Method of negotiating security parameters and authenticating users interconnected to a network
Abstract
A method for authenticating and negotiating security parameters among two or more network devices is disclosed. The method has a plurality of modes including a plurality of messages exchanged between the two or more network devices. In a main mode, the two or more network devices establish a secure channel and select security parameters to be used during a quick mode and a user mode. In the quick mode, the two or more computers derive a set of keys to secure data sent according to a security protocol. The optional user mode provides a means of authenticating one or more users associated with the two or more network devices. A portion of the quick mode is conducted during the main mode thereby minimizing the plurality of messages that need to be exchanged between the initiator and the responder.
63 Citations
19 Claims
1. A method for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, comprising:
- initiating a first main mode negotiation at the first network device by sending a first main mode message with a first set of proposed security parameters;
- determining, at the first network device, that the first main mode negotiation is unsuccessful, wherein the determination is based at least in part on a first response message received from the second network device;
- in response to receiving the first response message, initiating a second main mode negotiation, at the first network device, by sending a second main mode message with a second set of proposed security parameters; and
- receiving a second response message comprising at least part of a response to the second main mode message and at least part of a quick mode negotiation, wherein the second response message includes a main mode pseudo random number and a separate quick mode pseudo random number.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A computer storage medium not consisting of a propagated signal for executing computer-readable instructions for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, comprising:
- initiating a first main mode negotiation at the first network device by sending a first main mode message with a first set of proposed security parameters;
- determining, at the first network device, that the first main mode negotiation is unsuccessful, wherein the determination is based at least in part on a first response message received from the second network device;
- in response to receiving the first response message, initiating a second main mode negotiation at the first network device by sending a second main mode message with a second set of proposed security parameters; and
- receiving a second response message comprising at least part of the second main mode negotiation and at least part of a quick mode negotiation, wherein the second response message comprises a main mode pseudo random number and a separate quick mode pseudo random number.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.

19. A system for executing a security policy at a first network device wherein the first network device is communicatively coupled to a second network device over a computer network, the system comprising:
- one or more processing units;
- a memory coupled with and readable by the one or more processing units, the memory containing a series of instructions that, when executed by the one or more processing units, cause the one or more processing units to perform a method of executing a security policy comprising the steps of:
  - receiving a packet;
  - determining if the packet must be sent securely;
  - if the packet must be sent securely, initiating a security policy, wherein initiating a security policy comprises:
    - initiating a first main mode negotiation at a first network device by sending a first main mode message with a first set of proposed security parameters;
    - determining, at the first network device, that the first main mode negotiation is unsuccessful, wherein the determination is based at least in part on a response message received from the second network device;
    - in response to receiving the first response message, initiating a second main mode negotiation at the first network device by sending a second main mode message with a second set of proposed security parameters;
    - receiving a second response message in response to the second main mode message, wherein the second response message comprises at least part of a quick mode negotiation for deriving a set of keys.
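The exchange described by the abstract and by claims 1, 10 and 19, as an added toy model that is not part of the patent record: an initiator offers a first parameter set, learns from the response that main mode failed, offers a second set, and receives a single reply that both accepts main mode and carries the responder's part of quick mode, with a main mode pseudo random number and a separate quick mode pseudo random number. The message names, the two proposal sets, the HMAC-SHA256 key schedule and the fixed nonces are all constructed assumptions for illustration; the patent text specifies none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed proposal sets. Which sets a peer will accept is local policy.
STRONG = {"enc": "aes-256", "auth": "hmac-sha256", "dh_group": 14}
LEGACY = {"enc": "aes-128", "auth": "hmac-sha1", "dh_group": 2}


def prf(key: bytes, *parts: bytes) -> bytes:
    """Pseudo-random function for the key schedule; HMAC-SHA256 is an assumption."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


@dataclass
class Responder:
    """The second network device. It holds two independent pseudo random numbers:
    one for main mode and a separate one for quick mode."""
    policy: list      # parameter sets this peer is willing to use
    mm_nonce: bytes   # main mode pseudo random number
    qm_nonce: bytes   # separate quick mode pseudo random number

    def main_mode(self, proposal: dict) -> dict:
        if proposal not in self.policy:
            # Reject; the initiator treats this as an unsuccessful main mode.
            return {"status": "NO_PROPOSAL_CHOSEN"}
        # Accept, and carry the responder's half of quick mode in the same
        # message, which is the round trip the abstract says is saved.
        return {"status": "OK", "params": proposal,
                "mm_nonce": self.mm_nonce, "qm_nonce": self.qm_nonce}


def derive_keys(i_mm: bytes, r_mm: bytes, i_qm: bytes, r_qm: bytes, params: dict) -> dict:
    """Two-stage schedule (assumed shape): a main mode key bound to the agreed
    parameters, then a quick mode traffic key derived from it and the quick mode nonces."""
    bound_params = repr(sorted(params.items())).encode()
    mm_key = prf(i_mm + r_mm, b"main-mode", bound_params)
    qm_key = prf(mm_key, b"quick-mode", i_qm + r_qm)
    return {"mm_key": mm_key, "qm_key": qm_key}


def negotiate(proposals: list, responder: Responder, i_mm: bytes, i_qm: bytes):
    """Initiator side. Offers each parameter set in order; on the first
    acceptance it completes quick mode from the nonces in that same reply.
    Returns None when every set is refused."""
    transcript = []
    for attempt, proposal in enumerate(proposals, start=1):
        reply = responder.main_mode(proposal)
        transcript.append((attempt, proposal["enc"], reply["status"]))
        if reply["status"] != "OK":
            continue
        # The claim requires two separate numbers; refuse a responder that reuses one.
        if reply["mm_nonce"] == reply["qm_nonce"]:
            raise ValueError("responder reused the main mode nonce for quick mode")
        keys = derive_keys(i_mm, reply["mm_nonce"], i_qm, reply["qm_nonce"], reply["params"])
        return {"params": reply["params"], "attempts": attempt,
                "transcript": transcript, **keys}
    return None


def demo() -> dict:
    """Constructed run: the responder only accepts LEGACY, so the first main mode
    fails and the second succeeds with quick mode piggybacked. Fixed nonces keep
    the output reproducible; real peers draw them from a CSPRNG."""
    responder = Responder(policy=[LEGACY], mm_nonce=b"\x00" * 16, qm_nonce=b"\x01" * 16)
    return negotiate([STRONG, LEGACY], responder, i_mm=b"\x02" * 16, i_qm=b"\x03" * 16)


if __name__ == "__main__":
    result = demo()
    for step in result["transcript"]:
        print("main mode attempt %d (%s): %s" % step)
    print("agreed:", result["params"])
    print("quick mode key:", result["qm_key"].hex())
```

Two points matter to anyone deploying a negotiation shaped like this. The order of the initiator's proposal list is what decides how far it will fall back, so the list is a policy object to review, not a default to inherit, and a session that needed more than one main mode attempt is worth logging as a downgrade event. Binding the agreed parameters into the main mode key, as `derive_keys` does here, means two peers that somehow agreed on different parameter sets end up with different keys rather than a silently mismatched channel.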
Specification