Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-09-09
2004-01-13
Sheikh, Ayaz (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C707S793000
Reexamination Certificate
active
06678826
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a management system for distributed out-of-band security databases. More particularly, the management system relates to security for computer networks and maintains security whether the network server is in-service or out-of-service. As the encryption and decryption of the security system of this invention are asynchronous, the management system of the security database is independent of time and event monitoring. With the management system hereof, remote access obtained by a technician to any network element or to any related distributed database thereof is secure through in-band or out-of-band routing.
2. Background Information
In the current technology, for direct access to the functions of the router/server, most routers provide a console maintenance port, which is typically connected to a modem for convenient remote access. When a network problem occurs, the technician has several options depending upon the topological and geographical configuration of the network. A technician servicing a simple network, located in close proximity to the router/server, can access the console maintenance port directly for diagnostic testing. In a more diverse and complex network there are more options, each with different consequences.
When the technician and the router are not in geographical proximity and a network problem occurs, one of several options is available. The technician can have someone at the remote site where the router exists diagnose the problem and report back by telephone. This requires having, at the site of the router, a person with skills and tools similar to the technician's. Another option is for the technician to travel to the site. Besides losing the services of the technician during travel, this may also require an overnight stay. Alternatively, when a dial-up modem has been placed on the console/maintenance port of the router, the technician can dial into the modem at any time. While this solves the remote diagnostic problem, a breach of security is created, as anybody can now access the router/server: there is absolutely no security or audit. To minimize the breach of security, the technician may, by contacting someone at the remote site, have the modem operational only when a problem occurs. The attendant turns on the modem for diagnostic and maintenance work and turns off the modem when the work is completed. This requires a person at the remote site at all times that off-site diagnostic and maintenance work is proceeding, and may require attendance twenty-four hours a day, seven days a week. At this point, security is dependent upon human factors, e.g. the person at the remote site remembering to turn off the modem, purposely leaving the modem on out of laziness, or intentionally leaving the modem on so as to connect after hours unnoticed by the global security system.
More recently, the technology of a RADIUS or TACACS+ authentication server has become available for authenticating the dial-up call to a remote network element. These technologies each utilize a single network security server which must be accessed via the network each time security is required. While this provides two-factor authentication utilizing a token, the RADIUS and TACACS+ protocols require network connectivity to operate, so such authentication is impractical in exactly the situation where console access is needed. If the router/server has network connectivity, the technician usually can gain access to the network and reach the router/server in-band, and is then not limited by the data transfer rate over the telephone line. If the router/server does not have network connectivity, the technician is limited to dial-up access through the console/maintenance port; because of the lack of network connectivity, the RADIUS/TACACS+ authentication is also inoperative and provides either no security or only default password security into the console/maintenance port. Another alternative is for the technician to install password modems at all the remote sites requiring dial-up access. While this solves the remote access problem, an unacceptable system is created, as (1) password authentication is weak and (2) security management becomes cumbersome. While it is widely accepted that two-factor authentication should be used, such strong authentication modems are not commonly available. The security management defect results from having possibly hundreds of individual databases scattered around the network; updating these databases and obtaining audit information, if available, then become manpower-intensive activities.
In summary, RADIUS and TACACS+ do not address the problems associated with remote technician access to router/server ports. This problem can only be adequately addressed by strong authentication, centrally managed, secure access modems.
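The failure mode described above, where the central RADIUS/TACACS+ server becomes unreachable at the same moment the console port is needed, is easy to reproduce in a small model. The following is an added illustration, not code from the patent or from Communications Devices, Inc.: it contrasts a console-port gate that falls back to a default password when the central server is unreachable with a gate that keeps a per-site copy of the token secrets and verifies a random challenge/response locally, failing closed and keeping a local audit record. The HMAC-based token scheme, the default password, the user names and the secrets are all constructed for the example and are not the mechanism the patent claims.

```python
"""Added model (not code from the patent): console-port modem behaviour when the
central RADIUS/TACACS+ server is unreachable. Contrasts the default-password
fallback described in the background with local, fail-closed challenge/response
verification against an out-of-band provisioned secret. All names, secrets and the
HMAC-based token scheme are constructed for illustration."""
import hashlib
import hmac
import secrets


def token_response(secret: bytes, challenge: bytes) -> str:
    """What a two-factor token computes from a challenge: HMAC-SHA256 over the
    challenge, truncated to 8 hex digits (constructed scheme, not a standard)."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


class CentralAuthServer:
    """Stand-in for RADIUS/TACACS+: the single network-reachable security database.
    `reachable` models whether the router currently has a network path to it."""

    STATIC_CHALLENGE = b"login"  # simplification: one fixed challenge per login

    def __init__(self, token_secrets: dict, reachable: bool = True):
        self.token_secrets = dict(token_secrets)
        self.reachable = reachable

    def verify(self, user: str, code: str) -> bool:
        if not self.reachable:
            raise ConnectionError("authentication server unreachable")
        secret = self.token_secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(token_response(secret, self.STATIC_CHALLENGE), code)


class LegacyConsoleGate:
    """Console-port modem that relies on the central server and, when the network is
    down, falls back to the router's default console password: a single weak factor,
    shared by every site, with no audit trail."""

    DEFAULT_PASSWORD = "admin"  # constructed placeholder default

    def __init__(self, central: CentralAuthServer):
        self.central = central

    def authenticate(self, user: str, code: str, password: str) -> bool:
        try:
            return self.central.verify(user, code)
        except ConnectionError:
            return password == self.DEFAULT_PASSWORD  # fails open to the weak factor


class LocalChallengeGate:
    """Modem holding a per-site copy of the token secrets, provisioned out of band by
    the management system, and verifying a fresh random challenge locally. Needs no
    network path and no synchronised clock; unknown users and wrong responses fail
    closed, and every attempt is recorded for upload once connectivity returns."""

    def __init__(self, local_secrets: dict):
        self.local_secrets = dict(local_secrets)
        self.audit = []  # (user, success) tuples kept at the site

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def authenticate(self, user: str, challenge: bytes, response: str) -> bool:
        secret = self.local_secrets.get(user)
        ok = secret is not None and hmac.compare_digest(
            token_response(secret, challenge), response)
        self.audit.append((user, ok))
        return ok


def demo() -> dict:
    """Exercise both gates with the network down; returns the outcomes."""
    secrets_db = {"tech1": b"site-7-token-secret"}  # constructed sample secret
    central = CentralAuthServer(secrets_db, reachable=False)
    legacy = LegacyConsoleGate(central)
    local = LocalChallengeGate(secrets_db)

    chal = local.new_challenge()
    good = token_response(secrets_db["tech1"], chal)
    return {
        # anyone who knows the default password gets in while the network is down
        "legacy_default_password_accepted": legacy.authenticate("intruder", "", "admin"),
        # the real technician's token still works, verified at the site
        "local_valid_response_accepted": local.authenticate("tech1", chal, good),
        # a wrong response or an unknown user is refused
        "local_bad_response_rejected": not local.authenticate("tech1", chal, "00000000"),
        "local_unknown_user_rejected": not local.authenticate("intruder", chal, "00000000"),
        "audit_entries": len(local.audit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The local gate's challenge is random per session, so a recorded response cannot be replayed, and nothing in the verification depends on wall-clock time or on reaching the central database; the central management system's job becomes distributing and rotating the per-site secrets and collecting the local audit records, which is the management problem the remainder of the document addresses.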
In preparing for this patent application the inventor became familiar with several patents in the field of security systems and security for databases. In general, most of the patents in this technology teach the manner in which a user is authenticated prior to gaining access through a centralized security database to a remote network element.
The patent to Wirstrom et al., U.S. Pat. No. 4,694,492, teaches the generating of a sequentially assigned event identifier by the host computer, which is encrypted into the authorization request by a remote network element that thereupon sends an event-coded encryption to the host computer for authorization. Wirstrom et al. has a fixed key and a stored transitory key. This patent deals with a two-part encryptor: one part the user carries from site to site, and the other remains at each site to receive the first part, similar to an electronic identification card that admits its holder through electronically locked doors.
The patent to Mihm, Jr., U.S. Pat. No. 5,249,230, teaches the generating by the host computer of an encrypted credential that is then transmitted to and embedded in a remote device, after which public key technology is used to authenticate. This patent teaches the use of public key technology to authenticate the terminal. The system first assigns an equipment identifier and a user identifier for the terminal. The two identifiers are then encrypted with a secret key and the encrypted data is stored on the remote terminal. A public key is sent to the authentication nodes, which receive the encrypted data, decrypt it using the public key, and compare.
The patent to Boebert et al., U.S. Pat. No. 5,276,735 teaches a type of complex system usually associated with LAN security and describes keys, identifiers, and rights and privileges. This system only involves protecting stored data and does not extend to data in transit. Also Boebert et al. teaches chaining sequential transactions together so that a break-in is detected by a number being out of sequence.
The patent to Suzuki et al., U.S. Pat. No. 5,377,267, teaches a system based on a wireless network in which two communication networks are required to authenticate the user.
The patent to Heath, U.S. Pat. No. 5,451,757, teaches a portable terminal connection to an automated teller machine (ATM). In the Heath '757 teachings, the user enters a two-part access code comprised of a personal identification number (PIN) and the portable terminal identifier. This entry is then compared at the host computer to an access code generated by the ATM. In contradistinction to the present disclosure, infra, this is not an out-of-band application, insofar as operational control is by and through the host computer. Here, a secured message is transmitted to a remote technician, who, after authentication, receives an encrypted message. The technician decrypts the message and reads an instruction, e.g. where he has to go to repair a disabled ATM. Because the files are checksummed, the system encrypts only parts of an executable file.
The patent to Boeber, U.S. Pat. No. 5,499,297 teaches a plurality of hosts authenticating to a central security s
Kelly Tadhg
McPherson James
Snook Don
Sung Wai Kong
Communications Devices, Inc.
Revak Christopher
Sheikh Ayaz
Siegmar Silber, Esq.