Method of negotiating security parameters and authenticating users interconnected to a network

US 7,574,603 B2
Filed: 11/14/2003
Issued: 08/11/2009
Est. Priority Date: 11/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method for negotiating a set of security parameters usable by an initiator and a responder to create a secure path over a network for exchanging information, the method including a plurality of modes, comprising:

conducting an internet key management and exchange protocol (TKE) main mode negotiation for establishing the secure path and selecting the set of security parameters including a security protocol;

conducting an internet key management and exchange protocol (IKE) quick mode negotiation for deriving a set of keys usable with the security protocol;

wherein a message is exchanged between the responder and the initiator before the completion of the IKE main mode negotiation, the message comprising at least part of the IKE quick mode negotiation, and the message including both a main mode pseudo random number and a separate quick mode pseudo random number; and

wherein a protocol security process establishes inbound and outbound protocol security associations.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.

42 Citations

View as Search Results

16 Claims

1. A method for negotiating a set of security parameters usable by an initiator and a responder to create a secure path over a network for exchanging information, the method including a plurality of modes, comprising:
- conducting an internet key management and exchange protocol (TKE) main mode negotiation for establishing the secure path and selecting the set of security parameters including a security protocol;
  
  conducting an internet key management and exchange protocol (IKE) quick mode negotiation for deriving a set of keys usable with the security protocol;
  
  wherein a message is exchanged between the responder and the initiator before the completion of the IKE main mode negotiation, the message comprising at least part of the IKE quick mode negotiation, and the message including both a main mode pseudo random number and a separate quick mode pseudo random number; and
  
  wherein a protocol security process establishes inbound and outbound protocol security associations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - conducting a first user mode for authenticating a first user associated with the initiator or responder.
  - 3. The method of claim 2, wherein the initiator and the responder exchange authentication data that is calculated by application of a hash function incorporating a secret key on data exchanged during the IKE main mode negotiation.
  - 4. The method of claim 2, further comprising:
    - conducting a second user mode for authenticating a second user associated with the initiator or the responder.
  - 5. The method of claim 1, wherein the IKE main mode comprises:
    - sending, from the initiator to the responder, a set of proposed security parameters and authentication data;
      
      selecting, by the responder, the set of security parameters from the set of proposed security parameters;
      
      sending the set of security parameters from the responder to the initiator.
  - 6. The method of claim 1, wherein the initiator identifies a public key of the responder prior to the IKE main mode negotiation and wherein at least a portion a first message sent from the initiator to the responder is encrypted using the public key.
  - 7. The method of claim 1, wherein the IKE main mode negotiation comprises:
    - sending a group advertisement from the initiator to the responder;
      
      comparing the group advertisement to a set of authorized groups; and
      
      sending a response from the responder to the initiator.
  - 8. The method of claim 1, further comprising:
    - exchanging Diffie Hellman key data between the initiator and the responder during IKE main mode for deriving keys for use with an encryption algorithm.
  - 9. The method of claim 1, further comprising:
    - exchanging a pair of notify payloads between the initiator and the responder;
      
      wherein the pair of notify payloads are used by the protocol security process for establishing the protocol security associations.

10. A computer storage medium encoding computer-readable instructions for negotiating a set of security parameters usable by an initiator and a responder to create a secure path over a network for exchanging information, the method including a plurality of modes, comprising:
- conducting an internet key management and exchange protocol (11(E) main mode negotiation for establishing the secure path and selecting the set of security parameters including a security protocol;
  
  conducting an internet key management and exchange protocol (IKE) quick mode negotiation for deriving a set of keys usable with the security protocol;
  
  wherein a message is exchanged between the responder and the initiator before completion of the IKE main mode negotiation, the message comprising at least part of the IKE quick mode negotiation, and the message including both a main mode pseudo random number and a separate quick mode pseudo random number; and
  
  wherein a protocol security process establishes protocol security associations.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer storage medium of claim 10, further comprising:
    - conducting a user mode for authenticating one or more users associated with the initiator or the responder.
  - 12. The computer storage medium of claim 11, wherein the initiator and the responder exchange authentication data that is calculated by application of a hash function incorporating a secret key on data exchanged during the IKE main mode negotiation.
  - 13. The computer storage medium of claim 10, wherein the initiator identifies a public key of the responder prior to the IKE main mode negotiation and wherein at least a portion a first message sent from the initiator to the responder is encrypted using the public key.
  - 14. The computer storage medium of claim 10, wherein the IKE main mode comprises:
    - sending a group advertisement from the initiator to the responder;
      
      comparing the group advertisement to a set of authorized groups; and
      
      sending a response from the responder to the initiator.

15. A method for negotiating a set of security parameters usable by an initiator and a responder to create a secure path over a network for exchanging information, the method comprising:
- sending, from the initiator, a first message, wherein the first message comprises part of an internet key management and exchange protocol (IKE) main mode negotiation and the IKE main mode negotiation comprises establishing the secure path and selecting a set of security parameters including a security protocol;
  
  receiving, at the initiator, a second message, wherein the second message comprises at least part of the IKE main mode negotiation and at least part of an internet key management and exchange protocol (IKE) quick mode negotiation and the IKE quick mode negotiation comprises deriving a set of keys usable with the security protocol and wherein the second message includes both a main mode pseudo random number and a separate quick mode pseudo random number;
  
  sending, from the initiator, a third message after receiving the second message, wherein the third message comprises at least part of the IKE main mode negotiation; and
  
  wherein a protocol security process establishes inbound and outbound protocol security associations at the initiator.

16. A method for negotiating a set of security parameters usable by an initiator and a responder to create a secure path over a network for exchanging information, the method comprising:
- receiving, at the responder, a first message, wherein the first message comprises at least part of an internet key management and exchange protocol (IKE) main mode negotiation and the IKE main mode negotiation comprises establishing the secure path and selecting a set of security parameters including a security protocol;
  
  sending, from the responder, a second message, wherein the second message comprises at least part of the IKE main mode negotiation and at least part of an internet key management and exchange protocol (IKE) quick mode negotiation and wherein the IKE quick mode negotiation comprises deriving a set of keys usable with the security protocol and wherein the second message includes both a main mode pseudo random number and a separate quick mode pseudo random number; and
  
  wherein a protocol security process establishes inbound and outbound protocol security associations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bitan, Sara, Huitema, Christian, Simon, Daniel R., Swander, Brian D., Mayfield, Paul G.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Paliwal; Yogesh

Application Number

US10/713,980
Publication Number

US 20050108531A1
Time in Patent Office

2,097 Days
Field of Search

713/166, 713/171
US Class Current

713/171
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/0844   with user authentication or...

Method of negotiating security parameters and authenticating users interconnected to a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method of negotiating security parameters and authenticating users interconnected to a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links