IPC classification information
Country / type | United States (US) patent, granted
International Patent Classification (IPC, 7th ed.) |
Application number | US-0846447 (2007-08-28)
Registration number | US-7454609 (2008-11-18)
Inventor / address |
Applicant / address | Intertrust Technologies Corp.
Agent / address | Finnegan, Henderson, Farabow, Garrett & Dunner LLP
Citation information | Cited by: 1 patent; Patents cited: 82
Abstract
One embodiment of an inventive networking environment includes clients called sending clients because they send network content through a network, and clients called receiving clients because they receive the network content from the sending clients through the network. Both sending clients and receiving clients are "clients" in that they rely on a management server to orchestrate the secure transfer of information from sending clients to receiving clients.
Representative claims
What is claimed is:

1. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising:
   (a) at each of the sending and receiving clients, receiving keying information associated with the event from the key server, the keying information including a plurality of selector/security association pairs corresponding to different timewise intervals of the event;
   (b) at the sending client, populating a first database of selector/security association pairs local to the sending client using said keying information received from the key server;
   (c) at the receiving client, populating a second database of selector/security association pairs local to the receiving client using said keying information received from the key server;
   (d) at the sending client, receiving first data from a network application program interface (API) of the sending client, the first data comprising a portion of the event to be sent from the sending client to the receiving client;
   (e) at the sending client, determining if the first data is eligible for a first security operation, wherein eligibility is determined by first selector data contained in the first data;
   (f) at the sending client, creating a first selector based on the first selector data and using said first selector to search the first database for at least one selector/security association pair identifying a first security association corresponding to the first selector;
   (g) at the sending client, applying the first security operation to the first data if the first data is eligible, wherein applying the first security operation comprises using the first security association on the at least a portion of the first data; and
   (h) at the sending client, sending the first data to which the first security operation has been applied to a network protocol layer of the sending client for transfer over the network and reception by a network protocol layer of the receiving client;
   (i) at the receiving client, receiving second data from the network protocol layer of the receiving client, the second data including the first data to which the first security operation has been applied;
   (j) at the receiving client, determining if said second data is eligible for a second security operation, wherein eligibility is determined by second selector data contained in the second data;
   (k) at the receiving client, creating a second selector based on the second selector data and using said second selector to search the second database for at least one selector/security association pair identifying a second security association corresponding to the second selector;
   (l) at the receiving client, applying the second security operation to the second data if the second data is eligible, wherein applying the second security operation comprises using the second security association on the at least a portion of the second data; and
   (m) at the receiving client, sending the second data to which the second security operation has been applied to a network API of the receiving client.

2. The method of claim 1, wherein the first selector data is based at least in part on one of an internet protocol address taken from the first data and a port indicator taken from the first data.

3. The method of claim 1, wherein said applying the first security operation comprises at least one of attaching a header to the first data, said header including a security operation tag, and encrypting the first data.

4. The method of claim 1, wherein said determining if the second data is eligible for the second security operation comprises at least one of detecting a security operation tag in a header of the second data, and detecting failure of an integrity check on the second data.

5. The method of claim 1, wherein said determining if the second data is eligible for the second security operation comprises determining that the second data is not eligible for the second security operation if the second selector cannot be created based on the second selector data, and wherein said second data is sent to the network API of the receiving client without an applied security operation if it is so determined that the second data is not eligible.

6. The method of claim 1, wherein the second security association comprises at least one of applying encryption to the second data, removing special packaging from the second data, applying decryption to the second data, and performing an integrity check on the second data.

7. The method of claim 1, wherein said timewise intervals of said event are relatively short compared to an overall duration of said event.

8. The method of claim 7, wherein said applying the first security operation at the sending client comprises encrypting the first data using a first symmetric encryption key from the first database, and wherein said applying the second security operation at the receiving client comprises reversing said first security operation using a second symmetric encryption key from the second database corresponding to said first symmetric encryption key.

9. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising: at the sending client, receiving data from a network application program interface (API) of the sending client, the data comprising a portion of the event to be sent from the sending client to the receiving client; at the sending client, determining if the data is eligible for a security operation, wherein eligibility is determined by selector data contained in the data; at the sending client, creating a selector based on the selector data and using said selector to search a local sending client database of security associations for at least one selector/security association pair identifying a security association corresponding to the selector, said database storing a plurality of selector/security association pairs received from the key server corresponding to different timewise intervals of said event, wherein, at the receiving client, the receiving client stores a receiving client database comprising a corresponding plurality of selector/security association pairs received from the key server; at the sending client, applying the security operation to the data if the data is eligible, wherein applying the security operation comprises using the security association on the at least a portion of the data; and at the sending client, sending the data to which the security operation has been applied to a network protocol layer of the sending client.

10. The method of claim 9, wherein the selector data is based at least in part on one of an internet protocol address taken from the data and a port indicator taken from the data.

11. The method of claim 9, wherein said applying the security operation comprises at least one of attaching a header to the data, said header including a security operation tag, and encrypting the data.

12. The method of claim 9, wherein said timewise intervals of said event are relatively short compared to an overall duration of said event.

13. A method for implementing data security in a transfer of an event from a sending client to a receiving client located remotely therefrom across a network, the network further including a key server located remotely from each of the sending and receiving clients, the method comprising: at the receiving client, receiving data from a network protocol layer of the receiving client, the data comprising a portion of the event being received at the receiving client; at the receiving client, determining if the data is eligible for a security operation, wherein eligibility is determined by selector data contained in the data; at the receiving client, creating a selector based on the selector data and using said selector to search a local receiving client database of security associations for at least one selector/security association pair identifying a security association corresponding to the selector, said local receiving client database storing a plurality of selector/security association pairs received from the key server corresponding to different timewise intervals of said event, wherein, at the sending client, the sending client stores a sending client database comprising a corresponding plurality of selector/security association pairs received from the key server; at the receiving client, applying the security operation to the data if the data is eligible, wherein applying the security operation comprises using the security association on the at least a portion of the data; and at the receiving client, sending the data to which the security operation has been applied to a network API of the receiving client.

14. The method of claim 13, wherein determining if the data is eligible for a security operation comprises at least one of detecting a security operation tag in a header of the data, and detecting failure of an integrity check on the data.

15. The method of claim 13, further comprising blocking the data from being sent to the network API if no security association corresponding to the selector is found.

16. The method of claim 13, wherein determining if the data is eligible for the security operation comprises determining that the data is not eligible for the security operation if the selector cannot be created based on the selector data, and wherein said data is sent to the network API of the receiving client without an applied security operation if it is so determined that the data is not eligible.

17. The method of claim 13, further comprising blocking the data from being sent to the network API if the data includes selector data but no selector can be created from it.

18. The method of claim 13, wherein the security association comprises at least one of applying encryption to the data, removing special packaging from the data, applying decryption to the data, and performing an integrity check on the data.

19. The method of claim 13, wherein said timewise intervals of said event are relatively short compared to an overall duration of said event.

20. The method of claim 19, wherein said applying the security operation to the data comprises reversing a previous security operation applied to the data by the sending client.
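The claims above describe a pipeline rather than a concrete protocol: a key server hands both clients a table of selector/security-association pairs keyed per timewise interval; the sender builds a selector from fields in each packet (claim 2: an IP address and a port), looks up the association, encrypts and tags the packet (claim 3); the receiver does the mirror lookup, verifies, and decrypts (claims 14, 18), blocking packets with no matching association (claim 15) and passing through packets that carry no selector data at all (claims 5, 16). The following model of that pipeline is an added example, not code from the patent or from Intertrust. The patent names no cipher, key size, header layout or packet format, so the one-tag-byte header, the HMAC-SHA256 integrity check, the SHA-256 counter keystream, the `Packet` shape, and the choice to block rather than pass through when a keyed flow has no association are all assumptions made here so that the example runs on the standard library alone; the keystream is a stand-in for illustration, not a cipher to reuse.

```python
"""Toy model of the sender/receiver security-operation pipeline claimed above.

Added example; not the patent's or Intertrust's code. Wire format, MAC, keystream
and packet shape are assumptions (see comments). Do not reuse the keystream as
real encryption: it exists only so the lookup-and-apply logic can be exercised.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

SECURITY_TAG = b"\x01"   # assumed "security operation tag" that opens a protected packet
MAC_LEN = 32             # HMAC-SHA256 output; assumed placement: tag | mac | ciphertext

Selector = Tuple[str, int, int]   # (dst_ip, dst_port, interval index) - assumed selector fields


@dataclass(frozen=True)
class SecurityAssociation:
    key: bytes   # symmetric key for one timewise interval (claim 8)


@dataclass
class Packet:
    """Assumed packet model; None in a selector field means 'no selector data present'."""
    payload: bytes
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    interval: Optional[int] = None


def make_selector(p: Packet) -> Optional[Selector]:
    """Build the selector from selector data in the packet; None if it cannot be created."""
    if p.dst_ip is None or p.dst_port is None or p.interval is None:
        return None
    return (p.dst_ip, p.dst_port, p.interval)


def _keystream(key: bytes, n: int) -> bytes:
    """Assumed stand-in keystream: SHA-256 over key||counter. Illustration only."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def issue_keying_information(event_id: str, dst_ip: str, dst_port: int,
                             intervals: int) -> Dict[Selector, SecurityAssociation]:
    """Stands in for the key server: one association per timewise interval of the event.
    Keys are constructed deterministically for the demo; a real server would generate them."""
    return {(dst_ip, dst_port, i): SecurityAssociation(
                hashlib.sha256(f"{event_id}/{i}".encode()).digest())
            for i in range(intervals)}


class SendingClient:
    def __init__(self, keying_information: Dict[Selector, SecurityAssociation]):
        self.db = dict(keying_information)   # local selector/SA database (claim 1 (b))

    def to_network(self, p: Packet) -> Optional[Packet]:
        """Data from the API on its way to the protocol layer. None means 'blocked'."""
        sel = make_selector(p)
        if sel is None:            # no selector data: not eligible, forwarded unchanged
            return p
        sa = self.db.get(sel)
        if sa is None:             # assumption: never emit cleartext for a keyed flow
            return None
        ct = _xor(p.payload, _keystream(sa.key, len(p.payload)))
        mac = hmac.new(sa.key, ct, hashlib.sha256).digest()      # encrypt-then-MAC
        return replace(p, payload=SECURITY_TAG + mac + ct)       # header with tag (claim 3)


class ReceivingClient:
    def __init__(self, keying_information: Dict[Selector, SecurityAssociation]):
        self.db = dict(keying_information)   # local selector/SA database (claim 1 (c))

    def to_api(self, p: Packet) -> Optional[Packet]:
        """Data from the protocol layer on its way to the API. None means 'blocked'."""
        sel = make_selector(p)
        if sel is None:            # selector cannot be created: pass through (claims 5, 16)
            return p
        if not p.payload.startswith(SECURITY_TAG):
            return None            # assumption: untagged data on a keyed flow is dropped
        sa = self.db.get(sel)
        if sa is None:
            return None            # no association for this selector: block (claim 15)
        mac, ct = p.payload[1:1 + MAC_LEN], p.payload[1 + MAC_LEN:]
        if not hmac.compare_digest(mac, hmac.new(sa.key, ct, hashlib.sha256).digest()):
            return None            # integrity check failed: block
        return replace(p, payload=_xor(ct, _keystream(sa.key, len(ct))))  # reverse (claim 20)


def build_clients(event_id: str, dst_ip: str, dst_port: int, intervals: int):
    """Both clients receive the same keying information from the 'key server' (claim 1 (a))."""
    info = issue_keying_information(event_id, dst_ip, dst_port, intervals)
    return SendingClient(info), ReceivingClient(info)


if __name__ == "__main__":
    sender, receiver = build_clients("event-42", "10.0.0.2", 5004, intervals=3)
    wire = sender.to_network(Packet(b"frame 7", "10.0.0.2", 5004, interval=1))
    print("decrypted:", receiver.to_api(wire).payload)
```

Two design points worth noticing when reading the claims against this model. First, the interval index is part of the selector, so a packet replayed or relabelled into a different interval fails the lookup (or the MAC) instead of decrypting under the wrong key; this is what makes claim 7's short intervals useful. Second, the pass-through branch of claims 5 and 16 is a policy decision with a security cost: anything the receiver cannot build a selector for reaches the application unprotected, so a deployment would want to bound which flows may legitimately lack selector data, which is the concern claim 17 addresses by blocking instead.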