Secure network method and apparatus

US 5,369,707 A
Filed: 01/27/1993
Issued: 11/29/1994
Est. Priority Date: 01/27/1993
Status: Expired due to Term

First Claim

Patent Images

1. A system for the secure routing of encrypted data within a communications network, comprising:

A) first digital logic means and second digital logic means, the first digital logic means being electronically linked for communication with the second digital logic means;

B) the first digital logic means comprising;

1) a first system memory for storing data;

2) a first access control subsystem, comprising logic for limiting system access to authorized users, the first access control subsystem being electronically connected to the first system memory for accessing data stored in the first system memory;

3) an encryption algorithm module, comprising logic for converting plain text messages into encrypted text messages, the encryption algorithm module being electronically connected to the first system memory for accessing data stored in the first system memory and the encryption algorithm module being further electronically connected to the first access control subsystem to accept inputs from the first access control subsystem;

4) a message header labelling subsystem, comprising logic for limiting system access, subject to label conditions, the message header labelling subsystem being electronically connected to the first system memory for accessing data stored in the first system memory and the message header labelling subsystem being further electronically connected to the encryption algorithm module to accept inputs from the encryption algorithm module; and

5) message transmission means for transmitting data to the second digit logic means;

C) the second digital logic means comprising;

1) a second system memory for storing data;

2) a second access control subsystem, comprising logic for limiting system access to authorized users, the second access control subsystem being electronically connected to the second system memory for accessing data stored in the second system memory;

3) a decryption algorithm module, comprising logic for converting encrypted text messages into plain text messages, the decryption algorithm module being electronically connected to the second system memory for accessing data stored in the second system memory and the decryption algorithm module being further electronically connected to the second access control subsystem to accept inputs from the second access control subsystem;

4) a message header identification subsystem, comprising logic for limiting system access, subject to label conditions, the message header identification subsystem being electronically connected to the second system memory for accessing data stored in the second system memory and the message header identification subsystem being further electronically connected to the decryption algorithm module to accept inputs from the decryption algorithm module; and

5) receiver means for receiving data transmitted by the first digital logic means;

D) the encryption algorithm module working in conjunction with the message header labelling subsystem to create an outgoing message transmitted from the transmission means of the first digital logic means to the receiver means of the second digital logic means;

E) the message header identification subsystem limiting access to an incoming message prior to conversion of a received encrypted text message into a plain text message by the decryption algorithm module by providing a cryptographic key to the encryption algorithm module;

F) the first access control subsystem and the second access control subsystem being adapted to manipulate passphrase information entered by users to generate a passkey;

G) the first access control subsystem further comprising a check key which is compared to the passkey;

H) the passkey being an input to the encryption algorithm module which allows editions of cryptographic information stored within the first system memory to be inputs to the encryption algorithm module only if the passkey exactly matches the check key;

I) the second access control subsystem further comprising a check key which is compared to the passkey;

J) the passkey being an input to the decryption algorithm module which allows editions of cryptographic information stored within the second system memory to be inputs to the decryption algorithm module only if the passkey exactly matches the check key;

K) the passkey inputs to the encryption algorithm module allowing the encryption algorithm module to convert a plain text message to an encrypted text message;

L) the passkey inputs to the decryption algorithm module allowing the decryption algorithm module to convert an encrypted text message to a plain text message;

M) the first digital logic means being adapted to exclusive OR all possible pairings of the editions of cryptographic information and an organizational account number to generate scrambled editions of cryptographic information;

N) the first digital logic means being further adapted to exclusive OR the scrambled editions of cryptographic information with label conditions to generate scrambled label conditions; and

O) the first digital logic means being further adapted to manipulate the scrambled label conditions and the editions of cryptographic data to generate an encryption key for allowing the encryption algorithm module to convert a plain text message to an encrypted text message.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for ensuring the security of messages communicated on a network. The system employs different levels of security to ensure that communication integrity is not breached. A user must first enter a valid password to clear the access control subsystem. The sending user must also possess valid cryptographic information and belong to a particular organization and/or be located at a particular device in order to encrypt a plain text message that is to be transmitted over the network. The device and organization information, along with receiving user information specified by the sending user, will then be grouped into a header which will be appended to the outgoing encrypted message. In order to receive a transmitted message, a receiving user must be the particular receiving user and be part of the particular group specified by the sending user, and must be attempting to receive the communication at the device specified in the message header. If these conditions are satisfied, cryptographic information must be entered into the system in order to decrypt the message, resulting in the original plain text message.

317 Citations

28 Claims

1. A system for the secure routing of encrypted data within a communications network, comprising:
- A) first digital logic means and second digital logic means, the first digital logic means being electronically linked for communication with the second digital logic means;
  
  B) the first digital logic means comprising;
  
  1) a first system memory for storing data;
  
  2) a first access control subsystem, comprising logic for limiting system access to authorized users, the first access control subsystem being electronically connected to the first system memory for accessing data stored in the first system memory;
  
  3) an encryption algorithm module, comprising logic for converting plain text messages into encrypted text messages, the encryption algorithm module being electronically connected to the first system memory for accessing data stored in the first system memory and the encryption algorithm module being further electronically connected to the first access control subsystem to accept inputs from the first access control subsystem;
  
  4) a message header labelling subsystem, comprising logic for limiting system access, subject to label conditions, the message header labelling subsystem being electronically connected to the first system memory for accessing data stored in the first system memory and the message header labelling subsystem being further electronically connected to the encryption algorithm module to accept inputs from the encryption algorithm module; and
  
  5) message transmission means for transmitting data to the second digit logic means;
  
  C) the second digital logic means comprising;
  
  1) a second system memory for storing data;
  
  2) a second access control subsystem, comprising logic for limiting system access to authorized users, the second access control subsystem being electronically connected to the second system memory for accessing data stored in the second system memory;
  
  3) a decryption algorithm module, comprising logic for converting encrypted text messages into plain text messages, the decryption algorithm module being electronically connected to the second system memory for accessing data stored in the second system memory and the decryption algorithm module being further electronically connected to the second access control subsystem to accept inputs from the second access control subsystem;
  
  4) a message header identification subsystem, comprising logic for limiting system access, subject to label conditions, the message header identification subsystem being electronically connected to the second system memory for accessing data stored in the second system memory and the message header identification subsystem being further electronically connected to the decryption algorithm module to accept inputs from the decryption algorithm module; and
  
  5) receiver means for receiving data transmitted by the first digital logic means;
  
  D) the encryption algorithm module working in conjunction with the message header labelling subsystem to create an outgoing message transmitted from the transmission means of the first digital logic means to the receiver means of the second digital logic means;
  
  E) the message header identification subsystem limiting access to an incoming message prior to conversion of a received encrypted text message into a plain text message by the decryption algorithm module by providing a cryptographic key to the encryption algorithm module;
  
  F) the first access control subsystem and the second access control subsystem being adapted to manipulate passphrase information entered by users to generate a passkey;
  
  G) the first access control subsystem further comprising a check key which is compared to the passkey;
  
  H) the passkey being an input to the encryption algorithm module which allows editions of cryptographic information stored within the first system memory to be inputs to the encryption algorithm module only if the passkey exactly matches the check key;
  
  I) the second access control subsystem further comprising a check key which is compared to the passkey;
  
  J) the passkey being an input to the decryption algorithm module which allows editions of cryptographic information stored within the second system memory to be inputs to the decryption algorithm module only if the passkey exactly matches the check key;
  
  K) the passkey inputs to the encryption algorithm module allowing the encryption algorithm module to convert a plain text message to an encrypted text message;
  
  L) the passkey inputs to the decryption algorithm module allowing the decryption algorithm module to convert an encrypted text message to a plain text message;
  
  M) the first digital logic means being adapted to exclusive OR all possible pairings of the editions of cryptographic information and an organizational account number to generate scrambled editions of cryptographic information;
  
  N) the first digital logic means being further adapted to exclusive OR the scrambled editions of cryptographic information with label conditions to generate scrambled label conditions; and
  
  O) the first digital logic means being further adapted to manipulate the scrambled label conditions and the editions of cryptographic data to generate an encryption key for allowing the encryption algorithm module to convert a plain text message to an encrypted text message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1, wherein the passphrase information entered by a user comprises alphanumeric characters.
  - 3. The system of claim 2, wherein the system converts the alphanumeric characters input by the user to digital data.
  - 4. The system of claim 1, wherein the first access control subsystem manipulates the passphrase information with BIOS information stored in the first system memory and the second access control subsystem manipulates the passphrase information with BIOS information stored in the second system memory.
  - 5. The system of claim 4, wherein the BIOS information includes the date of origin of the BIOS information.
  - 6. The system of claim 5, wherein a system serial number, stored in the first system memory and in the second system memory, is manipulated with the passphrase information and the BIOS information to generate the passkey.
  - 7. The system of claim 1, wherein the first digital logic means is adapted to manipulate filename/date/time information stored in the first system memory with one edition of cryptographic information to generate scrambled filename/date/time information.
  - 8. The system of claim 7, wherein the first digital logic means is adapted to manipulate the scrambled filename/date/time information with the scrambled label conditions and the editions of cryptographic information to generate the encryption key for allowing the encryption algorithm module to convert a plain text message into an encrypted text message.
  - 9. The system of claim 1, wherein the header labelling subsystem is adapted to combine the scrambled label conditions to form a message header.
  - 10. The system of claim 9, wherein the message header further comprises the scrambled filename/date/time information.
  - 11. The system of claim 10, wherein the message header further comprises a code word.
  - 12. The system of claim 9, 10, or 11, wherein the first digital logic means is adapted to append the encrypted text message to the message header prior to transmission.
  - 13. The system of claim 1, wherein the header identification subsystem is adapted to separate a message header from the encrypted text message and into separate scrambled label conditions.
  - 14. The system of claim 13, wherein the header identification subsystem is further adapted to separate scrambled filename/date/time information from the message header.
  - 15. The system of claim 14, wherein the header identification subsystem is further adapted to separate a code word from the message header.
  - 16. The system of claim 15, wherein:
    - A) the second digital logic means is adapted to generate scrambled editions by manipulating the editions of cryptographic information;
      
      B) the second digital logic means is adapted to recapture label conditions by manipulating the scrambled editions with scrambled label conditions;
      
      C) the second digital logic means is adapted to manipulate the scrambled label conditions and the editions of cryptographic data to generate a decryption key for allowing the decryption algorithm module to convert an encrypted text message into a plain text message.
  - 17. The system of claim 16, further comprising an organizational account number stored in the second system memory, the second digital logic means being adapted to manipulate the organizational account number with the editions of cryptographic data to generate the scrambled editions.
  - 18. The system of claim 17, wherein the second digital logic means is adapted to recapture the filename/date/time information by manipulating the scrambled filename/date/time information with one edition of cryptographic information.
  - 19. The system of claim 11, wherein the second digital logic means is adapted to manipulate the scrambled filename/date/time information with the scrambled label conditions and the editions of encryption information to generate the decryption key for allowing the decryption algorithm module to convert an encrypted text message into a plain text message.

20. A method for the secure routing of data in a communications system, comprising the following steps performed in the order given:
- A) limiting access to the communications system to an authorized sending user at a transmit port;
  
  B) retrieving and converting a plain text message to an encrypted text message according to the following substeps;
  
  1) reading a plain text message file from communications system memory;
  
  2) modulo-2 adding all possible pairings of the editions of cryptographic information and an organizational account number stored in communications system memory by digital logic means to generate scrambled editions of cryptographic information;
  
  3) modulo-2 adding the scrambled editions of cryptographic information with message access conditions to generate scrambled access conditions;
  
  4) modulo-2 adding filename/date/time information stored in communications system memory with one edition of cryptogphic information to generate scrambled filename/date/time information;
  
  5) modulo-2 adding the scrambled filename/date/time information with the scrambled access conditions and the editions of cryptographic information to generate an encryption key;
  
  6) applying the encryption key to the encryption means;
  
  7) converting the plain text message to an encrypted text message by applying the encryption means to the plain text message; and
  
  8) applying the encrypted text message to a header labeling subsystem located within the communications system;
  
  C) creating a message header which specifies message access conditions and is a key to the encryption means;
  
  D) adding the message header to the front of the encrypted text message to create the secure message;
  
  E) transmitting the secure message from the transmit port to a receive port via the communications system;
  
  F) limiting access to the communications system to an authorized receiving user at a receive port;
  
  G) stripping the message header from the secure message;
  
  H) decoding the message header to recover the message access conditions and encryption means key; and
  
  I) converting the encrypted text message to a plain text message.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28)
- - 21. The method of claim 20, wherein the step of limiting access to the communications system to an authorized sending user at a transmit port comprises the substeps of:
    - A) initializing the contents of an attempt counter located in the communications system to zero;
      
      B) having the sending user enter passphrase information into the transmit port;
      
      C) manipulating the passphrase information with BIOS information and a serial number stored in the communications system using digital logic means, in order to generate a passkey;
      
      D) comparing the passkey to a check key stored in the communications system;
      
      E) applying the passkey to a communication systems encryption means if the passkey matches the check key exactly; and
      
      F) copying a file containing editions of cryptographic information, stored in the communications system, into the encryption means.
  - 22. The method of claim 21, wherein the following steps occur if the passkey does not match the check key exactly:
    - A) incrementing the attempt counter by one;
      
      B) refusing access by the sending user to the communication system if the contents of the attempt counter equals three;
      
      C) having the sending user enter passphrase information into the transmit port;
      
      D) manipulating the passphrase information with BIOS information and a serial number stored in the communications system using digital logic means, in order to generate a passkey;
      
      E) comparing the passkey to a check key stored in the communications system;
      
      F) repeating steps B) through E) if the passkey does not exactly match the check key;
      
      G) applying the passkey to a communication systems encryption means if the passkey matches the check key exactly; and
      
      H) copying a file containing editions of cryptographic information, stored in the communications system, into the encryption means.
  - 23. The method of claim 20 wherein the step of creating a message header which specifies message access conditions comprises the substeps of:
    - A) combining the scrambled filename/date/time information with the scrambled access conditions to form the scrambled cluster/device/user/filename/date/time header; and
      
      B) appending a code word to the scrambled cluster/device/user/filename/date/time header to form the message header.
  - 24. The method of claim 20, wherein the step of limiting access to the communications system to an authorized receiving user at a receive port comprises the substeps of:
    - A) initializing the contents of an attempt counter located in the communications system to zero;
      
      B) having the receiving user enter passphrase information into the receive port;
      
      C) manipulating the passphrase information with BIOS information and a serial number stored in the communications system using digital logic means, in order to generate a passkey;
      
      D) comparing the passkey to a check key stored in the communications system;
      
      E) applying the passkey to a communications system decryption means if the passkey matches the check key exactly; and
      
      F) copying a file containing editions of cryptographic information, stored in the communications system, into the decryption means.
  - 25. The method of claim 24, wherein the following steps occur if the passkey does not match the check key exactly:
    - A) incrementing the attempt counter by one;
      
      B) refusing access by the receiving user to the communications system if the contents of the attempt counter equals three;
      
      C) having the receiving user enter passphrase information into the receive port;
      
      D) manipulating the passphrase information with BIOS information and a serial number stored in the communications system using digital logic means, in order to generate a passkey;
      
      E) comparing the passkey to a check key stored in the communications system;
      
      F) repeating steps B) through E) if the passkey does not exactly match the check key;
      
      G) applying the passkey to a communication systems decryption means if the passkey matches the check key exactly; and
      
      H) copying a file containing editions of cryptographic information, stored in the communications system, into the decryption means.
  - 26. The method of claim 20 wherein the step of stripping the message header from the secure message comprises the substeps of:
    - A) separating the message header from the encrypted data message;
      
      B) dividing the message header into the code word and the cluster/device/user/filename/date/time header; and
      
      C) dividing the cluster/device/user/filename/date/time header into the filename/date/time information and the scrambled access conditions.
  - 27. The method of claim 20 wherein the step of decoding the message header to recover the message access conditions comprises the substeps of:
    - A) manipulating the editions of cryptographic information with the organizational account number located in communications system memory to generate scrambled editions of cryptographic information; and
      
      P1 B) manipulating the scrambled editions of cryptographic information with scrambled access conditions to recapture the access conditions.
  - 28. The method of claim 27 wherein the step of converting the encrypted text message to a plain text message comprises the substeps of:
    - A) manipulating the scrambled filename/date/time information with one edition of cryptographic information to recapture the filename/date/time information;
      
      B) manipulating the scrambled access conditions with the scrambled filename/date/time information and the editions of cryptographic information to generate a decryption key;
      
      C) applying the decryption key to a communications system decryption means; and
      
      D) converting the encrypted text message to a plain text message by applying the decryption means to the encrypted text message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TecSec, Incorporated
Original Assignee
TecSec, Incorporated
Inventors
Follendore, Roy D. III
Primary Examiner(s)
CANGIALOSI, SALVATORE A

Application Number

US08/009,741
Time in Patent Office

671 Days
Field of Search

380/23, 380/25, 380/28, 380/30
US Class Current

713/155
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/606   by securing the transmissio...

G06F 2221/2107   File encryption

H04L 2209/60   Digital content management,...

H04L 63/04   for providing a confidentia...

H04L 63/083   using passwords cryptograph...

H04L 9/3226   using a predetermined code,...

H04L 9/40   Network security protocols

Secure network method and apparatus

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

317 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Secure network method and apparatus

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

317 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links