main mode negotiation process and wherein the request message is sent from the responder to the initiator and includes certificate data that fails to conform to the security policy of the initiator.
  - 14. The method of claim 10, wherein the response message further includes an R-Cookie value used to prevent a denial of service attack, and the first computer includes a stateful firewall filter that permits the response message and blocks unsolicited packets received over the computer network.

15. A method for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, comprising:
- initiating a first security negotiation at the first network device by sending a first message with a first proposed set of security parameters;
  
  determining, at the first network device, that the first security negotiation is unsuccessful and identifying a basis for the unsuccessful security negotiation;
  
  initiating a second security negotiation, at the first network device by sending a second message with a second set of proposed security parameters.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 wherein the unsuccessful security negotiation results from the first set of security parameters failing to conform to a security policy of the second network device and wherein the second set of proposed security parameters conform to the security policy of the second network device.
  - 17. The method of claim 15 wherein the unsuccessful security negotiation results from a first certificate sent from the responder to the initiator, wherein the first certificate is invalid, the second security negotiation further comprising:
    - sending a certificate request from the initiator to the responder that includes an identification payload requesting a second certificate from the responder such that the second certificate is distinct from the first certificate.

18. A computer-readable medium for executing computer-readable instructions for negotiating a set of security parameters usable by an initiator and a responder to create a secure path over a network for exchanging information, the method including a plurality of modes, comprising:
- conducting a main mode negotiation for establishing the secure path and selecting the set of security parameters including a security protocol;
  
  conducting a quick mode negotiation for deriving a set of keys usable with the security protocol;
  
  wherein at least a portion of the quick mode occurs during the main mode and a quick mode pseudo random number is exchanged between the responder and the initiator; and
  
  wherein a protocol security process establishes protocol security associations.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The computer-readable medium of claim 18, further comprising:
    - conducting a user mode for authenticating one or more users associated with the initiator or the responder.
  - 20. The computer-readable medium of claim 19, wherein the initiator and the responder exchange authentication data that is calculated by application of a hash function incorporating a secret key on data exchanged during the main mode.
  - 21. The computer-readable medium of claim 18, wherein the initiator identifies a public key of the responder prior to the main mode negotiation and wherein at least a portion a first message sent from the initiator to the responder is encrypted using the public key.
  - 22. The computer-readable medium of claim 18, wherein the main mode comprises:
    - sending a group advertisement from the initiator to the responder;
      
      comparing the group advertisement to a set of authorized groups; and
      
      sending a response from the responder to the initiator.

23. A computer-readable medium for executing computer-readable instructions for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, comprising:
- initiating a first security negotiation at the first network device by sending a first message with a first proposed set of security parameters;
  
  determining, at the first network device, that the first security negotiation is unsuccessful and identifying a basis for the unsuccessful security negotiation;
  
  initiating a second security negotiation at the first network device by sending a second message with a second set of proposed security parameters.
- View Dependent Claims (24, 25)
- - 24. The computer-readable medium of claim 23, wherein the unsuccessful security negotiation results from the first set of security parameters failing to conform to a security policy of the second network device and wherein the second set of proposed security parameters conform to the security policy of the second network device.
  - 25. The computer-readable medium of claim 23, wherein the unsuccessful security negotiation results from a first certificate sent from the responder to the initiator, wherein the first certificate is invalid, the second security negotiation further comprising:
    - sending a certificate request from the initiator to the responder that includes an identification payload requesting a second certificate from the responder such that the second certificate is distinct from the first certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bitan, Sara, Huitema, Christian, Simon, Daniel R., Swander, Brian D., Mayfield, Paul G.

Granted Patent

US 7,574,603 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/0844   with user authentication or...

Method of negotiating security parameters and authenticating users interconnected to a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method of negotiating security parameters and authenticating users interconnected to a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links