Method and apparatus for secure network enclaves

US9319220B2 · US · B2

Patent metadata
Publication number: US-9319220-B2
Application number: US-3261808-A
Country: US
Kind code: B2
Filing date: Feb 15, 2008
Priority date: Mar 30, 2007
Publication date: Apr 19, 2016
Grant date: Apr 19, 2016

Abstract

Official abstract text for this publication.

Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a client identifier and an encrypted portion and/or an authorization signature, wherein a client authorization key allocated by the central network authority can be reproduced by a server, other than said central network authority, from the client identifier and a derivation key provided to the server by the central network authority to decrypt the encrypted portion and/or to validate the communication using the authorization signature. The server may also provide the client with new session keys and/or new client session identifiers using server-generated derivation keys if desired, protecting these with the client authorization key.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for secure network communications, the method comprising: initiating, by a server, authentication with a central network authority, wherein the server is different from the central network authority; receiving, by the server, from the central network authority a first derivation key; receiving, by the server from a client, a first communication including (i) a client identifier that is provided by the central network authority and (ii) an encrypted portion and/or an authorization signature; generating, by the server, a client authorization key as a pseudo-random function of (i) the client identifier and (ii) the first derivation key; performing, by the server, a cryptographic operation using the client authorization key, wherein the cryptographic operation comprises decrypting the encrypted portion using the client authorization key or validating the first communication using the authorization signature and the client authorization key; establishing, by the server, a client-server security association with the client using the first communication; producing, by the server, a new session key and a new session identifier for the client and encrypting the new session key and the new session identifier using the client authorization key, wherein the new session key and the new session identifier are produced using a second derivation key generated by the server; and encrypting, by the server, the second derivation key using the first derivation key to securely transmit the second derivation key to a network appliance.

2. The method of claim 1 wherein the server confirms the client-server security association from the first communication, the server using the first derivation key and the client identifier to reproduce the client authorization key provided to the client by the central network authority to decrypt the encrypted portion or to validate the first communication using the authorization signature.

3. The method of claim 1 further comprising: confirming, by the server, the client-server security association from the first communication, the server using the first derivation key and the client identifier to reproduce the client authorization key provided to the client by the central network authority to decrypt the encrypted portion or to validate the first communication using the authorization signature.

4. The method of claim 3 further comprising: the server producing a refreshed session key for the client and encrypting the refreshed session key using the client authorization key.

5. A network apparatus comprising: authentication hardware logic to initiate authentication by the network apparatus with a central network authority; packet processing hardware logic to receive from the central network authority a first derivation key; and security protocol hardware logic to: establish a client-server security association between a client and a server different than said central network authority using a first communication including (i) a client identifier that is provided by the central network authority and (ii) an encrypted portion and/or an authorization signature, generate a client authorization key as a pseudo-random function of (i) the client identifier and (ii) the first derivation key provided to the network apparatus by the central network authority, wherein the client authorization key is separately generated by the central network authority, perform a cryptographic operation using the client authorization key, wherein the cryptographic operation comprises to decrypt the encrypted portion using the client authorization key or to validate the first communication using the authorization signature and the client authorization key, and securely receive a second derivation key from the server, wherein the server encrypts the second derivation key using the first derivation key to securely transmit the second derivation key to the network apparatus; wherein the server produces a new session key and a new session identifier for the client and encrypts the new session key and the new session identifier using the client authorization key, wherein the new session key and the new session identifier are produced using the second derivation key generated by the server.

6. The apparatus of claim 5 wherein the server confirms said client-server security association from the first communication, and the server using the first derivation key and the client identifier to reproduce the client authorization key provided to the client by the central network authority to decrypt the encrypted portion or to validate the first communication using the authorization signature.

7. One or more non-transitory, computer-readable storage media comprising a plurality of instructions that in response to being executed cause a client to: initiate authentication with a central network authority; receive, from the central network authority, a client authorization key generated by the central network authority and a client identifier; initiate a client-server security association using a first communication to a server different than the central network authority, the first communication including (i) the client identifier and (ii) an encrypted portion and/or an authorization signature; and receive a second communication from the server in response to the server confirming the client-server security association from the first communication; wherein the client authorization key is separately generated by the server as a pseudo-random function of (i) the client identifier and (ii) a first derivation key provided to the server by the central network authority, to decrypt the encrypted portion or to validate the first communication using the authorization signature; and wherein the second communication is to include a new session key and a new session identifier for the client, wherein the new session key and the new session identifier are produced by the server using a second derivation key generated by the server and encrypted using the client authorization key by the server, and wherein the server is to encrypt the second derivation key using the first derivation key to securely transmit the second derivation key to a network appliance.

8. The one or more non-transitory, computer-readable storage media of claim 7 wherein the server is to produce a refreshed session key for the client and encrypt the refreshed session key using the client authorization key.

9. One or more non-transitory, computer-readable storage media comprising a plurality of instructions that in response to being executed cause a server to: initiate authentication with a central network authority, wherein the server is different from the central network authority; receive from the central network authority a first derivation key; receive, from a client, a first communication including (i) a client identifier that is provided by the central network authority and (ii) an encrypted portion and/or an authorization signature; generate a client authorization key as a pseudo-random function of (i) the client identifier and (ii) the first derivation key; perform a cryptographic operation using the client authorization key, wherein the cryptographic operation comprises decrypting the encrypted portion using the client authorization key or validating the first communication using the authorization signature and the client authorization key; and establish a client-server security association with the client using the first communication; produce a new session key and a new session identifier for the client and encrypt the new session key and the new session identifier using the client authorization key, wherein the new session key and the
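The abstract and claims above describe a key hierarchy rather than a concrete wire protocol: the central network authority hands each server a first derivation key, hands each client an identifier plus a client authorization key, and the server reproduces that client key on demand as a pseudo-random function of the identifier and its derivation key; a second, server-generated derivation key then yields session keys and identifiers that a network appliance holding the first derivation key can also recover. The following is an added worked example of that flow in Python, not code from the patent or its assignee. Everything beyond the claim language is an assumption made here: HMAC-SHA256 as the pseudo-random function, a fixed wire layout (8-byte client identifier, 16-byte nonce, 32-byte signature), and a small encrypt-then-MAC wrapper built from the same PRF as a stand-in for a standard AEAD such as AES-GCM, so the block runs on the standard library alone.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Wire layout assumed here: 8-byte client identifier, 16-byte nonce, 32-byte tag.
ID_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32

def prf(key: bytes, *labels: bytes) -> bytes:
    """The claims' pseudo-random function; HMAC-SHA256 over length-prefixed labels is assumed."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for lab in labels:
        h.update(struct.pack(">H", len(lab)) + lab)
    return h.digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (prf(key, b"enc", nonce, i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a PRF keystream and PRF tag: a stand-in for a real AEAD (e.g. AES-GCM)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + prf(key, b"mac", nonce, ct)

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(key, b"mac", nonce, ct)):
        raise ValueError("wrapped payload failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class CentralAuthority:
    """Keeps one first derivation key per server; it is never consulted per client afterwards."""
    def __init__(self) -> None:
        self._server_dk: dict[bytes, bytes] = {}

    def enroll_server(self, server_id: bytes) -> bytes:
        self._server_dk[server_id] = os.urandom(32)   # assumed: a fresh random key per server
        return self._server_dk[server_id]

    def enroll_client(self, client_id: bytes, server_id: bytes) -> bytes:
        # client authorization key = PRF(first derivation key, client identifier)
        return prf(self._server_dk[server_id], b"cak", client_id)

@dataclass
class Client:
    client_id: bytes
    cak: bytes   # client authorization key handed out by the authority

    def first_communication(self) -> bytes:
        body = self.client_id + os.urandom(NONCE_LEN)
        return body + prf(self.cak, b"auth", body)   # body || authorization signature

    def accept_session(self, second_communication: bytes) -> tuple[bytes, bytes]:
        pt = unwrap(self.cak, second_communication)
        return pt[:16], pt[16:]   # new session key, new session identifier

class Server:
    def __init__(self, dk1: bytes) -> None:
        self.dk1 = dk1                # first derivation key from the authority
        self.dk2 = os.urandom(32)     # second derivation key, generated by the server
        self.sessions: dict[bytes, bytes] = {}

    def handle_first_communication(self, msg: bytes) -> bytes:
        body, sig = msg[:ID_LEN + NONCE_LEN], msg[ID_LEN + NONCE_LEN:]
        # Reproduce the client's key locally: no per-client secret stored, no round trip to the authority.
        cak = prf(self.dk1, b"cak", body[:ID_LEN])
        if not hmac.compare_digest(sig, prf(cak, b"auth", body)):
            raise PermissionError("authorization signature invalid")
        session_id = prf(self.dk2, b"sid", body)[:8]
        session_key = prf(self.dk2, b"sk", session_id)[:16]
        self.sessions[session_id] = session_key
        return wrap(cak, session_key + session_id)   # second communication, protected by the CAK

    def export_dk2(self) -> bytes:
        return wrap(self.dk1, self.dk2)   # second derivation key encrypted under the first

def appliance_session_key(dk1: bytes, wrapped_dk2: bytes, session_id: bytes) -> bytes:
    """An appliance holding dk1 recovers dk2, then any session key from the on-wire session identifier."""
    return prf(unwrap(dk1, wrapped_dk2), b"sk", session_id)[:16]

def run_demo() -> dict:
    ca = CentralAuthority()
    dk1 = ca.enroll_server(b"server-1")
    server = Server(dk1)
    client = Client(b"client01", ca.enroll_client(b"client01", b"server-1"))
    key, sid = client.accept_session(server.handle_first_communication(client.first_communication()))
    impostor = Client(b"client01", os.urandom(32))   # knows the identifier, but neither dk1 nor the CAK
    try:
        server.handle_first_communication(impostor.first_communication())
        impostor_rejected = False
    except PermissionError:
        impostor_rejected = True
    return {"client_key": key, "server_key": server.sessions[sid],
            "appliance_key": appliance_session_key(dk1, server.export_dk2(), sid),
            "impostor_rejected": impostor_rejected}

if __name__ == "__main__":
    print(run_demo())
```

The design point worth noticing is where the secrets concentrate: the server and the appliance hold no per-client material, only derivation keys, which is what lets them verify and decrypt for any client without a lookup at the authority. The flip side is that the first derivation key reproduces every client authorization key derived from it, so in a deployment it is the derivation keys, not the per-client keys, that need the strongest storage and rotation controls, and the second derivation key should be rotated whenever a session-key refresh (claims 4 and 8) is meant to limit exposure.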

Classifications

  • H04L9/083 (Primary): involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] (CPC title)
  • involving digital signatures (CPC title)
  • involving a third party or a trusted authority (CPC title)
  • H04L63/061 (Primary): for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) (CPC title)

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9319220B2 cover?
Methods and apparatus are disclosed to provide for security within a network enclave. In one embodiment authentication logic initiates authentication with a central network authority. Packet processing logic receives a key and an identifier from the central network authority. Security protocol logic then establishes a client-server security association through a communication that includes a cl…
Who is the assignee on this patent?
Grewal Karanvir, Long Men, Dewan Prashant, and 1 more
What technology area does this patent fall under?
Primary CPC classification H04L9/083. Mapped technology areas include Electricity.
When was this patent published?
Publication date Apr 19, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).