Method of negotiating security parameters and authenticating users interconnected to a network

US 8,275,989 B2
Filed: 07/09/2009
Issued: 09/25/2012
Est. Priority Date: 11/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, comprising:

initiating a first main mode negotiation at the first network device by sending a first main mode message with a first set of proposed security parameters;

determining, at the first network device, that the first main mode negotiation is unsuccessful, wherein the determination is based at least in part on a first response message received from the second network device;

in response to receiving the first response message, initiating a second main mode negotiation, at the first network device, by sending a second main mode message with a second set of proposed security parameters; and

receiving a second response message comprising at least part of a response to the second main mode message and at least part of a quick mode negotiation, wherein the second response message includes a main mode pseudo random number and a separate quick mode pseudo random number.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.

63 Citations

19 Claims

1. A method for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, comprising:
- initiating a first main mode negotiation at the first network device by sending a first main mode message with a first set of proposed security parameters;
  
  determining, at the first network device, that the first main mode negotiation is unsuccessful, wherein the determination is based at least in part on a first response message received from the second network device;
  
  in response to receiving the first response message, initiating a second main mode negotiation, at the first network device, by sending a second main mode message with a second set of proposed security parameters; and
  
  receiving a second response message comprising at least part of a response to the second main mode message and at least part of a quick mode negotiation, wherein the second response message includes a main mode pseudo random number and a separate quick mode pseudo random number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the unsuccessful first main mode negotiation results from the first set of proposed security parameters failing to conform to a security policy of the second network device and wherein the second set of proposed security parameters conform to the security policy of the second network device.
  - 3. The method of claim 1, wherein the unsuccessful first main mode negotiation results from a first certificate sent from the second network device to the first network device, wherein the first certificate is invalid, the second main mode negotiation further comprising:
    - sending a certificate request from the first network device to the second network device that includes an identification payload requesting a second certificate from the responder such that the second certificate is distinct from the first certificate.
  - 4. The method of claim 1, further comprising before initiating the first main mode negotiation, receiving a packet at the first network device for the second device and determining whether the packet must be sent securely to the second network device.
  - 5. The method of claim 4, wherein the packet must complies with an encapsulating security protocol (ESP).
  - 6. The method of claim 4, wherein the packet must complies with an authentication header (AH) protocol.
  - 7. The method of claim 4, wherein if the packet a standard IP packet.
  - 8. The method of claim 7, further comprising determining if the second network device initiates a main mode negotiation.
  - 9. The method of claim 8, wherein if the second network device initiates a security policy, the first network device initiates a main mode negotiation according to the security policy initiated by the second network device.

10. A computer storage medium not consisting of a propagated signal for executing computer-readable instructions for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, comprising:
- initiating a first main mode negotiation at the first network device by sending a first main mode message with a first set of proposed security parameters;
  
  determining, at the first network device, that the first main mode negotiation is unsuccessful, wherein the determination is based at least in part on a first response message received from the second network device;
  
  in response to receiving the first response message, initiating a second main mode negotiation at the first network device by sending a second main mode message with a second set of proposed security parameters; and
  
  receiving a second response message comprising at least part of the second main mode negotiation and at least part of a quick mode negotiation, wherein the second response message comprises a main mode pseudo random number and a separate quick mode pseudo random number.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer storage medium of claim 10, wherein the unsuccessful first main mode negotiation results from the first set of security parameters failing to conform to a security policy of the second network device and wherein the second set of proposed security parameters conform to the security policy of the second network device.
  - 12. The computer storage medium of claim 10, wherein the unsuccessful first main mode negotiation results from a first certificate sent from the second network device to the first network device, wherein the first certificate is invalid, the second main mode negotiation further comprising:
    - sending a certificate request from the first network device to the second network device that includes an identification payload requesting a second certificate from the responder such that the second certificate is distinct from the first certificate.
  - 13. The computer storage medium of claim 10, further comprising before initiating the first main mode negotiation, receiving a packet at the first network device for the second device and determining whether the packet must be sent securely to the second network device.
  - 14. The computer storage medium of claim 13, wherein the packet complies with an encapsulating security protocol (ESP).
  - 15. The computer storage medium of claim 13, wherein the packet complies with an authentication header (AH) protocol.
  - 16. The computer storage medium of claim 13, wherein if the packet is a standard Internet Protocol (IP) packet.
  - 17. The computer storage medium of claim 13, further comprising determining if the second network device initiates a main mode negotiation.
  - 18. The computer storage medium of claim 17, wherein if the second network device initiates a security policy, the first network device initiates a main mode negotiation according to the security policy initiated by the second network device.

19. A system for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, the system comprising:
- one or more processing units;
  
  a memory coupled with and readable by the one or more processing units, the memory containing a series of instructions that, when executed by the one or more processing units, cause the one or more processing units to perform a method of executing a security policy comprising the steps of;
  
  receiving a packet;
  
  determining if the packet must be sent securely;
  
  if the packet must be sent securely, initiating a security policy, wherein initiating a security policy comprises;
  
  initiating a first main mode negotiation at a first network device by sending a first main mode message with a first set of proposed security parameters;
  
  determining, at the first network device, that the first main mode negotiation is unsuccessful, wherein the determination is based at least in part on a response message received from the second network device;
  
  in response to receiving the first response message, initiating a second main mode negotiation at the first network device by sending a second main mode message with a second set of proposed security parameters;
  
  receiving a second response message in response to the second main mode message, wherein the second response message comprises at least part of a quick mode negotiation for deriving a set of keys.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Huitema, Christian, Mayfield, Paul G., Swander, Brian D., Bitan, Sara, Simon, Daniel R.
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
Paliwal, Yogesh

Application Number

US12/500,381
Publication Number

US 20090276828A1
Time in Patent Office

1,174 Days
Field of Search

713/171
US Class Current

713/171
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/0844   with user authentication or...

Method of negotiating security parameters and authenticating users interconnected to a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method of negotiating security parameters and authenticating users interconnected to a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links