Encrypting/decrypting units having symmetric keys and methods of using same

Information

  • Patent Application
  • 20080082822
  • Publication Number
    20080082822
  • Date Filed
    September 29, 2006
  • Date Published
    April 03, 2008
Abstract
An encrypting/decrypting unit that receives symmetric keys from a key authority point (KAP) within a secure network having a software operating on a management and policy server (MAP) in communication with the KAP for providing key(s) to policy enforcement points (PEPs) on the network.
Description

BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a schematic of the overall system, in accordance with an embodiment of the present invention.



FIG. 2 is a schematic of a portion of a network having a 10 Gb encryption arrangement according to the present invention.



FIG. 3 is a schematic showing groups of paired encryption/decryption units within a system according to the present invention.





DETAILED DESCRIPTION

In the following description, like reference characters designate like or corresponding parts throughout the several views. Also in the following description, it is to be understood that such terms as “forward,” “rearward,” “front,” “back,” “right,” “left,” “upwardly,” “downwardly,” and the like are words of convenience and are not to be construed as limiting terms.


As referred to herein, the term “encryption” includes aspects of authentication, entitlement, data integrity, access control, confidentiality, segmentation, information control, and combinations thereof.


The present invention provides a key and policy management software-based solution that enables secure data access and user interactions, and that enables users to securely access and interact with data they need and are authorized to access on predetermined, regular, and/or transactional bases from any point on the network without requiring changes in the existing infrastructure. The present invention system and method controls and manages the establishment and activity for trusted, secure connections across a network that are created by end point security technologies. This flexible software solution does not require a separate infrastructure to affect changes in network access, key or policy management.


Preferably, the system and methods of the present invention provide a network-independent solution layer or overlay that functions over the existing network infrastructure to control the policies, secure associations (SAs), and keys provided by a universal key authority point (KAP) to a multiplicity of policy enforcement points (PEPs) for enabling secure communications and data access to authorized users at any point within the network to other points, based upon the policies managed and provided by a management and policy server (MAP). The present invention provides for essentially unlimited scalability and address management that is commercially practical to implement network-wide for all secure communication, data access, applications, and devices, regardless of the type or form of encryption used by a particular device or hardware within the network. Also, the flexible software overlay for MAP and KAP functions within the system provides for dynamic modifications in real time without requiring changes to existing infrastructure or hardware, and without regard to the form of encryption thereon. Therefore, use and implementation of the present invention is not limited to traditional networking or infrastructure and is not limited to a single encryption form or type.


The present invention provides a method and a system for automatically securing communication between two or more nodes in a distributed network that use a single shared key or separate keys generated and distributed by at least one key authority point based upon a policy or policies managed by a management and policy server for the entire network, wherein packet encryption and decryption are carried out by encryption/decryption units for load balancing and multicasting using a common key, preferably a symmetric key, provided by the KAP to the units. In preferred embodiments at the time of the present invention, all keys distributed by a KAP are symmetric keys.


The present invention provides for at least one encrypting/decrypting unit that receives symmetric keys from a key authority point (KAP) within a secure network having a software operating on a management and policy server (MAP) in communication with the KAP for providing key(s) to policy enforcement points (PEPs) on the network and at least one common key to encryption/decryption units for facilitating encrypting and decrypting packets and transmitting the packets securely through the network, including load balancing of the encryption/decryption functions and multicasting of the packets. The symmetric key distributed by the KAP is the common key used to encrypt traffic.


In one embodiment of the present invention, each of a multiplicity of encrypting/decrypting units has the same symmetric keys provided by a KAP, wherein any unit is operable to encrypt and/or decrypt a packet. Preferably, during the system start-up for operation, each unit is authenticated, by way of example and not limitation, by IKE and/or certificates for public-private key exchange.


Generally, IPSec encryption today is well defined and leverages IKE for key exchange. Using standard IKE, encryptors in the 10 Gb application could be paired so that the output of one encryptor would always be decrypted by the same peer on the remote side. However, by tying encryptors in matched pairs, resiliency and load sharing algorithms are greatly limited. If either of the paired units fails then a full 1 Gig of bandwidth is lost, which is detrimental to the network functionality. Also, the switching algorithms that distribute traffic across both VLAN and non-VLAN trunks are limited in their function since traffic from one encryptor must always be switched to a specific encryption unit.


A distributed network includes multiple nodes that are interconnected by multiple routers, bridges, etc. and that may be connected in a variety of different network topologies. In a distributed network, a node may be part of a smaller network such as an office LAN, or even a single node directly connected to the internet. The node can be connected to an unprotected network such as the Internet either directly or through a gateway, router, firewall and/or other such devices that allow one or more nodes to connect to a network via a single point. The nodes include computing devices such as, by way of example and not limitation, laptops, desktops, handheld devices, mobile devices, cable access systems, and other devices capable of connecting to a network, or a network of such devices.


These nodes communicate with each other, or servers providing services such as web pages, email, voice over internet protocol (VoIP), video broadcasting, multicasting applications, streaming audio or video via unprotected networks. In certain cases, when the communication is between two nodes that are using the same network, this communication may be protected. However, most of the communication over the internet is unprotected. This means that the communication can be intercepted by anyone. This communication is protected by using cryptographic keys. One or more nodes are grouped together so that they communicate over the unprotected networks via at least one policy enforcement point (PEP). Typically there are several PEPs in a distributed network. The PEPs receive policies from a management and policy server (MAP). The MAP defines the policies that govern the communication of the PEPs and the nodes under the PEPs. There are one or more key authority points (KAP) that communicate with the MAP and generate one or more cryptographic keys for PEPs. There are several configurations operable for arranging PEPs and KAPs within a network according to the present invention. By way of example, the system is operable for multiple KAPs, including peer KAPs, for one or more PEPs. Alternatively, the system and methods are functional where there is a single KAP that provides the keys for all the PEPs in a distributed network.


Based on the policies received from the MAP, the universal KAP of the present invention generates one or more cryptographic keys for each of the PEPs, or a single key to be shared by PEPs, within its network as defined by the MAP. The PEPs use the cryptographic keys to encrypt communication from the nodes and networks that they protect to unprotected networks, decrypt communication from unprotected networks to the nodes and networks that they protect or both. The universal KAP receives the policy definition from a single MAP. This policy definition informs the KAP about the PEPs it is responsible for, which networks the PEPs protect, and which KAP units they use. The KAP distributes the keys and policies associated with its networks and nodes to the appropriate PEPs.


The present invention provides for at least one encrypting/decrypting unit that receives symmetric keys from a key authority point (KAP) within a secure network having a software operating on a management and policy server (MAP) in communication with the KAP for providing key(s) to policy enforcement points (PEPs) on the network.


The original IP address and the original MAC address are maintained for each packet. This enables a completely transparent implementation of encryption and decryption, especially at layer 2. In addition, using the end stations' IP and MAC addresses enables a much more balanced load across a link aggregation group. It also allows for the packets to be transmitted across firewalls, routers and the like. For instance, in the 10 Gig encryption system, two switches communicating over a 10 Gig link have encryptors on each side sharing keys to encrypt and decrypt traffic. The switches employ standard link aggregation techniques to distribute traffic over the encryptors.


According to systems and methods of the present invention, multiple units are connected with a router or a switch on each side of a 10 Gb link. More particularly, two ports are provided, including an encrypted port for encrypting plain packets and sending the encrypted plain packets back to the router, and then to be sent to the other side of the 10 Gb link, and for decrypting a received packet and sending the decrypted received packet back to the router to be forwarded to a local address; and a clear port for sending a plain packet to be encrypted, and for receiving a decrypted packet.


Preferably, each encrypting/decrypting unit has an IP address and the router knows the IP address of each unit connected to the router. This provides for the units to be dynamically added and/or removed from routers so that each router performs a load balancing in deciding to which unit to send a given packet for encryption and/or decryption.


One method for the balancing is by a link aggregation. Another is by a round robin algorithm. Other methods or combinations are also operable for the load balancing according to the present invention.


In one embodiment, the KAP sends cryptographic keys to the PEPs or to peer KAPs based upon the policy communicated to the KAP by the MAP. The keys are encrypted at the universal KAP with an encrypting key, which may include a pre-shared private key. Preferably, the universal KAP includes a secure hardware module that stores the pre-shared private key and encrypts the cryptographic keys. The secure hardware module is tamper-proof and disables access if the KAP is attacked. The use of the secure hardware module prevents exposure of the cryptographic keys in memory or backplane, where they can be accessed in clear text. The secure hardware module's tamper-proof feature enables it to shut down when it detects that it has been removed from the KAP. Hence, during attack, the cryptographic keys cannot be accessed, since they are stored in the secure hardware module which shuts down when it detects attack. Attack can be in the form of removal of the secure hardware module so that its memory can be independently accessed to gain access to the cryptographic key.


Referring now to the drawings in general, the illustrations are for the purpose of describing a preferred embodiment of the invention and are not intended to limit the invention thereto. As best seen in FIG. 1, a schematic of the overall system, in accordance with an embodiment of the present invention is shown. A management and policy (MAP) server 104 and a key authority point (KAP) 106 are connected to a network node 108. Network node 108 connects to a policy enforcement point (PEP) 110. PEPs 112, 114 and 116 are also connected to PEP 110 via an unprotected network 118. Unprotected network 118 is a network of interconnected nodes and smaller networks, such as the internet or a local LAN or WAN. PEPs 112, 114 and 118 are connected to network nodes 120, 122 and 124 respectively. The network nodes may be individual network points or can be access points to sub-networks 126, 128 and 130. KAP 106 generates and sends keys to PEPs 110, 112, 114 and 116. The keys enable PEPs to encrypt and/or authorize communication between the PEPs 110, 112, 114 and 118 and the nodes behind the PEPs. In an alternate embodiment, MAP 104 and KAP 106 are implemented as programs that reside on network node 108.


A 10 Gb Ethernet encryption service according to the present invention is established or built using 1 Gig encryptors on the “side” of a 10 Gig switch. FIG. 2 shows the placement of the encryptors (2) and the switches (4) in a 10 Gig environment, generally referenced (10). Any number of encryptors can be configured and are operable to provide sufficient bandwidth to satisfy the switch's needs.


By contrast to prior art, in a preferred embodiment according to the present invention, EDPM technology employs a key authority point (KAP) that alleviates the limitations described above that describe the state of the art. Preferably, with a KAP, IPSec encryptors are grouped together (FIG. 2), sharing keys and other Security Association content. By contrast to the prior art, with the present invention, instead of two units being paired, two groups are paired so that any packet encrypted on one side can be decrypted by any encryption device on the peer side. Units can fail and traffic is limited only by the loss of bandwidth on one side. The switches are operable with any load balancing algorithm, by way of example and not limitation, round robin, address hash, load sharing, etc., to distribute traffic over the encryption devices. As illustrated in FIG. 3, sharing the keys provided by the KAP enables a superior solution to the use of standard IKE in this application.
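
The group-keyed arrangement described above, sketched as an added example that is not code from the patent: two groups of units share one common key, each side balances round robin, one unit fails, and any unit on the far side still decrypts. Assumptions not found in the patent: the names `Unit`, `Switch` and `run_demo`, the unit IDs, an HMAC-SHA256 keystream standing in for the IPSec transform, and a nonce built from unit ID plus per-unit counter so that units sharing a key never repeat a nonce.

```python
import hashlib
import hmac
import itertools
import os
import struct

def subkey(key, label):
    # Derive separate encryption and MAC keys from the one common key.
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a standard-library stand-in for a real
    # transform such as AES-CTR inside ESP. Not for production use.
    stream = b""
    for block in itertools.count():
        if len(stream) >= len(data):
            return bytes(a ^ b for a, b in zip(data, stream))
        stream += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()

class Unit:
    """Encrypting/decrypting unit holding the group's common symmetric key."""
    def __init__(self, unit_id, common_key):
        self.unit_id, self.counter, self.alive = unit_id, 0, True
        self.enc_key = subkey(common_key, b"enc")
        self.mac_key = subkey(common_key, b"mac")

    def encrypt(self, payload):
        # Assumption (not in the patent): nonce = unit id || per-unit counter,
        # so units sharing one key can never emit the same nonce.
        nonce = struct.pack(">HQ", self.unit_id, self.counter)
        self.counter += 1
        ct = xor_stream(self.enc_key, nonce, payload)
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        return nonce + ct + tag

    def decrypt(self, packet):
        nonce, ct, tag = packet[:10], packet[10:-16], packet[-16:]
        want = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, want):
            raise ValueError("integrity check failed: wrong key or modified packet")
        return xor_stream(self.enc_key, nonce, ct)

class Switch:
    """Round-robin balancer over one side's units, skipping failed ones."""
    def __init__(self, units):
        self.units, self.ring = units, itertools.cycle(units)

    def pick(self):
        for _ in self.units:
            unit = next(self.ring)
            if unit.alive:
                return unit
        raise RuntimeError("no live encryption units on this side")

def run_demo(packets=12):
    common_key = os.urandom(32)  # generated once by the KAP, sent to both groups
    west = Switch([Unit(i, common_key) for i in range(3)])
    east = Switch([Unit(100 + i, common_key) for i in range(3)])
    west.units[1].alive = False  # one unit fails; traffic keeps flowing
    nonces, pairs, delivered = set(), set(), 0
    for i in range(packets):
        payload = f"constructed-frame-{i}".encode()  # constructed sample data
        enc, dec = west.pick(), east.pick()
        wire = enc.encrypt(payload)
        nonces.add(wire[:10])
        delivered += dec.decrypt(wire) == payload
        pairs.add((enc.unit_id, dec.unit_id))
    return delivered, len(nonces), sorted(pairs)
```

A unit provisioned with a different key, as in a matched IKE pair, fails the integrity check on this traffic, which is the coupling the shared group key removes.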


The present invention also provides a method for providing secure interactivity between points on a network including the steps of: providing a communication network having a network infrastructure and a secure network topography between a multiplicity of policy enforcement points (PEPs) having nodes with any form of encryption associated therewith; a user providing at least one policy definition to a management and policy (MAP) server in communication with a key authority point (KAP); the KAP generating and distributing keys to the PEPs and at least one common key provided to a multiplicity of encryption/decryption units consistent with the MAP policy; the encryption/decryption units performing load balancing on the network to direct packets through routers using the common keys; and the PEPs enforcing the policy at the nodes to provide secure communication across the network topography.


Preferably, multiple encryption/decryption units are connected with a router on each side of a 10 Gb link, with any encryption/decryption unit being operable to encrypt and/or decrypt any packet, and each encrypting/decrypting unit has an IP address and the router knows the IP address of each unit connected to the router.


Also, the system includes two ports, including an encrypted port and a clear port, the ports providing the steps of: the encrypted port encrypting plain packets and sending the encrypted plain packets back to the router, then to the other side of the 10 Gb link, and decrypting a received packet and sending the decrypted received packet back to the router to be forwarded to a local address; and the clear port sending a plain packet to be encrypted and for receiving a decrypted packet.


Preferably, the method provides for adding and/or removing units from association with the routers and providing a multiplicity of routers and units connected thereto, including the steps of each router performing a load balancing in deciding to which unit to send a given packet for encryption and/or decryption.


Certain modifications and improvements will occur to those skilled in the art upon a reading of the foregoing description. The above mentioned examples and embodiments are provided to serve the purpose of clarifying the aspects of the invention and it will be apparent to one skilled in the art that they do not serve to limit the scope of the invention. All modifications and improvements have been deleted herein for the sake of conciseness and readability but are properly within the scope of the following claims.

Claims
  • 1. A system for providing secure networks comprising: a communication network having a network infrastructure; and software operating on a server in connection to the network for providing security for the network; wherein the software provides: a management and policy (MAP) server coupled to the network for communication with at least one key authority point (KAP), wherein the MAP includes at least one policy for providing secure association (SA) within the network; wherein the KAP is operable to generate and manage keys communicated to a multiplicity of policy enforcement points (PEPs) having nodes distributed throughout the network, including a common key provided to at least one encryption/decryption unit to facilitate encryption of packets such that encrypted packets can be decrypted by any one of at least one other encryption/decryption unit; and wherein the network automatically provides a network topography of secure communication based upon the policy and keys distributed to the PEPs for any encryption form at the nodes, thereby providing a secure, flexible network security solution.
  • 2. The system of claim 1, wherein the KAP is operable to reconfigure secure PEP interactivity without requiring change to the network infrastructure.
  • 3. The system of claim 1, wherein the at least encryption/decryption unit enables high bandwidth encryption/decryption over a high bandwidth network.
  • 4. The system of claim 1, wherein the common key is symmetrical.
  • 5. The system of claim 1, wherein any encryption/decryption unit is operable to encrypt and/or decrypt any packet.
  • 6. The system of claim 1, wherein multiple encryption/decryption units are connected with a router on each side of a 10 Gb link and wherein any encryption/decryption unit is operable to encrypt and/or decrypt any packet.
  • 7. The system of claim 6, further including two ports, including an encrypted port and a clear port.
  • 8. The system of claim 7, wherein the encrypted port is operable for encrypting plain packets and sending the encrypted plain packets back to the router, then to other side of the 10 Gb link, and for decrypting a received packet and sending the decrypted received packet back to the router to be forwarded to a local address; and the clear port is operable for sending a plain packet to be encrypted and for receiving a decrypted packet.
  • 9. The system of claim 6, wherein each encrypting/decrypting unit has an IP address and the router knows the IP address of each unit connected to the router.
  • 10. The system of claim 6, wherein the units are configured to be dynamically added and/or removed from routers.
  • 11. The system of claim 6, further including a multiplicity of routers and units connected thereto so that each router performs a load balancing in deciding to which unit to send a given packet for encryption and/or decryption.
  • 12. The system of claim 11, wherein the load balancing is performed by link aggregation.
  • 13. The system of claim 11, wherein the load balancing is provided according to a round robin algorithm.
  • 14. The system of claim 1, wherein the KAP is operable to communicate key(s) and policy to peer KAP(s).
  • 15. A method for providing secure interactivity between points on a network comprising the steps of: providing a communication network having a network infrastructure and a secure network topography between a multiplicity of policy enforcement points (PEPs) having nodes with any form of encryption associated therewith; a user providing at least one policy definition to a management and policy (MAP) server in communication with a key authority point (KAP); the KAP generating and distributing keys to the PEPs and at least one common key provided to a multiplicity of encryption/decryption units consistent with the MAP policy; the encryption/decryption units encryption of packets to be transmitted on the network through routers using the common keys so that any other encryption/decryption units can decrypt the packets; and the PEPs enforcing the policy at the nodes to provide secure communication across the network topography.
  • 16. The method of claim 15, wherein multiple encryption/decryption units are connected with a router on each side of a 10 Gb link, any encryption/decryption unit being operable to encrypt and/or decrypt any packet.
  • 17. The method of claim 15, further including two ports, including an encrypted port and a clear port, the ports providing the steps of: the encrypted port encrypting plain packets and sending the encrypted plain packets back to the router, then to other side of the 10 Gb link, and decrypting a received packet and sending the decrypted received packet back to the router to be forwarded to a local address; and the clear port sending a plain packet to be encrypted and for receiving a decrypted packet.
  • 18. The method of claim 15, wherein each encrypting/decrypting unit has an IP address and the router knows the IP address of each unit connected to the router.
  • 19. The method of claim 15, further including the step of adding or removing units from association with the routers.
  • 20. The method of claim 19, further including a multiplicity of routers and units connected thereto, including the steps of each router performing a load balancing in deciding to which unit to send a given packet for encryption and/or decryption.