System for providing security in a network comprising computerized devices

US 7,917,631 B2
Filed: 07/11/2007
Issued: 03/29/2011
Est. Priority Date: 07/30/1996
Status: Expired due to Fees

First Claim

Patent Images

1. A security system adapted to permit ad hoc and temporary security associations to exist between portable computerized devices that may or may not have communicated previously, comprising:

a first, substantially portable computerized device having a first communications and security card received substantially therein;

a second, substantially portable computerized device having a second communications and security card received substantially therein;

first computer programs operative to run on respective ones of said first and second computerized devices to establish a temporary ad hoc security association between said first and second devices, said first computer programs each comprising a key exchange algorithm that causes said first and second devices to exchange respective cryptographic keys over a physically non-secure network and generated substantially under control of respective ones of said cards while establishing said association, said keys being substantially unique to said association;

second computer programs operative to run on respective ones of said first and second devices and adapted to encrypt data sent to the other device using at least one of said cryptographic keys; and

third computer programs operative to run on respective ones of said first and second devices and each adapted to evaluate said encrypted data sent from the other device for at least data integrity using cryptographic residues generated by both of said devices.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system useful within a network and adapted to provide communication security. In one embodiment, the network comprises an untrusted network, and the system includes network security apparatus adapted to create security associations between devices on the network, including mutual authentication. Traffic between the associated devices may be encrypted for e.g., data confidentiality and integrity protection. In one variant, the network security apparatus comprises a software entity disposed at least partly within the software stack of the devices. The associated devices may be for example fixed or portable, and may also act as a gateway to other networks (including the Internet). The portable devices may be untrusted (e.g., have an untrusted operating system).

97 Citations

View as Search Results

64 Claims

1. A security system adapted to permit ad hoc and temporary security associations to exist between portable computerized devices that may or may not have communicated previously, comprising:
- a first, substantially portable computerized device having a first communications and security card received substantially therein;
  
  a second, substantially portable computerized device having a second communications and security card received substantially therein;
  
  first computer programs operative to run on respective ones of said first and second computerized devices to establish a temporary ad hoc security association between said first and second devices, said first computer programs each comprising a key exchange algorithm that causes said first and second devices to exchange respective cryptographic keys over a physically non-secure network and generated substantially under control of respective ones of said cards while establishing said association, said keys being substantially unique to said association;
  
  second computer programs operative to run on respective ones of said first and second devices and adapted to encrypt data sent to the other device using at least one of said cryptographic keys; and
  
  third computer programs operative to run on respective ones of said first and second devices and each adapted to evaluate said encrypted data sent from the other device for at least data integrity using cryptographic residues generated by both of said devices.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein said evaluation comprises comparing a first of said residues generated by a receiving one of said devices to a second of said residues generated by a sending one of said devices.
  - 3. The system of claim 2, wherein said second of said residues is included within a message sent from said sending one of said devices, said message further comprising said encrypted data encrypted by at least one of said cryptographic keys.
  - 4. The system of claim 2, wherein said establishment of an association comprises a mutual authentication procedure, said mutual authentication based on evaluating respective ones of digital signatures uniquely associated with said devices.

5. A security system comprising:
- a network access portal;
  
  one or more portable computerized devices having a first communications and security card received substantially therein;
  
  first computer programs operative to run on respective ones of said one or more computerized devices to establish an ad hoc security association between said one or more devices and said access portal, said first computer programs each comprising a key exchange algorithm that has said respective device and said portal exchange respective cryptographic keys via an unsecure transmission, with said cryptographic keys generated substantially while establishing said association, said keys being substantially unique to said association, said establishment of said association further comprising at least authentication of said one or more devices to said portal;
  
  second computer programs operative to run on respective ones of said one or more devices and adapted to encrypt data sent to the portal using at least one of said cryptographic keys; and
  
  a third computer program operative to run on said portal and adapted to evaluate said encrypted data sent from the one or more devices for at least data integrity using cryptographic residues generated by both of said devices.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. The system of claim 5, wherein said evaluation comprises comparing a first of said residues generated by said portal to a second of said residues generated by a sending one of said devices.
  - 7. The system of claim 6, wherein said second of said residues is included within a message sent from said sending one of said devices, said message further comprising said encrypted data encrypted by at least one of said cryptographic keys.
  - 8. The system of claim 6, wherein said at least authentication of said one or more devices to said portal comprises a mutual authentication procedure between said portal and each of said one or more devices, said mutual authentication based on evaluating respective ones of digital signatures uniquely associated with said devices.
  - 9. The system of claim 5, wherein said portal comprises a trusted computing base comprising hardware and software, said base being adapted to enforce one or more security policies.
  - 10. The system of claim 9, wherein said one or more security policies comprises authentication of said one or more portable devices.
  - 11. The system of claim 10, wherein said trusted computing base comprises hardware and software disposed at a different physical location from that of said portal.
  - 12. The system of claim 11, wherein said portal comprises an untrusted operating system and physically non-secure device.
  - 13. The system of claim 12, wherein said one or more devices each comprise an untrusted operating system and a physically non-secure device.
  - 14. The system of claim 13, wherein said trusted computing base comprises at least one of:
    - (i) a trusted operating system; and
      
      (ii) physically secure hardware.
  - 15. The system of claim 11, wherein said portal is in data communication with a second network, and is configured not to pass communications from a requesting one of said one or more devices over said second network until said requesting device is properly authenticated to said portal.
  - 16. The system of claim 15, wherein said second network comprises an untrusted and at least partly physically non-secure network.
  - 17. The system of claim 15, wherein said second network comprises the Internet, and further comprises at least one website in communication with said Internet, and wherein said at least one website and said requesting device are placed in secure data communication with one another via at least said portal and said Internet.

18. A security system, comprising:
- a first computerized device comprising a first network security apparatus; and
  
  a second computerized device, remote from said first computerized device, and comprising a second network security apparatus;
  
  wherein said first network security apparatus is adapted to communicate data with said second network security apparatus resident on said second computerized device over a data network through association establishment, said association comprising a non-permanent trusted communications channel between and unique to said first network security apparatus and said second network security apparatus of said second computerized device, and where said first network security apparatus is configured to;
  
  receive a message sent from said second network security apparatus of said second computerized device;
  
  determine whether an association between said first network security apparatus and said second network security apparatus exists;
  
  execute a mutual authentication process, wherein said first network security apparatus is adapted to authenticate said second network security apparatus, and further adapted to authenticate itself to said second network security apparatus;
  
  convert at least a portion of said received message to a format utilized by said network; and
  
  transmit said message received from said second network security apparatus to a third network security apparatus when said association does exist;
  
  wherein said association between said first network security apparatus and said second network security apparatus is based at least in part on the execution of a key exchange algorithm in which said first and second computerized devices remotely exchange cryptographic keys; and
  
  wherein said first network security apparatus is adapted to dynamically generate at least one encryption key for each association, said at least one key being specific to a particular session between said first network security apparatus and said second network security apparatus, said generation not requiring either (i) intervention by a network administrator;
  
  or (ii) intervention by a user of either of said computerized devices.

19. A network security system, comprising:
- a first, substantially portable computerized device;
  
  a second, substantially fixed computerized device;
  
  a first computer program operative to run on said first computerized device and to obtain at least one network address for said first computerized device when placed in data communication with a network;
  
  a second computer program operative to run on said first computerized device and establish a non-permanent security association between said first and second devices, said second computer program comprising a key exchange algorithm that causes said first computerized device and said second device to exchange cryptographic keys over a physically non-secure network while establishing said association, said keys being substantially unique to said association; and
  
  a third computer program operative to run on said first computerized device and adapted to seal or encrypt data sent from said first device using at least one of said cryptographic keys;
  
  wherein said first device comprises a network communications interface, and a card-like structure adapted to fit at least partly within a receptacle of said first device, said card-like structure adapted to generate at least one of said cryptographic keys.
- View Dependent Claims (20)
- - 20. The system of claim 19, wherein said card-like structure further comprises a device driver having an application programming interface (API).

21. A network security system, comprising:
- a first, substantially portable computerized device comprising a first network security apparatus;
  
  a substantially fixed computerized device adapted to provide network security functions and bridging between two physically unsecure networks, said substantially fixed computerized device comprising;
  
  a software stack operative to run on said substantially fixed computerized device; and
  
  a second network security apparatus for use with said stack, said second network security apparatus adapted to communicate data with said first network security apparatus over at least one of first and second physically unsecure data networks in data communication with said fixed computerized device by establishing an association, and where said second network security apparatus is configured to;
  
  determine whether an association between said first network security apparatus and said second network security apparatus in communication with said at least one network exists;
  
  convert at least a portion of a received message to a format utilized by said at least one network;
  
  transmit at least portions of said message to said first network security apparatus when said association does exist; and
  
  establish an association with said first network security apparatus if said association does not exist by dynamically generating at least one encryption key for each association, said act of generating not requiring intervention by an external entity other then said first, substantially portable computerized device and said substantially fixed computerized device, said at least one key being specific to a particular session between said first network security apparatus and said second network security apparatus;
  
  wherein said substantially fixed computerized device provides said network security functions while being directly coupled only to unsecure networks.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 22. The system of claim 21, wherein said first portable computerized device further comprises a network protocol used to resolve an IP address from a given hardware or network address.
  - 23. The system of claim 22, wherein said given hardware or network address comprises an Ethernet address.
  - 24. The system of claim 22, wherein said given hardware or network address comprises a 48-bit address.
  - 25. The system of claim 21, wherein said substantially fixed computerized device further comprises a network protocol used to resolve a given hardware or network address from an IP address.
  - 26. The system of claim 25, wherein said given hardware or network address comprises an Ethernet address.
  - 27. The system of claim 25, wherein said given hardware or network address comprises a 48-bit address.
  - 28. The system of claim 21, wherein said first network apparatus is further adapted to authenticate at least one other device or associated network security apparatus requesting to form an association using a key-exchange algorithm.
  - 29. The system of claim 21, wherein said first and second network security apparatus are disposed substantially within said software stack above the Physical Layer thereof.
  - 30. The system of claim 29, wherein said first and second network security apparatus are disposed substantially within said software stack below the Network Layer thereof.
  - 31. The system of claim 30, wherein said first and second network security apparatus are disposed substantially within said software stack below the Transport Layer thereof.
  - 32. The system of claim 21, wherein said conversion of said at least portion of said received message to said format further comprises encrypting said at least portion using at least one key of a public/private key pair.
  - 33. The system of claim 21, wherein said association comprises a non-permanent trusted communications channel between and unique to said first network security apparatus and said second network security apparatus.
  - 34. The system of claim 21, wherein said association comprises a mutual authentication process, wherein said first network security apparatus is adapted to authenticate said second network security apparatus, and further adapted to authenticate itself to said second network security apparatus.
  - 35. The system of claim 21, wherein said act of generating not requiring intervention by said external entity comprises not requiring either:
    - (i) intervention by a network administrator;
      
      or (ii) an administration entity.
  - 36. The system of claim 21, wherein said second network security apparatus is adapted to encrypt at least portions of said message using a block cipher.
  - 37. The system of claim 21, wherein said second network security apparatus generates at least one encryption key for use in encrypting at least portions of said message, said at least one encryption key comprises at least a portion of a public/private key pair.
  - 38. The system of claim 21, wherein said second network security apparatus generates at least one encryption key for use in encrypting at least portions of said message, said at least one encryption key comprises a symmetric encryption key.
  - 39. The system of claim 21, wherein said second network security apparatus generates at least one encryption key, and said at least one encryption key provides confidentiality, integrity and authentication of user datagrams during a particular session or association between said first network security apparatus and said second network security apparatus.
  - 40. The system of claim 21, wherein said second network security apparatus comprises an encryption algorithm that is initialized at least in part using an initialization vector (IV).
  - 41. The system of claim 40, wherein said encryption algorithm is configured so that encrypting data using the same encryption key, but different IVs, will produce different ciphered output.
  - 42. The system of claim 40, wherein said second network security apparatus is adapted to generate a new IV for each encryption event.
  - 43. The system of claim 21, wherein said second network security apparatus, as part of establishing said association, generates random data that is transmitted to said first network security apparatus.
  - 44. The system of claim 21, wherein said second network security apparatus further comprises a cryptographic element exchange algorithm adapted to generate and transmit random data to said first network security apparatus.
  - 45. The system of claim 44, wherein said transmission of said random data is associated with a procedure that permits both said first network security apparatus and said second network security apparatus to possess encryption keys that permit the two apparatus to decrypt encrypted data sent by the other.
  - 46. The system of claim 21, wherein said association is established at least in part based on an authentication of said second network security apparatus by said first network security apparatus that does not require access to a physically secure storage device.

47. A security system comprising:
- a network access portal having a first communications and network security apparatus disposed therein;
  
  one or more portable computerized devices having respective second communications and network security apparatus disposed therein;
  
  first computer programs operative to run on respective ones of said one or more portable computerized devices to establish a security association between said one or more devices and said network access portal, said first computer programs each comprising a key information exchange algorithm that has said respective device and said portal dynamically generate respective cryptographic keys via information exchanged over an unsecure transmission, with said cryptographic keys generated substantially while establishing said association and said keys being substantially unique to said association, said establishment of said association further comprising at least authentication of said one or more devices to said portal;
  
  second computer programs operative to run on respective ones of said one or more devices to encrypt data sent to the network access portal using at least one of said cryptographic keys; and
  
  a third computer program operative to run on respective ones of said one or more devices to evaluate encrypted data received from the network access portal for at least data integrity using integrity information that accompanies the encrypted data received from the network access portal;
  
  wherein said network access portal and said one or more portable computerized devices are capable of providing said network security functions while being directly coupled only to unsecure networks.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55)
- - 48. The system of claim 47, wherein said evaluation comprises comparing a first of said residues generated by said network access portal to a second of said residues generated by a receiving one of said devices.
  - 49. The system of claim 47, wherein said at least authentication of said one or more devices to said portal comprises a mutual authentication procedure between said portal and each of said one or more devices, said mutual authentication based at least in part on evaluating respective ones of digital signatures uniquely associated with said devices.
  - 50. The system of claim 47, wherein said portal comprises a trusted computing base comprising hardware and software, said base being adapted to enforce one or more security policies.
  - 51. The system of claim 50, wherein said portal comprises an untrusted operating system and physically non-secure device.
  - 52. The system of claim 51, wherein said one or more devices each comprise an untrusted operating system and a physically non-secure device.
  - 53. The system of claim 47, wherein said portal is in data communication with a second network, and is configured not to pass communications from a requesting one of said one or more devices over said second network until said requesting device is properly authenticated to said portal.
  - 54. The system of claim 53, wherein said second network comprises an untrusted and at least partly physically non-secure network.
  - 55. The system of claim 54, wherein said second network comprises the Internet, and further comprises at least one website in communication with said Internet, and wherein said at least one website and said requesting device are placed in secure data communication with one another via at least said portal and said Internet.

56. A security system comprising:
- a network access apparatus having a first communications apparatus and a first network security apparatus disposed therein;
  
  a portable computerized device having respective second communications and network security apparatus disposed therein;
  
  a first computer program operative to run on said portable computerized device to establish a security association between said device and said network access apparatus, said first computer program comprising an information exchange algorithm that enables said portable computerized device and said network access apparatus to dynamically generate respective cryptographic keys via information exchanged between them, with said cryptographic keys generated substantially pursuant to establishing said association, said keys being substantially unique to said association, said establishment of said association further comprising at least authentication of said portable computerized device to said network access apparatus;
  
  a second computer program operative to run on said portable computerized device to encrypt data sent to the network access apparatus using at least one of said cryptographic keys; and
  
  a third computer program operative to run on said portable computerized device to evaluate encrypted data received from the network access apparatus for at least data integrity using integrity information that accompanies the encrypted data received from the network access apparatus;
  
  wherein said network access apparatus and said portable computerized device are capable of providing said network security functions while being directly coupled to unsecure networks.
- View Dependent Claims (57, 58, 59, 60, 61, 62, 63, 64)
- - 57. The system of claim 56, wherein said evaluation comprises comparing a first of said residues generated by said network access apparatus to a second of said residues generated by said portable computerized device.
  - 58. The system of claim 56, wherein said at least authentication of said device to said network access apparatus comprises a mutual authentication procedure between said access apparatus and said device, said mutual authentication based at least in part on evaluating respective ones of digital signatures uniquely associated with said portable computerized device.
  - 59. The system of claim 56, wherein said network access apparatus comprises a trusted computing base comprising hardware and software, said base being adapted to enforce one or more security policies.
  - 60. The system of claim 56, wherein said network access apparatus comprises an untrusted operating system and physically non-secure hardware.
  - 61. The system of claim 60, wherein said portable computerized device comprises an untrusted operating system and a physically non-secure device.
  - 62. The system of claim 56, wherein said network access apparatus is in data communication with a second network, and is configured not to pass communications from said portable device over said second network until said portable device is properly authenticated to said network access apparatus.
  - 63. The system of claim 62, wherein said second network comprises an untrusted and at least partly physically non-secure network.
  - 64. The system of claim 63, wherein said second network comprises the Internet, and further comprises at least one website in communication with said Internet, and wherein said at least one website and said portable device are placed in secure data communication with one another via at least said network access apparatus and said Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Round Rock Research LLC
Original Assignee
Round Rock Research LLC
Inventors
Holden, James M, Levin, Stephen E, Nickel, James O, Wrench, Edwin H
Primary Examiner(s)
VU, VIET DUY

Application Number

US11/776,424
Publication Number

US 20080016344A1
Time in Patent Office

1,357 Days
Field of Search

709/217, 709/219, 709/227, 709/228, 709/237, 709/250
US Class Current

709/227
CPC Class Codes

G06F 21/31   User authentication

G06F 21/606   by securing the transmissio...

G06F 21/85   interconnection devices, e....

G06F 2211/001   In-Line Device

G06F 2211/005   Network, LAN, Remote Access...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2211/009   Trust

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/02   for separating internal fro...

H04L 63/0218   Distributed architectures, ...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0869   for achieving mutual authen...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

H04L 63/126   the source of the received ...

H04L 63/14 : for detecting or protecting...

H04L 67/141 : Setup of application sessio...

H04L 67/563 : Data redirection of data ne...

H04L 9/3247 : involving digital signatures

H04L 9/3268 : using certificate validatio...

H04L 9/3273 : for mutual authentication n...

H04L 9/40 : Network security protocols

H04W 12/069 : using certificates or pre-s...

View All

System for providing security in a network comprising computerized devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

64 Claims

Specification

Solutions

Use Cases

Quick Links

System for providing security in a network comprising computerized devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

64 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links