Security system for a data communications network

US 7,302,487 B2
Filed: 03/22/2002
Issued: 11/27/2007
Est. Priority Date: 03/22/2001
Status: Active Grant

First Claim

Patent Images

1. Method for setting up a secured communications network, which network comprises at least two security nodes connected to a packet data network, comprising at least the steps ofproducing configuration information for the security nodes,encrypting at least a part of configuration information,digitally signing said at least a part of configuration information,storing said encrypted and digitally signed configuration information in a memory means accessible to a distribution entityinserting a part of configuration information corresponding to at least one of said at least two security nodes into a certain hardware token,storing a public and secret key pair in the hardware token for use in authenticating the security nodes and for decryption of configuration information,storing a certificate in the hardware token for authenticating a management entity and checking of a digital signature of the configuration data,reading of configuration information from said certain hardware token by said at least one security node,obtaining the rest of produced configuration information for said at least one security node by said at least one security node on the basis of data read from said certain hardware token,setting of communication parameters within said at least one security node on the basis of said obtained configuration information.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is presented for setting up communication parameters in a virtual private network node for connecting to at least one other node in the virtual private network. The method may include reading information from a hardware token for determining how to connect to a packet data network; reading information from the hardware token for determining how to obtain configuration information for the virtual private network node; connecting to a packet data network on the basis of information read from the hardware token; obtaining configuration information for the virtual private network node on the basis of information read from the hardware token; and using obtained configuration information for setting up the communication parameters.

157 Citations

18 Claims

1. Method for setting up a secured communications network, which network comprises at least two security nodes connected to a packet data network, comprising at least the steps ofproducing configuration information for the security nodes,encrypting at least a part of configuration information,digitally signing said at least a part of configuration information,storing said encrypted and digitally signed configuration information in a memory means accessible to a distribution entityinserting a part of configuration information corresponding to at least one of said at least two security nodes into a certain hardware token,storing a public and secret key pair in the hardware token for use in authenticating the security nodes and for decryption of configuration information,storing a certificate in the hardware token for authenticating a management entity and checking of a digital signature of the configuration data,reading of configuration information from said certain hardware token by said at least one security node,obtaining the rest of produced configuration information for said at least one security node by said at least one security node on the basis of data read from said certain hardware token,setting of communication parameters within said at least one security node on the basis of said obtained configuration information.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method according to claim 1 further comprising the steps ofreading a network address from said certain hardware token by said at least one security node, andreading a first security item from said certain hardware token by said at least one security node;
    - wherein said step of obtaining the rest of produced configuration information further includes;
      
      making a connection to said network address by said at least one security node,verifying the identity of the computer node responding to said connection to said network address on the basis of said first security item, andconfirming the identity of said at least one security node to said computer node on the basis of a second security item stored in said certain hardware token.
  - 3. A method according to claim 1 further comprising the steps ofreading a network address from said certain hardware token by said at least one security node, andreading a security item from said certain hardware token by said at least one security node;
    - wherein said step of obtaining the rest of produced configuration information further includes;
      
      making a connection to said network address by said at least one security node,obtaining a set of information from a computer node responding to said connection to said network address, andverifying the authenticity of said set of information on the basis of said security item.
  - 4. A method according to claim 3 further comprising the step of decrypting said obtained set of information by said at least one security node on the basis of a security item stored in the hardware token for obtaining the rest of configuration information for said at least one security node.
  - 5. A method according to claim 1 further comprising the step of encrypting at least a part of configuration information corresponding to said at least one security node on the basis of a public key corresponding to a secret key caused to be stored in said certain hardware token corresponding to said at least one security node.
  - 6. A method according to claim 1 further comprising the step of encrypting at least a part of configuration information corresponding to said at least one security node on the basis of a shared secret stored in said certain hardware token corresponding to said at least one security node.
  - 7. A method according to claim 1 further comprising the step of digitally signing said at least part of configuration information.

8. Method for producing and distributing configuration data for a virtual private network, which network comprises at least two security nodes connected to a packet data network, comprising at least the steps ofproducing configuration information for the security nodes;
- and for each security node for which configuration information was produced,storing a part of said produced configuration information of the security node in a hardware token corresponding to the security node,encrypting at least a part of configuration information corresponding to the security node,storing a public and secret key pair in the hardware token for use in authenticating the security node and for decrypting of configuration information,storing a certificate in the hardware token for authenticating a management entity and checking of the digital signature of configuration data.digitally signing said at least a part of configuration information, andstoring said encrypted and digitally signed configuration information in a memory means accessible to a distribution entity.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. A method according to claim 8 further comprising the steps ofreading information from a hardware token for determining how to connect to a packet data network,reading information from the hardware token for determining how to obtain configuration information for the virtual private network node,connecting to a packet data network on the basis of information read from the hardware token,obtaining configuration information for the virtual private network node on the basis of information read from the hardware token,using obtained configuration information for setting up the communication parameters.
  - 10. Method according to claim 9 wherein said information for determining how to connect to a packet data network comprises IP address, network mask, and default gateway information for the virtual private network node.
  - 11. Method according to claim 9 wherein said information for determining how to connect to a packet data network comprises an indication that the virtual private network node shall obtain an IP address and basic routing information dynamically.
  - 12. Method according to claim 9 wherein said information for determining how to obtain configuration information for the virtual private network node comprises a network address from which to obtain the configuration information.
  - 13. Method according to claim 9 wherein said information for determining how to obtain configuration information for the virtual private network node comprises an URL from which to obtain the configuration information.
  - 14. Method according to claim 9 wherein said information for determining how to obtain configuration information for the virtual private network node comprises an indication of a service from where to request further network address and/or URL information for obtaining the configuration information.
  - 15. Method according to claim 9 wherein said information for determining how to obtain configuration information for the virtual private network node comprises an identifier with which to obtain further network address and/or URL information for obtaining the configuration information.
  - 16. Method according to claim 9 further comprising at least the steps ofmaking a connection to a network address by a certain security node,obtaining a set of information from the computer node responding to said connection to said network address,reading a first security item from said hardware token,verifying the authenticity of said set of information on the basis of said first security item, and decrypting said obtained set of information on the basis of a second security item stored in the hardware token.

17. A system for managing configuration information of a secure communications network, said secure communications network having a plurality of security nodes connected to a packet data network, comprising at leasta first computer node,a configuration management entity in said first computer node,a second computer node,a distribution entity in said second computer node,a memory means accessible by said distribution entity,connected to said first computer node, means for inserting information in a hardware token,computer software code means for generating configuration information,computer software code means for encrypting a set of configuration information,computer software code means for digitally signing a set of configuration information,computer software code means for causing a set of encrypted and digitally signed configuration information to be stored in said memory means,computer software code means for causing a public and secret key pair to be stored in the hardware token for use in authenticating the security node and for decrypting of configuration information,computer software code means for causing a certificate to be stored in the hardware token for authenticating a management entity and checking of the digital signature of configuration data, andcomputer software code means in said distribution entity for receiving a request for configuration information from a security node and for transmitting a set of configuration information as a response to receiving a request for configuration information.
- View Dependent Claims (18)
- - 18. The system of claim 17 further comprising a security device for a secured communications network which security device has at least two network interfaces, a memory module and a processor, comprising at least:
    - a hardware token reader for connecting to a hardware token and for reading information from a hardware token,computer software code means for reading information from a hardware token,computer software code means for transmitting a request of configuration information to a network address,computer software code means for receiving a set of configuration information,computer software code means for decrypting a received set of configuration information,computer software code means for verifying authenticity of a received set of configuration information on the basis of the public and secret key pair and the certificate obtained from a hardware token, andcomputer software code means for setting of communication parameters on the basis of a received set of configuration information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rambus Inc.
Original Assignee
SafeNet Incorporated (Thales SA)
Inventors
Ylonen, Tatu, Kivinen, Tero, Teiste, Marko
Primary Examiner(s)
Dalencourt; Yves

Application Number

US10/104,790
Publication Number

US 20020191548A1
Time in Patent Office

2,076 Days
Field of Search

709/229, 713/153, 713/201
US Class Current

709/229
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

Security system for a data communications network

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

157 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Security system for a data communications network

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others