WO2016173750A1 - Network based encryption - Google Patents


Info

Publication number
WO2016173750A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
client
server
encryption
data session
Application number
PCT/EP2016/054869
Other languages
French (fr)
Inventor
Saurabh Gupta
Reuti Raman Babu
Original Assignee
Longsand Limited

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00  Network architectures or network communication protocols for network security
    • H04L63/20  Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205  Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60  Protecting data
    • G06F21/606  Protecting data by securing the transmission between two devices or processes

Definitions

  • FIG. 2 is a block diagram of an example access manager 110 that may be used to implement the access manager 110 of FIG. 1.
  • the example access manager 110 of FIG. 2 includes a session manager 210, a network analyzer 220, and an encryption selector 230.
  • a communication bus 240 facilitates communication between the session manager 210, the network analyzer 220, and the encryption selector 230.
  • the session manager 210 facilitates establishing a connection between the client 120 and the server 130 via the network 140, and the network analyzer 220 and encryption selector 230 determine encryption settings for the data session.
  • the example session manager 210 of the access manager 110 of FIG. 2 facilitates communication with the client 120 and the server 130.
  • the session manager 210 may receive/identify requests from the client 120 to initiate a data session (e.g., to send data or backup data from the client 120, to retrieve data from the server 130, etc.).
  • the session manager 210 may communicate encryption settings to the client 120 and/or the server 130 for a data session to facilitate establishing the data session.
  • the network analyzer 220 of FIG. 2 analyzes characteristics of the network 140 to determine a level of security of the network.
  • the network analyzer 220 may analyze network information (e.g., address information, security information, etc.).
  • the network analyzer 220 may analyze whether the network is a public or a managed private network, whether the network includes a firewall, and whether the communication protocol used by the client is a secure communication protocol (e.g., SSL communication, TLS communication, etc.). The network analyzer 220 forwards the network characteristics to the encryption selector 230, which selects an encryption technology for a data session between the client 120 and the server 130 based on the characteristics of the network (or of the communication link between the client 120 and the server 130).
  • the encryption selector 230 of FIG. 2 selects an encryption technology for a data session between the client 120 and the server 130 of FIG. 1. Based on the characteristics of the network determined by the network analyzer 220, the encryption selector 230 selects an appropriate encryption technology for the data session. For example, if the network analyzer 220 determines that the characteristics of the network 140 indicate that the network 140 is secure (e.g., the network 140 is a managed private network, the network 140 includes a firewall, the network 140 utilizes a secure communication protocol, etc.), the encryption selector 230 may select a low level of encryption (e.g., bit level encryption, such as 40-bit encryption, 128-bit encryption, etc.) for the data session because the data session may be secured via the network 140.
  • the low level of encryption may allow for a quicker, more efficient data session because encrypting the data transmitted between the client 120 and the server 130 takes less time than using a high level of encryption for the data session.
  • if the network analyzer 220 determines that the characteristics of the network indicate that the network 140 is insecure (e.g., the network 140 is a public network, the network 140 does not use a secure communication protocol, the network 140 (or a portion thereof) or the server 130 is physically located in a geographical location that is considered to be insecure, etc.), the encryption selector 230 may select a high level of encryption (e.g., cascading encryption, multiple encryption, etc.) for the data session to provide a secure data session via the network 140.
  • the access manager 110 provides dynamic encryption settings for data sessions between the client 120 and the server 130 based on characteristics of the network 140 (or characteristics of the
  • a first data session between the client 120 and the server 130 may use a first encryption technology (e.g., a low level encryption technology) when the client 120 is accessing the server via a secure network (e.g., a managed private network), and a second data session between the client 120 and the server 130 may use a second encryption technology (e.g., a high level encryption technology) when the client 120 is accessing the server 130 via an insecure network (e.g., a public network).
  • While an example manner of implementing the access manager 110 of FIG. 1 is illustrated in FIG. 2, at least one of the elements, processes and/or devices illustrated in FIG. 2 may be combined, divided, re-arranged, omitted, eliminated and/or implemented in any other way. Further, the session manager 210, the network analyzer 220, the encryption selector 230 and/or, more generally, the example access manager 110 of FIG. 2 may be
  • any of the session manager 210, the network analyzer 220, the encryption selector 230 and/or, more generally, the example access manager 110 may be implemented by at least one of an analog or digital circuit, a logic circuit, a programmable processor, an application specific integrated circuit (ASIC), a programmable logic device (PLD) and/or a field programmable logic device (FPLD).
  • At least one of the session manager 210, the network analyzer 220, and/or the encryption selector 230 is/are hereby expressly defined to include a tangible computer readable storage device or storage disk such as a memory, a digital versatile disk (DVD), a compact disk (CD), a Blu-ray disk, etc. storing the executable instructions.
  • the example access manager 110 of FIG. 2 may include at least one element, process, and/or device in addition to, or instead of, those illustrated in FIG. 2, and/or may include more than one of any or all of the illustrated elements, processes and devices.
  • FIG. 3 is a communication diagram representative of an example sequence of communications that may be sent within the example client/server system 100 of FIG. 1.
  • the sequence of communications of FIG. 3 is representative of communications that may establish a data session between the client 120 and the server 130 of FIG. 1 in accordance with the teachings of this disclosure.
  • Communications illustrated in the example communication diagram 300 of FIG. 3 are sent between the client 120, the access manager 110, and the server 130, which are representative of the respective components of the communication system 100 of FIG. 1.
  • the example communications (302-310) of FIG. 3 are sent/received between Ts and Tf, denoted by the dotted lines.
  • Each communication 302-310 may include or represent a single communication interaction (e.g., a message, a request, a response, an acknowledgement, a beacon, a ping, etc.), a plurality of communications, or a communication session.
  • the client 120 sends a request 302 to initiate a data session with the server 130.
  • the request 302 is received by the access manager 110.
  • the access manager 110 determines an appropriate encryption level for the data session in accordance with the teachings of this disclosure. The access manager 110 then communicates the selected encryption technology to the client 120 via the response message 304 and to the server 130 via the communication 306.
  • the client 120 initiates the data session with the server 130 via communication 308 using the selected encryption technology.
  • the server 130 may instead initiate the data session via communication 308.
  • the data session 310 is established between the client 120 and the server 130, which may send or receive data (e.g., backup data) via the data session 310.
  • A flowchart representative of example machine readable instructions for implementing the access manager 110 of FIG. 2 is shown in FIG. 4.
  • the machine readable instructions comprise a program/process for execution by a processor such as the processor 512 shown in the example processor platform 500 discussed below in connection with FIG. 5.
  • the program/process may be embodied in executable instructions (e.g., software) stored on a tangible computer readable storage medium such as a CD-ROM, a floppy disk, a hard drive, a digital versatile disk (DVD), a Blu-ray disk, or a memory associated with the processor 512, but the entire program/process and/or parts thereof could alternatively be executed by a device other than the processor 512 and/or embodied in firmware or dedicated hardware.
  • Although the example program is described with reference to the flowchart illustrated in FIG. 4, many other methods of implementing the example access manager 110 may alternatively be used.
  • the order of execution of the blocks may be changed, and/or some of the blocks described may be changed, eliminated, or combined.
  • the example process 400 of FIG. 4 begins with an initiation of the access manager 110 (e.g., upon startup, upon instructions from a user, upon startup of a device implementing the access manager 110 (e.g., the server 130, a server controller associated with the server 130, etc.), etc.).
  • the example process 400 may be executed to select an encryption technology for a data session between the client 120 and the server 130.
  • at block 410, the session manager 210 receives a request to initiate a data session between the client 120 and the server 130. In examples disclosed herein, the request may be received from the client 120 and/or the server 130.
  • at block 420, the network analyzer 220 analyzes characteristics of the network (e.g., the network from which the request was received).
  • the network analyzer 220 determines the type of network (e.g., public or private) that the network 140 is, determines geographic locations of all or portions of the network 140, determines whether the network 140 includes a firewall, determines whether the network 140 uses a secure communication protocol, etc. In other words, at block 420, the network analyzer 220 may determine a security level of the network 140.
  • at block 430, the encryption selector 230 selects an encryption technology for the data session based on the characteristics of the network. For example, the more secure the network 140 is determined to be by the network analyzer 220, the lower the level of encryption selected for the data session by the encryption selector 230. On the other hand, the less secure the network 140 is determined to be by the network analyzer 220, the higher the level of encryption selected for the data session by the encryption selector 230.
  • after block 430, the example process 400 ends.
  • the session manager 210 may communicate the selected encryption level to the client 120 and the server 130 to establish the data session.
  • the example process(es) of FIG. 4 may be implemented using coded instructions (e.g., computer and/or machine readable instructions) stored on a tangible computer readable storage medium such as a hard disk drive, a flash memory, a read-only memory (ROM), a compact disk (CD), a digital versatile disk (DVD), a cache, a random-access memory (RAM) and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information).
  • the term tangible computer readable storage medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and to exclude transmission media.
  • the terms “tangible computer readable storage medium” and “tangible machine readable storage medium” are used interchangeably. Additionally or alternatively, the example processes of FIG. 4 may be implemented using coded instructions stored on a non-transitory computer and/or machine readable medium such as a hard disk drive, a flash memory, a read-only memory, a compact disk, a digital versatile disk, a cache, a random-access memory and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information).
  • FIG. 5 is a block diagram of an example processor platform 500 capable of executing the instructions of FIG. 4 to implement the access manager 110 of FIG. 2.
  • the example processor platform 500 may be any apparatus or may be included in any type of apparatus, such as a server, a personal computer, a mobile device (e.g., a cell phone, a smart phone, a tablet, etc.), or any other type of computing device.
  • the processor platform 500 of the illustrated example of FIG. 5 includes a processor 512.
  • the processor 512 of the illustrated example is hardware.
  • the processor 512 can be implemented by at least one integrated circuit, logic circuit, microprocessor or controller from any desired family or manufacturer.
  • the processor 512 of the illustrated example includes a local memory 513 (e.g., a cache).
  • the processor 512 of the illustrated example is in communication with a main memory including a volatile memory 514 and a nonvolatile memory 516 via a bus 518.
  • the volatile memory 514 may be
  • the non-volatile memory 516 may be implemented by flash memory and/or any other desired type of memory device. Access to the main memory 514, 516 is controlled by a memory controller.
  • the processor platform 500 of the illustrated example also includes an interface circuit 520.
  • the interface circuit 520 may be implemented by any type of interface standard, such as an Ethernet interface, a universal serial bus (USB), and/or a peripheral component interconnect (PCI) express interface.
  • At least one input device 522 is connected to the interface circuit 520.
  • the input device(s) 522 permit(s) a user to enter data and commands into the processor 512.
  • the input device(s) can be implemented by, for example, an audio sensor, a microphone, a keyboard, a button, a mouse, a touchscreen, a track-pad, a trackball, and/or a voice recognition system.
  • At least one output device 524 is also connected to the interface circuit 520 of the illustrated example.
  • the output device(s) 524 can be implemented, for example, by display devices (e.g., a light emitting diode (LED), an organic light emitting diode (OLED), a liquid crystal display, a cathode ray tube display (CRT), a touchscreen, a tactile output device, a light emitting diode (LED), a printer and/or speakers).
  • the interface circuit 520 of the illustrated example thus may include a graphics driver card, a graphics driver chip or a graphics driver processor.
  • the interface circuit 520 of the illustrated example also includes a communication device such as a transmitter, a receiver, a transceiver, a modem and/or network interface card to facilitate exchange of data with external machines (e.g., computing devices of any kind) via a network 526 (e.g., an Ethernet connection, a digital subscriber line (DSL), a telephone line, coaxial cable, a cellular telephone system, etc.).
  • the network 526 may implement the network 140 of FIG. 1 or be in communication with the network 140.
  • the processor platform 500 of the illustrated example also includes at least one mass storage device 528 for storing executable instructions. Examples of mass storage device(s) 528 include floppy disk drives, hard drive disks, compact disk drives, Blu-ray disk drives, RAID systems, and digital versatile disk (DVD) drives.
  • the coded instructions 532 of FIG. 4 may be stored in the mass storage device 528, in the local memory 513, in the volatile memory 514, in the non-volatile memory 516, and/or on a removable tangible computer readable storage medium such as a CD or DVD.
  • Examples disclosed herein provide for fast, efficient data sessions when a secure network is identified for the data session by using a low level encryption technology, and secure, robust data sessions when an insecure network is identified for the data session.
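
As an added example (not code from the patent or its assignee), the FIG. 2 components, the FIG. 4 process (blocks 410-430) and the FIG. 3 exchange (302-310) worked through in Python. The analyzer's scoring rule, the three encryption tiers, the policy floor and every class and function name are assumptions made for this illustration.

```python
# Added illustration of WO2016173750A1's access manager; names, the scoring
# rule and the policy floor are assumptions, not taken from the patent.
from dataclasses import dataclass, field
from typing import List
from enum import IntEnum


class SecurityLevel(IntEnum):
    """Output of the network analyzer 220 (block 420)."""
    INSECURE = 0
    MODERATE = 1
    SECURE = 2


class EncryptionLevel(IntEnum):
    """Encryption technologies ordered from lowest to highest level. The patent
    calls single "bit level" ciphers low and cascading/multiple encryption high."""
    LOW = 0      # single-layer cipher on a network already deemed secure
    MEDIUM = 1   # single-layer cipher with no reliance on the network
    HIGH = 2     # cascading / multiple encryption for insecure networks


@dataclass(frozen=True)
class NetworkCharacteristics:
    """What the analyzer inspects. Values must be observed by the access manager
    itself (connection transport, source address, topology), never taken from a
    client-supplied claim, or the client could downgrade its own session."""
    is_private: bool          # managed private network vs public network
    has_firewall: bool        # client is behind a firewall
    secure_protocol: bool     # request arrived over SSL/TLS rather than plaintext
    insecure_location: bool = False  # network/server in a location deemed insecure


def analyze_network(chars: NetworkCharacteristics) -> SecurityLevel:
    """Network analyzer 220 (block 420). Assumed rule: an insecure location, or a
    public network without a secure protocol, is INSECURE; all three positive
    indicators together are SECURE; anything in between is MODERATE."""
    if chars.insecure_location:
        return SecurityLevel.INSECURE
    if not chars.is_private and not chars.secure_protocol:
        return SecurityLevel.INSECURE
    if chars.is_private and chars.has_firewall and chars.secure_protocol:
        return SecurityLevel.SECURE
    return SecurityLevel.MODERATE


def select_encryption(level: SecurityLevel,
                      floor: EncryptionLevel = EncryptionLevel.LOW) -> EncryptionLevel:
    """Encryption selector 230 (block 430): the more secure the network, the lower
    the encryption level, and vice versa. `floor` is an added policy baseline (not
    in the patent) so a trusted network can never push the choice below it."""
    inverse = EncryptionLevel(int(SecurityLevel.SECURE) - int(level))
    return max(inverse, floor)


@dataclass(frozen=True)
class Message:
    """One communication of FIG. 3, tagged with its reference numeral."""
    ref: int
    sender: str
    receiver: str
    payload: str


@dataclass
class AccessManager:
    """Session manager 210 plus analyzer and selector, keeping a FIG. 3 log."""
    floor: EncryptionLevel = EncryptionLevel.LOW
    log: List[Message] = field(default_factory=list)

    def handle_request(self, client: str, server: str,
                       chars: NetworkCharacteristics) -> EncryptionLevel:
        """Blocks 410-430: receive request 302, analyze, select, then tell the
        client (304) and the server (306) which technology to use."""
        self.log.append(Message(302, client, "access_manager", "initiate data session"))
        level = analyze_network(chars)
        chosen = select_encryption(level, self.floor)
        self.log.append(Message(304, "access_manager", client, chosen.name))
        self.log.append(Message(306, "access_manager", server, chosen.name))
        return chosen

    def establish_session(self, client: str, server: str,
                          client_enc: EncryptionLevel,
                          server_enc: EncryptionLevel) -> bool:
        """Communications 308/310: refuse to open the session unless both
        endpoints hold the same selected technology (no silent downgrade)."""
        if client_enc != server_enc:
            return False
        self.log.append(Message(308, client, server, f"open session using {client_enc.name}"))
        self.log.append(Message(310, client, server, "data session established"))
        return True


def run_example() -> dict:
    """Two constructed networks: a managed private network behind a firewall
    reached over TLS, and a public hotspot reached in plaintext."""
    am = AccessManager()
    office = NetworkCharacteristics(is_private=True, has_firewall=True, secure_protocol=True)
    hotspot = NetworkCharacteristics(is_private=False, has_firewall=False, secure_protocol=False)
    low = am.handle_request("client120", "server130", office)    # -> LOW
    high = am.handle_request("client120", "server130", hotspot)  # -> HIGH
    opened = am.establish_session("client120", "server130", high, high)
    return {"office": low, "hotspot": high, "opened": opened, "messages": len(am.log)}
```

The floor exists because the description's low tier includes 40-bit encryption, which is far below any current baseline regardless of how trusted the network is.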

Abstract

An example disclosed herein involves receiving (410), via a network, a request to initiate a data session between a client and a server; analyzing (420) characteristics of the network; and selecting (430) an encryption technology for the data session based on the characteristics of the network.

Description

NETWORK BASED ENCRYPTION
BACKGROUND
[0001] Clients utilize backup servers to securely store sensitive data (e.g., images, documents, videos, etc.). The client devices (e.g., personal computers, mobile devices, etc.) may access the backup servers using various communication networks, communication protocols, or communication devices. With the use of the Internet, cloud computing, etc., the client devices may access the backup servers regardless of the respective locations of the client device and the backup servers.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] FIG. 1 is a schematic diagram of an example client/server system including an access manager that may be implemented in accordance with an aspect of this disclosure.
[0003] FIG. 2 is a block diagram of an example access manager that may be used to implement the access manager of FIG. 1.
[0004] FIG. 3 is a message diagram representative of communications in the client/server system of FIG. 1.
[0005] FIG. 4 is a flowchart representative of example machine readable instructions that may be executed to implement the access manager of FIG. 2.
[0006] FIG. 5 is a block diagram of an example processor platform capable of executing the instructions of FIG. 4 to implement the access manager of FIG. 2.
[0007] Wherever possible, the same reference numbers will be used throughout the drawing(s) and accompanying written description to refer to the same or like parts.
DETAILED DESCRIPTION
[0008] Examples disclosed herein involve dynamically setting an encryption level for a data session between a client and a server based on characteristics of a network. In examples disclosed herein, an access manager may determine a security level of a network through which a client is attempting to access the server. The security level of the network may depend on whether the network is public or private, includes a firewall, includes a secure communication protocol, etc. Based on the security level of the network, the access manager selects an appropriate encryption technology for the data session to provide an efficient secure data session between the client and server.
[0009] Encryption provides secure data between two devices, such as a client and a server (e.g., a backup server). Advanced encryption technologies or encryption technologies that provide a high level of encryption increase security over data transmitted in a data session. However, the advanced encryption (e.g., cascading encryption, multiple encryption, etc.) may limit the speed of the data session due to the time constraints imposed by such encryption technologies. Accordingly, in some instances, it may be beneficial to use low level encryption technologies for a data session when a secure communication link may be established for the data session. Examples disclosed herein provide an access manager that analyzes a network through which a client is seeking to access a server and determines an appropriate encryption technology for a data session between the client and the server based on the characteristics (e.g., level of security, geographic location, etc.) of the network (or a portion thereof).
[0010] Examples disclosed herein involve determining a level of security of the network in response to receiving a request, via the network, to establish a data session between a client and a server, and selecting an encryption technology for use by the client and the server in the data session based on the level of security of the network. An example method includes receiving a request to initiate a data session between a client and a server via a network, analyzing characteristics of the network, and selecting an encryption technology for the data session based on the characteristics of the network. An example apparatus includes a session manager to receive a request from a client to initiate a data session between the client and a server via a network, a network analyzer to determine a level of security of the network, and an encryption selector to select an encryption technology for the data session based on the level of security of the network.
[0011] FIG. 1 is a schematic diagram of an example client/server system 100 including an access manager 1 10 that may be implemented in accordance with an aspect of this disclosure. The example client server system 100 includes the access manager 1 10, a client 120, a server 130, and a network 140. In the illustrated example of FIG. 1 , the client communicates with the access manager 1 10 and the server 130 via the network 140. In examples disclosed herein, the access manager 1 10 allows the client 120 to access the server 130 using an encryption technology based on the characteristics of the network 140.
[0012] The example client 120 of FIG. 1 may access the server 130 using any suitable communication technique via the network 140. The client 120 may be a personal computer (e.g., a laptop computer, a desktop computer, etc.), a mobile device (e.g., a tablet, a smartphone, a cellular phone, etc.), or any other type of device. In examples disclosed herein, the client 120 may access the server to back up data from the client 120 to the server 130 or to retrieve backup data from the server 130. Accordingly, in examples disclosed herein, when the client 120 requests to initiate or establish a data session with the server 130, the client 120 may be seeking to back up data to the server 130 or retrieve backed up data from the server 130.
[0013] The example server 130 of FIG. 1 may be any suitable type of server. In examples disclosed herein, the server 130 may be a backup server for storing backup data of the client 120. For example, the server 130 may periodically (or aperiodically) receive data (e.g., images, documents, videos, texts, messages, emails, etc.) locally stored on the client 120 in order to keep that data safe. In some examples, the server 130 may be a different type of server that provides a service (e.g., gaming, security, identity, etc.) to the client 120.
[0014] The example network 140 may be any type of network (e.g., the Internet, a local area network (LAN), a wide area network (WAN), a cellular network). Additionally, the network 140 may include a plurality of networks (e.g., a cellular network, the Internet, and a LAN). The example network 140 may include a public network, a private network, a virtual private network, a firewall, etc. In examples disclosed herein, the network 140 may employ any suitable communication protocol. For example, the network 140 may utilize secure communication protocols (e.g., Secure Socket Layer (SSL) communication, Transport Layer Security (TLS) communication, etc.) or insecure communication protocols.
[0015] In examples disclosed herein, the access manager 110 analyzes the characteristics of the communication link between the client 120 and the server 130. For example, the access manager 110 may analyze characteristics of the network 140 to determine the type of encryption technology that is to be used for a data session between the client 120 and the server 130. Such characteristics may include whether the network 140 is a public network or a private network (e.g., a managed private network). Additionally or alternatively, the access manager 110 may identify whether the client 120 is attempting to access the server 130 via a secure communication link. For example, the access manager 110 may determine whether the client 120 is behind a firewall or whether the client 120 is communicating via the network 140 using SSL communication or TLS communication.
[0016] FIG. 2 is a block diagram of an example access manager 110 that may be used to implement the access manager 110 of FIG. 1. The example access manager 110 of FIG. 2 includes a session manager 210, a network analyzer 220, and an encryption selector 230. In the illustrated example of FIG. 2, a communication bus 240 facilitates communication between the session manager 210, the network analyzer 220, and the encryption selector 230. In examples disclosed herein, the session manager 210 facilitates establishing a connection between the client 120 and the server 130 via the network 140, and the network analyzer 220 and the encryption selector 230 determine the encryption settings for the data session.
[0017] The example session manager 210 of the access manager 110 of FIG. 2 facilitates communication with the client 120 and the server 130. In examples disclosed herein, the session manager 210 may receive or identify requests from the client 120 to initiate a data session (e.g., to send data or backup data from the client 120, to retrieve data from the server 130, etc.). The session manager 210 may communicate encryption settings for a data session to the client 120 and/or the server 130 to facilitate establishing the data session.
[0018] The network analyzer 220 of FIG. 2 analyzes characteristics of the network 140 to determine a level of security of the network. In examples disclosed herein, the network analyzer 220 may analyze network or communication information received in communications (e.g., requests, messages, etc.) from the client 120 and/or the server 130. For example, network information (e.g., address information, security information, communication protocol, network type (e.g., public or private), etc.) may be included in a request to access the server 130 (e.g., to initiate a data session). In some examples, the network analyzer 220 may analyze whether the network is a public or a managed private network, whether the network includes a firewall, and whether the communication protocol used by the client is a secure communication protocol (e.g., SSL communication, TLS communication, etc.). The network analyzer 220 forwards the network characteristics to the encryption selector 230, which selects an encryption technology for a data session between the client 120 and the server 130 based on the characteristics of the network (or of the communication link between the client 120 and the server 130).
[0019] The encryption selector 230 of FIG. 2 selects an encryption technology for a data session between the client 120 and the server 130 of FIG. 1. Based on the characteristics of the network determined by the network analyzer 220, the encryption selector 230 selects an appropriate encryption technology for the data session. For example, if the network analyzer 220 determines that the characteristics of the network 140 indicate that the network 140 is secure (e.g., the network 140 is a managed private network, the network 140 includes a firewall, the network 140 utilizes a secure communication protocol, etc.), the encryption selector 230 may select a low level of encryption (e.g., bit level encryption, such as 40-bit encryption, 128-bit encryption, etc.) for the data session because the data session may already be secured by the network 140. In such an example, the low level of encryption may allow for a quicker, more efficient data session because encrypting the data transmitted between the client 120 and the server 130 takes less time than it would with a high level of encryption. On the other hand, if the network analyzer 220 determines that the characteristics of the network indicate that the network 140 is insecure (e.g., the network 140 is a public network, the network 140 does not use a secure communication protocol, the network 140 (or a portion thereof) or the server 130 is physically located in a geographical location that is considered to be insecure, etc.), the encryption selector 230 may select a high level of encryption (e.g., cascading encryption, multiple encryption, etc.) for the data session to provide a secure data session via the network 140.
[0020] Accordingly, the access manager 110 provides dynamic encryption settings for data sessions between the client 120 and the server 130 based on characteristics of the network 140 (or characteristics of the communication link between the client 120 and the server 130). For example, a first data session between the client 120 and the server 130 may use a first encryption technology (e.g., a low level encryption technology) when the client 120 is accessing the server 130 via a secure network (e.g., a managed private network), and a second data session between the client 120 and the server 130 may use a second encryption technology (e.g., a high level encryption technology) when the client 120 is accessing the server 130 via an insecure network (e.g., a public network).
[0021] While an example manner of implementing the access manager 110 of FIG. 1 is illustrated in FIG. 2, at least one of the elements, processes and/or devices illustrated in FIG. 2 may be combined, divided, re-arranged, omitted, eliminated and/or implemented in any other way. Further, the session manager 210, the network analyzer 220, the encryption selector 230 and/or, more generally, the example access manager 110 of FIG. 2 may be implemented by hardware and/or any combination of hardware and executable instructions (e.g., software and/or firmware). Thus, for example, any of the session manager 210, the network analyzer 220, the encryption selector 230 and/or, more generally, the example access manager 110 may be implemented by at least one of an analog or digital circuit, a logic circuit, a programmable processor, an application specific integrated circuit (ASIC), a programmable logic device (PLD) and/or a field programmable logic device (FPLD). When reading any of the apparatus or system claims of this patent to cover a purely software and/or firmware implementation, at least one of the session manager 210, the network analyzer 220, and/or the encryption selector 230 is/are hereby expressly defined to include a tangible computer readable storage device or storage disk such as a memory, a digital versatile disk (DVD), a compact disk (CD), a Blu-ray disk, etc. storing the executable instructions. Further still, the example access manager 110 of FIG. 2 may include at least one element, process, and/or device in addition to, or instead of, those illustrated in FIG. 2, and/or may include more than one of any or all of the illustrated elements, processes and devices.
[0022] FIG. 3 is a communication diagram representative of an example sequence of communications that may be sent within the example client/server system 100 of FIG. 1. The sequence of communications of FIG. 3 is representative of communications that may establish a data session between the client 120 and the server 130 of FIG. 1 in accordance with the teachings of this disclosure. Communications illustrated in the example communication diagram 300 of FIG. 3 are sent between the client 120, the access manager 110, and the server 130, which are representative of the respective components of the communication system 100 of FIG. 1. The example communications (302-310) of FIG. 3 are sent/received between Ts and Tf, denoted by the dotted lines. Each communication 302-310 may include or represent a single communication interaction (e.g., a message, a request, a response, an acknowledgement, a beacon, a ping, etc.), a plurality of communications, or a communication session.
[0023] In FIG. 3, at time Ts, the client 120 sends a request 302 to initiate a data session with the server 130. The request 302 is received by the access manager 110. In response to receiving the request, the access manager 110 determines an appropriate encryption level for the data session in accordance with the teachings of this disclosure. The access manager 110 then communicates the encryption technology to the client 120 via the response message 304 and to the server 130 via the communication 306. In response to receiving the response message 304, as illustrated in the example of FIG. 3, the client 120 initiates the data session with the server 130 via communication 308 using the selected encryption technology. In some examples, the server 130 may instead initiate the data session via communication 308. At time Tf, the data session 310 is established between the client 120 and the server 130, which may then send or receive data (e.g., backup data) via the data session 310.
[0024] A flowchart representative of example machine readable instructions for implementing the access manager 110 of FIG. 2 is shown in FIG. 4. In this example, the machine readable instructions comprise a program/process for execution by a processor such as the processor 512 shown in the example processor platform 500 discussed below in connection with FIG. 5. The program/process may be embodied in executable instructions (e.g., software) stored on a tangible computer readable storage medium such as a CD-ROM, a floppy disk, a hard drive, a digital versatile disk (DVD), a Blu-ray disk, or a memory associated with the processor 512, but the entire program/process and/or parts thereof could alternatively be executed by a device other than the processor 512 and/or embodied in firmware or dedicated hardware. Further, although the example program is described with reference to the flowchart illustrated in FIG. 4, many other methods of implementing the example access manager 110 may alternatively be used. For example, the order of execution of the blocks may be changed, and/or some of the blocks described may be changed, eliminated, or combined.
[0025] The example process 400 of FIG. 4 begins with an initiation of the access manager 110 (e.g., upon startup, upon instructions from a user, upon startup of a device implementing the access manager 110 (e.g., the server 130, a server controller associated with the server 130, etc.), etc.). The example process 400 may be executed to select an encryption technology for a data session between the client 120 and the server 130. At block 410, the session manager 210 receives a request to initiate a data session between the client 120 and the server 130. In examples disclosed herein, the request may be received from the client 120 and/or the server 130. At block 420, the network analyzer 220 analyzes characteristics of the network (e.g., the network from which the request was received). For example, at block 420, the network analyzer 220 determines the type of the network 140 (e.g., public or private), the geographic locations of all or portions of the network 140, whether the network 140 includes a firewall, whether the network 140 uses a secure communication protocol, etc. In other words, at block 420, the network analyzer 220 may determine a security level of the network 140.
[0026] At block 430, the encryption selector 230 selects an encryption technology for the data session based on the characteristics of the network. For example, the more secure the network 140 is determined to be by the network analyzer 220, the lower the level of encryption selected for the data session by the encryption selector 230. On the other hand, the less secure the network 140 is determined to be by the network analyzer 220, the higher the level of encryption selected for the data session by the encryption selector 230. After block 430, the example process 400 ends. In some examples, after block 430 the session manager 210 may communicate the selected encryption level to the client 120 and the server 130 to establish the data session.
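The following is an added illustration, not code from the patent or its assignee, of the analyzer/selector split described in [0018]-[0020] and the blocks 410-430 of process 400 above: a network analyzer reduces the observed characteristics (managed private vs. public, firewall, secure protocol, geographic location) to a security level, an encryption selector maps that level to a technology, and the access manager returns the messages 304 and 306 of FIG. 3. The tier names, the scoring thresholds, the sample networks and the choice to credit only TLS (not SSL) as a secure protocol are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Transport(Enum):
    NONE = "none"   # plaintext transport
    SSL = "ssl"     # named as secure in the patent, but obsolete today
    TLS = "tls"


@dataclass(frozen=True)
class NetworkCharacteristics:
    """Observations about the network carrying one request (block 420).
    Derive these from metadata the access manager can check itself (peer
    address, negotiated protocol), not from fields the client asserts about
    its own network, or a client could talk itself into the weaker tier."""
    managed_private: bool    # managed private network (False = public)
    behind_firewall: bool
    transport: Transport
    trusted_location: bool   # geographic location not regarded as insecure


@dataclass(frozen=True)
class SessionRequest:
    # Request 302 of FIG. 3: a client asks to open a session with a server.
    client: str
    server: str
    network: NetworkCharacteristics


class NetworkAnalyzer:
    """Network analyzer 220: reduces characteristics to a security level."""

    def is_secure(self, net: NetworkCharacteristics) -> bool:
        # Any one of the patent's insecure indicators (public network, no
        # secure protocol, untrusted location) makes the whole network insecure.
        return (net.managed_private
                and net.transport is not Transport.NONE
                and net.trusted_location)

    def score(self, net: NetworkCharacteristics) -> int:
        # Count of positive indicators, 0..4.  Only TLS earns the protocol
        # point (constructed choice; SSL is accepted but not credited).
        return sum((net.managed_private, net.behind_firewall,
                    net.transport is Transport.TLS, net.trusted_location))


class EncryptionSelector:
    """Encryption selector 230: the more secure the network, the lower the
    level of encryption ([0026]).  Tier names are constructed; the patent's
    40-bit example is not offered, so "low" still means a modern AEAD cipher."""

    TIERS = {
        "low": "AES-128-GCM",
        "medium": "AES-256-GCM",
        "high": "cascade:AES-256-GCM+ChaCha20-Poly1305",  # multiple encryption
    }

    def select(self, secure: bool, score: int) -> str:
        if not secure:
            return self.TIERS["high"]
        return self.TIERS["low"] if score == 4 else self.TIERS["medium"]


class AccessManager:
    """Access manager 110: session manager 210 glue around the two parts."""

    def __init__(self) -> None:
        self.analyzer = NetworkAnalyzer()
        self.selector = EncryptionSelector()

    def handle(self, req: SessionRequest) -> dict:
        # Blocks 410-430 of FIG. 4, then messages 304 and 306 of FIG. 3.
        net = req.network
        tech = self.selector.select(self.analyzer.is_secure(net),
                                    self.analyzer.score(net))
        return {
            "encryption": tech,
            "client_response": {"to": req.client, "use": tech},         # 304
            "server_notice": {"to": req.server, "use": tech,
                              "peer": req.client},                      # 306
        }


# Constructed sample networks for a backup client reaching its backup server.
OFFICE_LAN = NetworkCharacteristics(True, True, Transport.TLS, True)
HOME_VPN = NetworkCharacteristics(True, False, Transport.TLS, True)
CAFE_WIFI = NetworkCharacteristics(False, False, Transport.TLS, True)
PRIVATE_PLAINTEXT = NetworkCharacteristics(True, True, Transport.NONE, True)


def select_for(net: NetworkCharacteristics) -> str:
    # Convenience wrapper: run the full process and return only the choice.
    req = SessionRequest("laptop-1", "backup-1", net)
    return AccessManager().handle(req)["encryption"]
```

With these samples, OFFICE_LAN gets the low tier, HOME_VPN (no firewall) the medium tier, and both CAFE_WIFI (public) and PRIVATE_PLAINTEXT (no secure protocol) the high tier.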
[0027] As mentioned above, the example process(es) of FIG. 4 may be implemented using coded instructions (e.g., computer and/or machine readable instructions) stored on a tangible computer readable storage medium such as a hard disk drive, a flash memory, a read-only memory (ROM), a compact disk (CD), a digital versatile disk (DVD), a cache, a random-access memory (RAM) and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information). As used herein, the term tangible computer readable storage medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and to exclude transmission media. As used herein, "tangible computer readable storage medium" and "tangible machine readable storage medium" are used interchangeably. Additionally or alternatively, the example processes of FIG. 4 may be implemented using coded instructions (e.g., computer and/or machine readable instructions) stored on a non-transitory computer and/or machine readable medium such as a hard disk drive, a flash memory, a read-only memory, a compact disk, a digital versatile disk, a cache, a random-access memory and/or any other storage device or storage disk in which information is stored for any duration (e.g., for extended time periods, permanently, for brief instances, for temporarily buffering, and/or for caching of the information). As used herein, the term non-transitory computer readable medium is expressly defined to include any type of computer readable storage device and/or storage disk and to exclude propagating signals and to exclude transmission media. As used herein, when the phrase "at least" is used as the transition term in a preamble of a claim, it is open-ended in the same manner as the term "comprising" is open ended. As used herein the term "a" or "an" may mean "at least one," and therefore, "a" or "an" do not necessarily limit a particular element to a single element when used to describe the element. As used herein, when the term "or" is used in a series, it is not, unless otherwise indicated, considered an "exclusive or."
[0028] FIG. 5 is a block diagram of an example processor platform 500 capable of executing the instructions of FIG. 4 to implement the access manager 110 of FIG. 2. The example processor platform 500 may be any apparatus or may be included in any type of apparatus, such as a server, a personal computer, a mobile device (e.g., a cell phone, a smart phone, a tablet, etc.), or any other type of computing device.
[0029] The processor platform 500 of the illustrated example of FIG. 5 includes a processor 512. The processor 512 of the illustrated example is hardware. For example, the processor 512 can be implemented by at least one integrated circuit, logic circuit, microprocessor or controller from any desired family or manufacturer.
[0030] The processor 512 of the illustrated example includes a local memory 513 (e.g., a cache). The processor 512 of the illustrated example is in communication with a main memory including a volatile memory 514 and a non-volatile memory 516 via a bus 518. The volatile memory 514 may be implemented by Synchronous Dynamic Random Access Memory (SDRAM), Dynamic Random Access Memory (DRAM), RAMBUS Dynamic Random Access Memory (RDRAM) and/or any other type of random access memory device. The non-volatile memory 516 may be implemented by flash memory and/or any other desired type of memory device. Access to the main memory 514, 516 is controlled by a memory controller.
[0031] The processor platform 500 of the illustrated example also includes an interface circuit 520. The interface circuit 520 may be implemented by any type of interface standard, such as an Ethernet interface, a universal serial bus (USB), and/or a peripheral component interconnect (PCI) express interface.
[0032] In the illustrated example, at least one input device 522 is connected to the interface circuit 520. The input device(s) 522 permit(s) a user to enter data and commands into the processor 512. The input device(s) can be implemented by, for example, an audio sensor, a microphone, a keyboard, a button, a mouse, a touchscreen, a track-pad, a trackball, and/or a voice recognition system.
[0033] At least one output device 524 is also connected to the interface circuit 520 of the illustrated example. The output device(s) 524 can be implemented, for example, by display devices (e.g., a light emitting diode (LED), an organic light emitting diode (OLED), a liquid crystal display, a cathode ray tube display (CRT), a touchscreen, a tactile output device, a light emitting diode (LED), a printer and/or speakers). The interface circuit 520 of the illustrated example, thus, may include a graphics driver card, a graphics driver chip or a graphics driver processor.
[0034] The interface circuit 520 of the illustrated example also includes a communication device such as a transmitter, a receiver, a transceiver, a modem and/or a network interface card to facilitate exchange of data with external machines (e.g., computing devices of any kind) via a network 526 (e.g., an Ethernet connection, a digital subscriber line (DSL), a telephone line, coaxial cable, a cellular telephone system, etc.). The network 526 may implement the network 140 of FIG. 1 or be in communication with the network 140.
[0035] The processor platform 500 of the illustrated example also includes at least one mass storage device 528 for storing executable instructions (e.g., software) and/or data. Examples of such mass storage device(s) 528 include floppy disk drives, hard drive disks, compact disk drives, Blu-ray disk drives, RAID systems, and digital versatile disk (DVD) drives.
[0036] The coded instructions 532 of FIG. 4 may be stored in the mass storage device 528, in the local memory 513, in the volatile memory 514, in the non-volatile memory 516, and/or on a removable tangible computer readable storage medium such as a CD or DVD.
[0037] From the foregoing, it will be appreciated that the above disclosed methods, apparatus and articles of manufacture provide for dynamically adjusting the encryption technology used for communication with a server based on the characteristics or security level of the network handling the data session. Examples disclosed herein provide for fast, efficient data sessions, using a low level encryption technology, when a secure network is identified for the data session, and for secure, robust data sessions when an insecure network is identified for the data session.
[0038] Although certain example methods, apparatus and articles of manufacture have been disclosed herein, the scope of coverage of this patent is not limited thereto. On the contrary, this patent covers all methods, apparatus and articles of manufacture fairly falling within the scope of the claims of this patent.

CLAIMS

What is claimed is:

1. A method comprising:
receiving, via a network, a request to initiate a data session between a client and a server;
analyzing characteristics of the network; and
selecting an encryption technology for the data session based on the characteristics of the network.
2. The method of claim 1, further comprising: communicating the encryption technology to the client and the server.
3. The method of claim 1, further comprising: initiating the data session between the client and the server.
4. The method of claim 1, further comprising:
determining that the network is a secure network based on the characteristics of the network; and
selecting a first encryption technology that uses a low level of encryption as the encryption technology for the data session.
5. The method of claim 4, further comprising:
determining that the network is at least one of a managed private network, a network behind a firewall, a network utilizing Secure Socket Layer (SSL) communication, or a network utilizing Transport Security Layer (TSL) communication.
6. The method of claim 1, further comprising:
determining that the network is an insecure network based on the characteristics; and
selecting a second encryption technology that uses a high level of encryption as the encryption technology.
7. The method of claim 6, further comprising:
determining that the network is a public network.
8. An apparatus comprising:
a session manager to receive, via a network, a request from a client to initiate a data session between the client and a server;
a network analyzer to determine a level of security of the network; and
an encryption selector to select an encryption technology for the data session based on the level of security of the network.
9. The apparatus of claim 8, wherein the network analyzer is to determine the level of security of the network based on whether the network is a secure network or an unsecured network.
10. The apparatus of claim 8, wherein the session manager is further to: communicate the encryption technology to the client and the server; and initiate the data session.
11. A non-transitory machine readable medium comprising instructions that, when executed, cause a machine to at least:
determine a level of security of the network in response to receiving a request, via the network, to establish a data session between a client and a server; and
select an encryption technology for use by the client and the server in the data session based on the level of security of the network.
12. The non-transitory machine readable medium of claim 11, wherein the instructions, when executed, further cause the machine to:
establish the data session between the client and the server.
13. The non-transitory machine readable medium of claim 11, wherein the instructions, when executed, further cause the machine to:
communicate the encryption technology to the client and the server.
14. The non-transitory machine readable medium of claim 11, wherein the instructions, when executed, further cause the machine to:
select the encryption technology that comprises a high level of encryption when the level of security of the network indicates that the network is insecure.
15. The non-transitory machine readable medium of claim 11, wherein the instructions, when executed, further cause the machine to:
select the encryption technology that comprises a low level of encryption when the level of security of the network indicates that the network is secure.
PCT/EP2016/054869 2015-04-30 2016-03-08 Network based encryption WO2016173750A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN2233CH2015 2015-04-30
IN2233/CHE/2015 2015-04-30

Publications (1)

Publication Number Publication Date
WO2016173750A1 true WO2016173750A1 (en) 2016-11-03

Family

ID=55521694

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2016/054869 WO2016173750A1 (en) 2015-04-30 2016-03-08 Network based encryption

Country Status (1)

Country Link
WO (1) WO2016173750A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16709020; Country of ref document: EP; Kind code of ref document: A1)
WA Withdrawal of international application
NENP Non-entry into the national phase (Ref country code: DE)