Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2000-05-31
2004-06-29
Barrón, Gilberto (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S164000, C713S152000, C709S224000, C709S227000
Reexamination Certificate
active
06757822
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to network security, and more particularly to providing secure communications between applications over a network.
BACKGROUND OF THE INVENTION
Today, more and more critical information systems, including commercial and U.S. Department of Defense (DoD) sites, are the constant target of network and system attacks. These attacks range from simple and well-known strikes, often conducted by young hackers by means of widely available and ready-to-use scripts, to very elaborate attacks led by well-funded organizations or foreign countries.
During operation, systems often rely on security service providers in order to add security enhancements for combating the foregoing attacks. Prior Art FIG. 1 illustrates a system 100 which provides such security enhancements using security service providers in a manner known in the art. As shown, applications 102 are connected to a network 104 by way of network providers 106 for communication purposes. Coupled between the applications 102 and the network providers 106 are security service providers 108. It should be noted that the security service providers 108 may be invoked by the applications 102, the network providers 106, and/or any other third parties. During use, such security service providers 108 may afford security components including, but not limited to, authentication, confidentiality, integrity, policy enforcement, etc. Often, these security components may become a likely target of attacks.
In particular, the foregoing security components afforded by the security service providers 108 may employ a set of techniques for encoding data and messages such that the data and messages can be stored and transmitted securely. Such techniques can be used to achieve secure communications, even when the transmission media (for example, the Internet) is untrustworthy. Further, they may also be used to encrypt sensitive files so that an intruder cannot understand them, to ensure data integrity as well as to maintain secrecy, and to verify the origin of data and messages. This may be accomplished using certificates, cryptographic policies, and cryptographic keys.
A certificate may be thought of as a data structure containing information or data representing information, associated with assurance of integrity and/or privacy of encrypted data. A certificate binds an identity of a holder to a key of that holder, and may be signed by a certifying authority. A signature is sometimes spoken of as binding an identity of a holder to a key in a certificate. As a practical matter, a certificate may be very valuable in determining some level of confidence in keys associated with encryption.
Government authorities throughout the world have interests in controlling the use of cryptographic algorithms and keys. Many nations have specific policies directed to creation, use, import, and export of cryptographic devices and software. Numerous policies may exist within a single government. Moreover, these policies are subject to constant change.
When using cryptographic methods, the only part that may be required to remain secret is the cryptographic key. The algorithms, key sizes, and file formats can be made public without compromising security. One example of security service providers is the set of Cryptographic Security Providers that can be invoked using the Microsoft Cryptographic API (Crypto API). Another example of security service providers is the set of Cryptographic Security Providers that can be invoked in accordance with the Java Cryptography Extension (JCE), which currently include JCE 1.2-compliant offerings from RSA, Inc., and Entrust Technologies. Application developers can use any of these cryptographic providers to manually add cryptography and certificate functionality.
Despite the foregoing techniques, systems 100 such as that shown in Prior Art FIG. 1 often fail as a result of a run-time software or hardware fault, or an intrusion by a hacker. In such situations, the system 100 often provides a notification of the problem, and allows the user to react. In response to the notification, a user has little choice but to re-instantiate the security service provider 108, or manually “plug-in” a different security service provider 108. This provides for a very static, cumbersome solution.
There is therefore a need for a system that allows for a more dynamic, fault-tolerant means of providing secure communication over networks.
DISCLOSURE OF THE INVENTION
A system, method and computer program product are provided for managing the use of a plurality of security service providers during network communication. A first security service provider is utilized for affording secure communication between applications using a network. During operation, the system is monitored for events relating to the secure communication between the applications. Upon the detection of an event, a second security service provider is utilized for affording secure communication between the applications using the network.
In one preferred embodiment, the event is a security-related event including a run-time error and/or an intrusion by a hacker. As an option, the use of the first security service provider may be discontinued in response to the detection of the event. Further, a notification may be generated in response to the detection of the event.
In another preferred embodiment, the second security service provider may be of a type similar to that of the first security service provider. Further, the second security service provider may be executed on a host different from that of the first security service provider. In still yet another preferred embodiment, the second security service provider may be of a type different from that of the first security service provider.
In order to prevent a failure from affecting the applications, an address space of the applications may be different from that of the security service providers. Further, a host on which each of the applications is executed may be different from a host on which each of the security service providers is executed.
In another aspect of the preferred embodiments, a method may be provided for initially establishing secure communication over a network using a plurality of security service providers. First, an indication is received that communication is to be established on a network between a first application and a second application. In response thereto, at least one of a plurality of security service providers may be chosen for affording secure communication between the first application and the second application. During operation, the chosen security service provider may be used for affording secure communication between the first application and the second application utilizing the network.
The security service provider may be chosen by exchanging a set of acceptable security service providers between the first application and the second application utilizing the network. Subsequently, at least one of the security service providers may be chosen from the set.
As such, the security service provider may be chosen based on whether it is acceptable to both the first application and the second application. In the alternative, the security service provider may be chosen based on security requirements associated with the secure communication between the first application and the second application.
In still another preferred embodiment, each of the security service providers may use a single, common network provider for affording secure communication between the first application and the second application. In the alternative, separate network providers may be employed by each of the security service providers. Similarly, a single, common network connection or separate network connections may be employed by each of the security service providers.
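The following is an added illustration of the two mechanisms disclosed above, provider negotiation between two applications and event-driven failover from a first to a second security service provider. It is not code from the patent or from Networks Associates Technology; the provider class (HMAC-based message integrity, with the digest algorithm standing in for providers of "different type"), the strength metric used as the security requirement, the event names and the shared-key assumption are all constructed for the example.

```python
"""Added example: negotiation and failover between security service providers.
Not part of the patent; provider names, the HMAC-based providers, the
strength metric and the event kinds are assumptions made for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class ProviderFault(Exception):
    """Raised by a provider on a run-time error, one of the event kinds above."""


@dataclass
class HmacProvider:
    """Toy security service provider affording message integrity via HMAC.
    Both applications are assumed to hold the same pre-established key."""
    name: str
    digest: str           # hashlib algorithm name, e.g. "sha256"
    strength_bits: int    # assumed metric for the "security requirements" check
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    faulty: bool = False  # constructed switch to simulate a run-time fault

    def protect(self, msg: bytes) -> bytes:
        if self.faulty:
            raise ProviderFault(f"{self.name}: run-time error")
        return hmac.new(self.key, msg, self.digest).digest() + msg

    def verify(self, blob: bytes) -> bytes:
        size = hashlib.new(self.digest).digest_size
        tag, msg = blob[:size], blob[size:]
        expected = hmac.new(self.key, msg, self.digest).digest()
        if not hmac.compare_digest(tag, expected):
            raise ProviderFault(f"{self.name}: integrity check failed")
        return msg


def negotiate(offered_by_a, offered_by_b, min_strength_bits=0):
    """Exchange the two applications' acceptable provider sets and keep those
    acceptable to both, in A's preference order, that also meet the
    security requirement (minimum strength)."""
    names_b = {p.name for p in offered_by_b}
    chosen = [p for p in offered_by_a
              if p.name in names_b and p.strength_bits >= min_strength_bits]
    if not chosen:
        raise ValueError("no mutually acceptable security service provider")
    return chosen


class ProviderManager:
    """Uses the first chosen provider, monitors for events, and on an event
    discontinues it, records a notification and switches to the next one."""

    def __init__(self, providers):
        self.providers = list(providers)
        self.active = self.providers[0]
        self.notifications = []

    def _on_event(self, reason: str):
        self.notifications.append(f"event on {self.active.name}: {reason}")
        self.providers.remove(self.active)          # discontinue first provider
        if not self.providers:
            raise RuntimeError("no security service provider left")
        self.active = self.providers[0]             # switch to second provider

    def send(self, msg: bytes) -> bytes:
        """Protect msg with the active provider, failing over on a run-time fault."""
        while True:
            try:
                return self.active.protect(msg)
            except ProviderFault as exc:
                self._on_event(str(exc))

    def report_intrusion(self, detail: str):
        """An external monitor (e.g. an IDS) signals an intrusion event."""
        self._on_event(f"intrusion: {detail}")


if __name__ == "__main__":
    # Constructed sample: A prefers SHA-512, B lists the same providers in
    # another order; the first provider is marked faulty to trigger failover.
    p512 = HmacProvider("hmac-sha512", "sha512", 256, faulty=True)
    p256 = HmacProvider("hmac-sha256", "sha256", 128)
    p1 = HmacProvider("hmac-sha1", "sha1", 80)
    chosen = negotiate([p512, p256, p1], [p1, p256, p512], min_strength_bits=100)
    mgr = ProviderManager(chosen)
    blob = mgr.send(b"hello")
    print(mgr.active.name, mgr.notifications, p256.verify(blob))
```

The manager keeps the applications unaware of the switch: `send` only returns once some provider has protected the message, and the event is surfaced as a notification rather than an exception, matching the disclosure's separation of provider failure from application operation (process or host isolation is not modelled here).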
REFERENCES:
patent: 5265164 (1993-11-01), Matyas et al.
patent: 5784566 (1998-07-01), Viavant et al.
patent: 5841870 (1998-11-01), Fieres et al.
patent: 5933503 (1999-08-
Cohen Eve L.
Feiertag Richard J.
Redmond Timothy
Rho Jaisook
Rosset Sebastien T.
Barrón Gilberto
Dinh Minh
Hamaty Christopher J.
Networks Associates Technology Inc.
Silicon Valley IP Group PC