COMPUTERIZED ACCESS DEVICE WITH NETWORK SECURITY

US 20080010454A1
Filed: 07/11/2007
Published: 01/10/2008
Est. Priority Date: 07/30/1996
Status: Active Grant

First Claim

Patent Images

1. A network access device adapted to provide network security functions, comprising:

a software stack operative to run on said access device; and

first network security apparatus for use with said stack, said security apparatus adapted to communicate data with other like network security apparatus resident on a portable computing device over a data network by establishing an association, and where said first network security apparatus is configured to;

receive a message sent from said network security apparatus of said computing device;

determine whether an association between said network security apparatus and said network security apparatus of said portable computing device on said network exists;

convert at least a portion of said received message to a format utilized by said network; and

transmit said message received from said network security apparatus of said portable computing device to a third network security apparatus when said association does exist.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized access device useful within a network and adapted to provide communication security. In one embodiment, the network comprises an untrusted network, and the access device comprises stand-alone network security apparatus adapted to create associations with other network security devices on the network. Traffic between the associated devices may be encrypted for e.g., data confidentiality and integrity protection. In one variant, the network security apparatus comprises a software entity disposed at least partly within the software stack of a stand-alone hardware device. In another variant, the device functions as a gateway or portal to another network (e.g., the Internet or another untrusted network), or to another device within the same network.

104 Citations

View as Search Results

101 Claims

1. A network access device adapted to provide network security functions, comprising:
- a software stack operative to run on said access device; and
  
  first network security apparatus for use with said stack, said security apparatus adapted to communicate data with other like network security apparatus resident on a portable computing device over a data network by establishing an association, and where said first network security apparatus is configured to;
  
  receive a message sent from said network security apparatus of said computing device;
  
  determine whether an association between said network security apparatus and said network security apparatus of said portable computing device on said network exists;
  
  convert at least a portion of said received message to a format utilized by said network; and
  
  transmit said message received from said network security apparatus of said portable computing device to a third network security apparatus when said association does exist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 2. The device of claim 1, wherein said access device further comprises a network protocol used to resolve an IP address from a given hardware or network address.
  - 3. The device of claim 2, wherein said given hardware or network address comprises an Ethernet address.
  - 4. The device of claim 2, wherein said given hardware or network address comprises a 48-bit address.
  - 5. The device of claim 1, wherein said access device further comprises a network protocol used to resolve a given hardware or network address from an IP address.
  - 6. The device of claim 5, wherein said given hardware or network address comprises an Ethernet address.
  - 7. The device of claim 5, wherein said given hardware or network address comprises a 48-bit address.
  - 8. The device of claim 1, wherein said access device is further adapted to authenticate said third network security apparatus to form an association using a key-exchange algorithm.
  - 9. The device of claim 1, wherein said access device is further adapted to authenticate said third network security apparatus from which said access device has first requested authentication.
  - 10. The device of claim 1, wherein said network security apparatus is disposed substantially within said software stack above the Physical Layer thereof.
  - 11. The device of claim 10, wherein said network security apparatus is disposed substantially within said software stack below the Network Layer thereof.
  - 12. The device of claim 10, wherein said network security apparatus is disposed substantially within said software stack below the Transport Layer thereof.
  - 13. The device of claim 1, wherein said conversion of said at least portion of said received message to said format further comprises encrypting said at least portion using at least one key of a public/private key pair.
  - 14. The device of claim 1, wherein said association comprises a non-permanent trusted communications channel between and unique to said first network security apparatus and said other network security apparatus of said portable computing device.
  - 15. The device of claim 14, wherein said access device comprises a substantially fixed and stand-alone device.
  - 16. The device of claim 1, wherein said portable computing device comprises an untrusted operating system.
  - 17. The device of claim 16, wherein said portable computing device is physically non-secure.
  - 18. The device of claim 1, wherein said association comprises a mutual authentication process, wherein said network security apparatus is adapted to authenticate said other network security apparatus, and further adapted to authenticate itself to said other network security apparatus.
  - 19. The device of claim 1, wherein said first network security apparatus comprises a gateway function, said gateway function permitting secure data communication over a second network.
  - 20. The device of claim 19, wherein said second data network comprises the Internet, and said second data network is in data communication with a website.
  - 21. The device of claim 1, wherein said network further comprises an auditor function in data communication therewith.
  - 22. The device of claim 1, wherein said first network security apparatus of said access device comprises at least one interface port, access to which is based at least in part on identification of a user of said portable computing device.
  - 23. The device of claim 22, wherein said identification of a user is accomplished based at least in part on a cryptographic element associated with said portable computing device.
  - 24. The device of claim 1, wherein said network security apparatus is adapted to dynamically generate at least one encryption key for each association, said act of generating not requiring either (i) intervention by a network administrator;
    - or (ii) intervention by a user of said portable computing device.
  - 25. The device of claim 1, wherein at least one encryption key is dynamically generated by said network security apparatus pursuant to establishing an association with said another network security apparatus, said at least one key being specific to a particular session between said network security device and said another network security device.
  - 26. The device of claim 1, wherein said network security apparatus is adapted to encrypt at least portions of said message using a block cipher.)
  - 27. The device of claim 1, wherein said network security apparatus generates at least one encryption key for use in encrypting at least portions of said message, said at least one encryption key comprises at least a portion of a public/private key pair.
  - 28. The device of claim 1, wherein said network security apparatus generates at least one encryption key for use in encrypting at least portions of said message, said at least one encryption key comprises a symmetric encryption key.
  - 29. The device of claim 1, wherein said network security apparatus generates at least one encryption key, and said at least one encryption key provides confidentiality, integrity and authentication of user datagrams during a particular session or association between said network security apparatus and said other network security apparatus.
  - 30. The device of claim 1, wherein said network security apparatus comprises an encryption algorithm that is initialized at least in part using an initialization vector (IV).
  - 31. The device of claim 30, wherein said encryption algorithm is configured so that encrypting data using the same encryption key, but different IVs, will produce different ciphered output.
  - 32. The device of claim 30, wherein said network security apparatus is adapted to generate a new IV for each encryption event.
  - 33. The device of claim 1, wherein said network security apparatus, as part of establishing said association, generates random data that is transmitted to said other network security apparatus.
  - 34. The device of claim 1, wherein said network security apparatus further comprises a cryptographic element exchange algorithm adapted to generate and transmit random data to said other network security apparatus.
  - 35. The device of claim 34, wherein said transmission of said random data is associated with a procedure that permits both said network security apparatus and said other network security apparatus to possess encryption keys that permit the two apparatus to decrypt encrypted data sent by the other.
  - 36. The device of claim 1, wherein at least a portion of said received message is evaluated by said first network security apparatus using a first cryptographic residue generated at said first network security apparatus using at least locally stored information, and a second residue of said received message.
  - 37. The device of claim 36, wherein said evaluation of said first and second residues comprises comparing said residues to see if they match.
  - 38. The device of claim 37, wherein if said first and second residue does not match, a change in the operation of said first network security apparatus is invoked.
  - 39. The device of claim 38, wherein said change in the operation comprises performing a network audit function.
  - 40. The device of claim 1, wherein no pre-positioned network configuration data is used in establishing said association between said first network security apparatus and said other network security apparatus resident on said portable computing device.
  - 41. The device of claim 1, wherein said association is established at least in part based on an authentication of other network security apparatus resident on said portable computing device by said first network security apparatus that does not require access to a physically secure storage device.
  - 42. The device of claim 1, wherein said association between said network apparatus and said other network apparatus resident on said portable computing device is established using only:
    - a first message from the other network security apparatus resident on said portable computing device to the first network security apparatus; and
      
      a second message from the first network security apparatus to the other network security apparatus.
  - 43. The device of claim 42, wherein said first message comprises a request message, and said second message comprises a grant message.
  - 44. The device of claim 1, wherein said association between said first network apparatus and said other network security apparatus resident on said portable computing device is established without resort to an entity external to said first network security apparatus or said other network security apparatus.

45. A portal device in communication with one or more devices via a data network and further adapted to provide network security functions, comprising:
- a software stack operative to run on said portal device; and
  
  network security apparatus for use with said stack, said security apparatus adapted to communicate data between a second network security apparatus resident on an untrusted computerized device on said data network and said one or more devices also located on said data network;
  
  said network security apparatus operative to;
  
  establish an ad hoc and temporary association between said portal device and said second network security apparatus of said computerized device;
  
  receive a message sent from said computerized device;
  
  modify at least a part of said received message to produce a modified message; and
  
  transmit said modified message to at least one of said one or more devices resident on said data network.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 46. The device of claim 45, wherein said network security apparatus, further comprises:
    - an interface for receiving said message sent from said computerized device, wherein said message is intended for transmission over said data network;
      
      an association determination process configured to determine whether an association exists between the network security apparatus and said second network security apparatus;
      
      a session management process in communication with said interface and configured to transmit said message to said data network if said association determination process determines that said association exists; and
      
      an association manager in communication with said interface for establishing an association with said second network security apparatus if said association does not exist.
  - 47. The device of claim 46, further comprising apparatus adapted to, when said association does not exist, buffer or queue said message for at least a period of time prior to releasing said message for transmission over said data network.
  - 48. The device of claim 46, wherein said session manager is adapted to encrypt said message using a block cipher encryption algorithm prior to transmitting said message to said data network.
  - 49. The device of claim 48, wherein said association manager is configured to authenticate a received message from said second network security apparatus during said establishing an association.
  - 50. The device of claim 49, wherein said association comprises an ad hoc trusted communications path between said network security apparatus and said second network security apparatus.
  - 51. The device of claim 46 further comprising an apparatus adapted to generate an encryption key that is substantially unique to said association.
  - 52. The device of claim 45, wherein said network security apparatus operates according to a trusted session-based protocol, said trusted session-based protocol adapted to establishes one or more encryption keys during said establishing an association, said one or more keys being substantially unique to said association.
  - 53. The device of claim 52, wherein said trusted session-based protocol provides at least one mechanism to verify that said message is unaltered during transmission between said computerized device and said security apparatus device.
  - 54. The device of claim 53, wherein said at least one mechanism to verify that said message is unaltered during transmission over said network comprises a cryptographic residue.
  - 55. The device of claim 45, wherein said network security apparatus comprises at least one mechanism to authenticate at least one other computerized device or network security apparatus in communication with said network.
  - 56. The device of claim 55, wherein said at least one mechanism comprises a cryptographic residue.
  - 57. The device of claim 45, wherein said data network comprises an untrusted network.
  - 58. The device of claim 57, wherein said computerized device comprises an untrusted operating system.
  - 59. The device of claim 58, wherein said portal device comprises a gateway, said gateway being in data communication with said network.
  - 60. The device of claim 59, wherein said network comprises the Internet, and said network is in data communication with a website.
  - 61. The device of claim 60, wherein said computerized device comprises a portable computing device.

62. A substantially stand-alone gateway device adapted to provide network security functions and bridging between two networks, comprising:
- a software stack operative to run on said device; and
  
  first network security apparatus for use with said stack, said security apparatus adapted to communicate data with other like network security apparatus over at least one of first and second data networks in data communication with said gateway device by establishing an association, and where said first network security apparatus is configured to;
  
  receive a message sent from a higher layer process in said device for transmission over at least one of said networks;
  
  determine whether an association between said first network security apparatus and another network security apparatus in communication with said at least one network exists;
  
  convert at least a portion of said received message to a format utilized by said at least one network; and
  
  transmit at least portions of said message to said another network security apparatus when said association does exist.
- View Dependent Claims (63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88)
- - 63. The device of claim 62, wherein said device further comprises a network protocol used to resolve an IP address from a given hardware or network address.
  - 64. The device of claim 63, wherein said given hardware or network address comprises an Ethernet address.
  - 65. The device of claim 63, wherein said given hardware or network address comprises a 48-bit address.
  - 66. The device of claim 62, wherein said device further comprises a network protocol used to resolve a given hardware or network address from an IP address.
  - 67. The device of claim 66, wherein said given hardware or network address comprises an Ethernet address.
  - 68. The device of claim 66, wherein said given hardware or network address comprises a 48-bit address.
  - 69. The device of claim 62, wherein said first network apparatus is further adapted to authenticate at least one other device or associated network security apparatus requesting to form an association using a key-exchange algorithm.
  - 70. The device of claim 62, wherein said network security apparatus is disposed substantially within said software stack above the Physical Layer thereof.
  - 71. The device of claim 70, wherein said network security apparatus is disposed substantially within said software stack below the Network Layer thereof.
  - 72. The device of claim 70, wherein said network security apparatus is disposed substantially within said software stack below the Transport Layer thereof.
  - 73. The device of claim 62, wherein said conversion of said at least portion of said received message to said format further comprises encrypting said at least portion using at least one key of a public/private key pair.
  - 74. The device of claim 62, wherein said association comprises a non-permanent trusted communications channel between and unique to said first network security apparatus and said other network security apparatus.
  - 75. The device of claim 62, wherein said association comprises a mutual authentication process, wherein said first network security apparatus is adapted to authenticate said other network security apparatus, and further adapted to authenticate itself to said other apparatus.
  - 76. The device of claim 62, wherein said first network security apparatus is adapted to dynamically generate at least one encryption key for each association, said act of generating not requiring either (i) intervention by a network administrator.
  - 77. The device of claim 62, wherein at least one encryption key is dynamically generated by said first network security apparatus pursuant to establishing an association with said other network security apparatus, said at least one key being specific to a particular session between said first network security device and said other network security device.
  - 78. The device of claim 62, wherein said first network security apparatus is adapted to encrypt at least portions of said message using a block cipher.)
  - 79. The device of claim 62, wherein said first network security apparatus generates at least one encryption key for use in encrypting at least portions of said message, said at least one encryption key comprises at least a portion of a public/private key pair.
  - 80. The device of claim 62, wherein said first network security apparatus generates at least one encryption key for use in encrypting at least portions of said message, said at least one encryption key comprises a symmetric encryption key.
  - 81. The device of claim 62, wherein said first network security apparatus generates at least one encryption key, and said at least one encryption key provides confidentiality, integrity and authentication of user datagrams during a particular session or association between said first network security apparatus and said other network security apparatus.
  - 82. The device of claim 62, wherein said first network security apparatus comprises an encryption algorithm that is initialized at least in part using an initialization vector (IV).
  - 83. The device of claim 82, wherein said encryption algorithm is configured so that encrypting data using the same encryption key, but different IVs, will produce different ciphered output.
  - 84. The device of claim 82, wherein said first network security apparatus is adapted to generate a new IV for each encryption event.
  - 85. The device of claim 62, wherein said first network security apparatus, as part of establishing said association, generates random data that is transmitted to said other network security apparatus.
  - 86. The device of claim 62, wherein said first network security apparatus further comprises a cryptographic element exchange algorithm adapted to generate and transmit random data to said other network security apparatus.
  - 87. The device of claim 86, wherein said transmission of said random data is associated with a procedure that permits both said first network security apparatus and said other network security apparatus to possess encryption keys that permit the two apparatus to decrypt encrypted data sent by the other.
  - 88. The device of claim 62, wherein said association is established at least in part based on an authentication of said other network security apparatus by said first network security apparatus that does not require access to a physically secure storage device.

89. An access portal comprising;
- a host computerized device;
  
  a first computer program operative to run on said host computerized device to establish an ad hoc security association between said portal and a portable computer device, said first computer program comprising a key exchange algorithm adapted to cause said portal and said portable device to exchange respective cryptographic keys generated substantially while establishing said association, said keys being substantially unique to said association, said establishment of said association further comprising at least authentication of said portable device to said portal;
  
  a second computer program operative to run on said host computer and adapted to decrypt data sent to the portal using at least one of said cryptographic keys; and
  
  a third computer program operative to run on said host computer and adapted to evaluate said encrypted data sent from the portable device for at least data integrity using cryptographic residues generated by both said portable device and said residue.
- View Dependent Claims (90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101)
- - 90. The portal of claim 89, wherein said evaluation comprises comparing a first of said residues generated by said portal to a second of said residues generated by said portable device.
  - 91. The portal of claim 90, wherein said second of said residues is included within a message sent from said portable device, said message further comprising said encrypted data encrypted by at least one of said cryptographic keys.
  - 92. The portal of claim 90, wherein said at least authentication of said portable device to said portal comprises a mutual authentication procedure between said portal and said device, said mutual authentication based on evaluating a digital signature uniquely associated with said device.
  - 93. The portal of claim 89, wherein said portal comprises a trusted computing base comprising hardware and software, said base being adapted to enforce one or more security policies.
  - 94. The portal of claim 93, wherein said one or more security policies comprises authentication of said portable device.
  - 95. The portal of claim 94, wherein said trusted computing base comprises hardware and software disposed at a different physical location from that of said portal.
  - 96. The portal of claim 95, wherein said portal comprises an untrusted operating system and physically non-secure host device.
  - 97. The portal of claim 96, wherein said portable device comprises an untrusted operating system and a physically non-secure device.
  - 98. The portal of claim 97, wherein said trusted computing base comprises at least one of:
    - (i) a trusted operating system; and
      
      (ii) physically secure hardware.
  - 99. The portal of claim 95, wherein said portal is in data communication with a second network, and is configured not to pass communications from said portable device over said second network until said device is properly authenticated to said portal.
  - 100. The portal of claim 99, wherein said second network comprises an untrusted and at least partly physically non-secure network.
  - 101. The portal of claim 99, wherein said second network comprises the Internet, and further comprises at least one website in communication with said Internet, and wherein said at least one website and said portable device are capable of secure data communication with one another via at least said portal and said Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Micron Technology, Inc.
Inventors
Holden, James, Levin, Stephen, Wrench, Edwin, Nickel, James

Granted Patent

US 7,797,423 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/166
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

COMPUTERIZED ACCESS DEVICE WITH NETWORK SECURITY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

104 Citations

101 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTERIZED ACCESS DEVICE WITH NETWORK SECURITY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

101 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links