Decoupling access control from key management in a network
First Claim
1. A distributed system comprising a network with a plurality of channels having nodes on devices, the system further comprising:
- an access control program that authenticates a new node and performs admission control for all of the nodes on the network;
- for each of the plurality of channels, a key management program unique to the channel that implements a key management policy for maintaining keys used by the nodes on the channel for communicating in a secure manner, each key management program being decoupled from the access control program; and
- processors for running the access control program and the plurality of key management programs.
Abstract
Methods and systems consistent with the present invention provide a Supernet, a private network constructed out of components from a public-network infrastructure. Supernet nodes can be located on virtually any device in the public network (e.g., the Internet), and both their communication and utilization of resources occur in a secure manner. As a result, the users of a Supernet benefit from their network infrastructure being maintained for them as part of the public-network infrastructure, while the level of security they receive is similar to that of a private network. The Supernet has an access control component and a key management component which are decoupled. The access control component implements an access control policy that determines which users are authorized to use the network, and the key management component implements the network's key management policies, which indicate when keys are generated and what encryption algorithm is used. Both access control and key management are separately configurable. Thus, the Supernet provides great flexibility by allowing different key management policies to be used with the same access control component.
Claims (19)

1. A distributed system comprising a network with a plurality of channels having nodes on devices, the system further comprising:
- an access control program that authenticates a new node and performs admission control for all of the nodes on the network;
- for each of the plurality of channels, a key management program unique to the channel that implements a key management policy for maintaining keys used by the nodes on the channel for communicating in a secure manner, each key management program being decoupled from the access control program; and
- processors for running the access control program and the plurality of key management programs.
Dependent claims: 2, 3, 4, 5, 6.

7. A method in a data processing system connected to a network with a plurality of channels having nodes, the data processing system having an access control program, a unique key management program for each of the plurality of channels, and a new node, the method comprising the steps of:
- under the control of the new node, sending a request to the access control program for the new node to join the network, the sending initiated by a user;
- under the control of the access control program, receiving the request for the new node to join the network; authenticating the new node; accessing an admission policy for the user, the admission policy indicating admission criteria; determining whether the user satisfies the admission criteria; and when the new node has been authenticated successfully and the user satisfies the admission criteria, sending an indication to the key management program for a channel corresponding to the new node that the new node has joined the network;
- under the control of the key management program for the channel corresponding to the new node, receiving the indication; accessing a predefined key management policy for the channel corresponding to the new node; generating a key for use in communicating in a secure manner over the channel in accordance with the predefined key management policy; and sending the key to the new node; and
- under the control of the new node, receiving the key from the key management program for the channel corresponding to the new node; and sending a communication to the nodes over the channel corresponding to the new node in a secure manner using the key.
Dependent claims: 8, 9, 10, 11.
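As an added illustration of the join procedure in claim 7 (a constructed example, not code from the patent or from any implementation of it): a Python model in which one access control program authenticates and admits nodes for the whole network, and each channel has its own key management program applying its own key policy. The enrolment-secret credentials, the channel names, the KeyPolicy fields, the admission policy shape (user to set of channels) and the HMAC-SHA256 encrypt-then-MAC channel traffic are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption: each node is provisioned out of band with an HMAC credential derived
# from an enrolment secret that only the access control program holds.
ENROLMENT_SECRET = b"constructed-enrolment-secret"

def node_credential(node_id: str) -> bytes:
    return hmac.new(ENROLMENT_SECRET, node_id.encode(), hashlib.sha256).digest()

@dataclass
class Node:
    node_id: str
    user: str
    channel: str
    credential: bytes
    key: Optional[bytes] = None  # set only by the channel's key management program

@dataclass
class KeyPolicy:  # per-channel key management policy (assumed fields)
    key_len: int
    rotate_every: int  # rekey the whole channel after this many joins

class KeyManagementProgram:
    """Maintains one channel's key; never sees credentials or admission rules."""
    def __init__(self, policy: KeyPolicy) -> None:
        self.policy = policy
        self.members: List[Node] = []
        self.current_key: Optional[bytes] = None
        self.joins_since_rotation = self.generations = 0

    def node_joined(self, node: Node) -> None:
        """The indication from access control that an admitted node has joined."""
        self.members.append(node)
        self.joins_since_rotation += 1
        if self.current_key is None or self.joins_since_rotation >= self.policy.rotate_every:
            self.current_key = secrets.token_bytes(self.policy.key_len)
            self.generations += 1
            self.joins_since_rotation = 0
            for member in self.members:  # a fresh key is distributed to every member
                member.key = self.current_key
        else:
            node.key = self.current_key  # hand the new node the current channel key

class AccessControlProgram:
    """Authenticates and admits nodes for the whole network, then hands off."""
    def __init__(self, key_managers: Dict[str, KeyManagementProgram],
                 admission_policy: Dict[str, Set[str]]) -> None:
        self.key_managers = key_managers
        self.admission_policy = admission_policy  # user -> channels the user may join
        self.audit: List[str] = []

    def join(self, node: Node) -> bool:
        if not hmac.compare_digest(node_credential(node.node_id), node.credential):
            self.audit.append(f"{node.node_id}: denied, authentication failed")
            return False
        if node.channel not in self.admission_policy.get(node.user, set()):
            self.audit.append(f"{node.node_id}: denied, {node.user} not admitted to {node.channel}")
            return False
        self.key_managers[node.channel].node_joined(node)  # the only coupling point
        self.audit.append(f"{node.node_id}: joined {node.channel}")
        return True

# Channel traffic: encrypt-then-MAC with an HMAC-SHA256 keystream and separate subkeys.
def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(_prf(_prf(key, b"enc"), nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ s for d, s in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key: bytes, sealed: bytes) -> bytes:
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(_prf(_prf(key, b"mac"), nonce + ct), tag):
        raise ValueError("not authenticated under this channel key")
    return _xor_stream(key, nonce, ct)

def demo() -> dict:
    """Two channels with different key policies behind one access control program."""
    kms = {"finance": KeyManagementProgram(KeyPolicy(key_len=32, rotate_every=1)),
           "guest": KeyManagementProgram(KeyPolicy(key_len=16, rotate_every=100))}
    acp = AccessControlProgram(kms, {"alice": {"finance", "guest"}, "bob": {"guest"}})
    a1 = Node("a1", "alice", "finance", node_credential("a1"))
    a2 = Node("a2", "alice", "finance", node_credential("a2"))
    b1 = Node("b1", "bob", "guest", node_credential("b1"))
    b2 = Node("b2", "bob", "finance", node_credential("b2"))   # authentic, not admitted
    m1 = Node("m1", "alice", "guest", secrets.token_bytes(32))  # forged credential
    joins = {n.node_id: acp.join(n) for n in (a1, a2, b1, b2, m1)}
    msg = seal(a1.key, b"quarterly numbers")
    try:
        unseal(b1.key, msg)  # a guest-channel key must not open finance traffic
        cross_channel_rejected = False
    except ValueError:
        cross_channel_rejected = True
    return {"joins": joins,
            "finance_generations": kms["finance"].generations,
            "guest_generations": kms["guest"].generations,
            "finance_nodes_share_key": a1.key == a2.key and len(a1.key) == 32,
            "guest_key_len": len(b1.key),
            "denied_nodes_have_no_key": b2.key is None and m1.key is None,
            "roundtrip": unseal(a2.key, msg),
            "cross_channel_rejected": cross_channel_rejected,
            "audit": acp.audit}
```

The one interface between the two components is the join indication, so the finance channel can rekey its whole membership on every join while the guest channel keeps a long-lived key, with no change to how nodes are authenticated or admitted. A node that fails authentication or the admission criteria never reaches a key management program and so never holds a key; the audit list is where a deployment would attach its logging of those decisions.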
12. A method in a data processing system for providing security in a network with a plurality of channels having nodes, the network having an access control program and each of the plurality of channels having a unique key management program, the method comprising the steps of:
- receiving by the access control program a request from a new node to join the network;
- authenticating the new node by the access control program;
- generating a key by a key management program for a channel corresponding to the new node in accordance with a key management policy of the channel and sending the key to the new node upon successful authentication of the new node, the key for use by the new node in communicating with the nodes on the channel in a secure manner, the key management program being decoupled from the access control program.
Dependent claims: 13, 14, 15.

16. A computer-readable medium containing instructions for controlling a data processing system to perform a method, the method for providing security in a network with a plurality of channels having nodes, the network having an access control program and each of the plurality of channels having a unique key management program, the method comprising the steps of:
- receiving by the access control program a request from a new node to join the network;
- authenticating the new node by the access control program; and
- generating a key by a key management program unique to the channel corresponding to the new node in accordance with a key management policy of the channel and sending the key to the new node upon successful authentication of the new node, the key for use by the new node in communicating with the nodes on the channel in a secure manner, the key management program unique to the channel corresponding to the new node being decoupled from the access control program.
Dependent claims: 17, 18.

19. A data processing system for providing security to a network with a plurality of channels having nodes, the network having an access control program and each of the plurality of channels having a key management program, the data processing system comprising:
- means for receiving a request by the access control program from a new node to join the network;
- means for authenticating the new node by the access control program; and
- means for generating a key by a key management program for a channel corresponding to the new node in accordance with a key management policy of the channel and sending the key to the new node upon successful authentication of the new node, the key for use by the new node in communicating with the nodes in the channel in a secure manner, the key management program being decoupled from the access control program.