System and method for application-level virtual private network

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular communication authentication technique

Reexamination Certificate


Details

C713S153000, C713S168000, C713S152000

active

06804777

ABSTRACT:

BACKGROUND OF INVENTION
The invention relates generally to network security, and more specifically to secure message and file transfers across public or private networks using an application-level virtual private network. It provides a means for specifying and validating the application being used to access a remote resource over a dynamic dedicated secure conduit or tunnel that is established over existing network pathways.
The need for providing and accessing information throughout small and large enterprise organizations spawned a rapid growth in intranets and extranets to satisfy these organizational communications requirements. With the rapid growth of the Internet as a public network communication medium, organizations found substantial cost savings by using the Internet as a worldwide vehicle for providing and accessing organizational information. The result was a shift from a closed and protected information infrastructure to an open and less secure one. Gateways were provided to connect existing private networks to the Internet to replace many private dedicated networks providing access to disparate parts of the world. It is not unusual in today's business environment to have multiple computer workstations and servers interconnected by complex and widely dispersed communications networks. These communications networks are critical to many businesses that rely on these information networks to provide services for the day-to-day operation of their enterprises.
With the growth of these communications networks came an increase in incidences of unauthorized access to these networks by individuals and software programs for accessing confidential information and causing disruptions or irreparable harm to these informational networks. These intrusions, oftentimes resulting in economic losses, have created a demand for means for detecting and preventing malicious and unauthorized access to these networks by users and organizations that seek to find and exploit the smallest security hole. In addition to enterprises instituting safeguards to prevent harm caused to business enterprises and individuals, the government has instituted regulations to protect the privacy of information on individuals that may be available on these information networks.
The Gramm-Leach-Bliley Act requires financial institutions and financial services companies to comply with stringent privacy and security standards. The health care market has similar legislation called the Health Insurance Portability and Accountability Act (HIPAA). While the details of HIPAA are still being completed, it will clearly establish uniform information security standards for health care organizations. Since the late 1980s, the government agencies have been under legislative pressure to secure networked systems. Emerging homeland defense initiatives will add additional and enforceable network security requirements to the government agencies.
In response to unauthorized intrusions into informational networks, various protective measures have been implemented to eliminate or reduce intrusion incidences. Some of these measures include Public Key Infrastructure (PKI) encryption, S/MIME Email security, Secure Sockets Layer (SSL) 128-bit encryption, Virtual Private Network (VPN), firewalls, and vulnerability scanners. Some of these network protection schemes may work at cross-purposes to one another by inhibiting other protection schemes from operating effectively. For example, a firewall may inhibit a vulnerability scanner from assessing the intrusion vulnerability of a system protected by the firewall.
Traditional VPN solutions have typically provided network-to-network secure communications, and machine-to-machine secure communications. In the former case, one network gateway can establish a secure channel to another network's gateway by employing encryption technologies and using the public Internet as a medium. This approach has the benefit of using public resources in a secure manner, but has several notable disadvantages as well. The disadvantages include: (1) all resources on one side of the connection can access all resources on the other side of the connection, unless additional (often overlooked or too restrictive) measures are taken; and (2) if one side of the connection has multiple VPN channels to other locations, all locations can potentially access each other.
Although machine-to-machine VPN solutions seem to address these problems, they still have issues of their own that are often ignored due to the inability of current technologies to address them. The issues include: (1) if an intruder gains access to one machine in the connection, she can use whatever application is available on the compromised machine to attack resources on the other side of the connection; and (2) if the user of one machine contracts a virus or worm that corrupts his applications, that virus can spread across the VPN to attack resources on the other side of the connection.
SUMMARY OF INVENTION
The present invention provides a solution that overcomes many of the disadvantages and issues encountered in the use of network-to-network VPN secure communications and machine-to-machine VPN secure communications. It enables users to securely share application information and resources by granting resource owners access to user-application combinations, and ensuring that only approved and unaltered applications can access the resources being made available. A process of negotiation is a necessary preamble to any secure connection attempt from an application to a resource. This negotiation allows both ends of a communication channel to agree upon an application and version of an application to be used to access a target resource. Upon agreement by both ends of the communication channel, channel encryption may be established using an encryption key and a signature verified using the hash of the negotiated application.
Each application that runs on a client workstation is subject to a check upon all attempts to use an established application-level VPN channel. This check involves a query to the host operating system to determine which application has requested access and then a calculation of that application's hash. As traffic passes into the VPN channel, the discovered hash and encryption process with a provided session key is used to establish secure communication. As packets emerge on the other side of the channel, the hash of the pre-coordinated application is used as a signature to validate the connection. Therefore, if a rogue or tainted application attempts to use the channel once it has been established, the hash-encryption step will not match the hash-signature step, and communications will not be successful. An embodiment of a network that satisfies these requirements is disclosed in U.S. patent application Ser. No. 10/249,668 filed on Apr. 29, 2003, and incorporated herein by reference.
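The check described above, sketched as an added example that is not taken from the patent: the connection manager binds each message to the hash of the requesting application, and the gateway verifies it against the hash agreed during negotiation. SHA-256 and HMAC stand in for the unspecified hash, encryption and signature steps, and all function names, the label and the sample binaries are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

LABEL = b"app-level-vpn"  # constructed domain-separation label (assumption)

def app_hash(image: bytes) -> bytes:
    """Hash of the application's executable bytes (SHA-256 assumed)."""
    return hashlib.sha256(image).digest()

def channel_key(session_key: bytes, app_digest: bytes) -> bytes:
    """Derive a per-application key from the session key and the app hash."""
    return hmac.new(session_key, LABEL + app_digest, hashlib.sha256).digest()

def client_send(session_key: bytes, running_image: bytes, payload: bytes):
    """Connection manager: hash the app that requested access, tag the payload."""
    key = channel_key(session_key, app_hash(running_image))
    return payload, hmac.new(key, payload, hashlib.sha256).digest()

def gateway_accepts(session_key, negotiated_digest, payload, tag) -> bool:
    """Channel receiver: recompute the tag from the pre-coordinated hash."""
    key = channel_key(session_key, negotiated_digest)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

def demo():
    approved = b"\x7fELF constructed approved client v1.2"  # constructed sample
    tainted = approved + b" + injected code"                 # altered binary
    session_key = os.urandom(32)
    negotiated = app_hash(approved)  # value both ends agreed on
    msg = b"GET /records/42"
    ok = gateway_accepts(session_key, negotiated,
                         *client_send(session_key, approved, msg))
    rogue = gateway_accepts(session_key, negotiated,
                            *client_send(session_key, tainted, msg))
    payload, tag = client_send(session_key, approved, msg)
    altered = gateway_accepts(session_key, negotiated, payload + b"0", tag)
    return ok, rogue, altered

if __name__ == "__main__":
    print(demo())
```

The gateway never sees the binary itself, so the check is only as trustworthy as the connection manager and the operating system query that report which application is running.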
An embodiment of the present invention is a method for application-level virtual private networking, comprising the steps of requesting access for sending requestor messages to an external resource by a requestor application within a user workstation, identifying the requestor application and calculating a hash value of the requestor application by a connection manager within the user workstation, forwarding the requestor messages and the calculated application hash value by the connection manager over a network to a channel gateway, receiving the requestor messages and the calculated application hash value by a channel receiver within the channel gateway, authenticating the received requestor messages using the calculated application hash value and forwarding the requestor messages to the external resource, and receiving the requestor messages by the external resource. The step of requesting access for sending requestor messages to an external resource by a requestor application within a user workstation may comprise the step of requesting access for sending requestor messages to an external server application program within the channel gateway b
