Modern organizations generate store, and communicate large quantities of data. In many instances, organizations include individuals having different rights to data, or different rights to communicate with other individuals or access particular computing resources. It is frequently important that such organizations be able to quickly and securely access the data stored at the data storage system. In addition, it is frequently important that data stored at a data storage system, or communicated between computing systems, be recoverable if the data is communicated or written incorrectly or are otherwise intercepted or corrupted.
To address the above issues, Unisys Corporation of Blue Bell, Pa. developed a Stealth solution that uses a kernel-level driver to implement end-to-end cryptographic connections for communication of data across public and private networks. This solution allows users to communicate with other users having common user rights, while segregating user groups by way of assignment of different cryptographic keys used for each user group, or “community of interest”. However, the Stealth solution has some drawbacks.
Internet Protocol Security (IPsec) is one such standards-based protocol suite used for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec is an end-to-end security scheme of the Internet Protocol Suite. As compared to other security systems such as SSL, SSH, or TLS, IPsec operates in the Internet Layer rather than operating in the upper layers of the TCP/IP model. Hence, IPsec protects any application traffic across an Internet Protocol (IP) network. Applications do not need to be specifically designed to use IPsec, whereas TLS/SSL is required to be designed into an application to protect the application protocols. In addition, IPsec operates in both IPv4 and IPv6-enabled networks.
However, IPsec is not without drawbacks. Existing IPsec-enabled systems typically negotiate to create IPsec tunnels, or secure tunnels, on a point-to-point basis, rather than allowing for data access by multiple entities within the same “community of interest”. Furthermore, IPsec is only available on some modern computing systems, and may be limited in availability in different types of systems, such as mobile devices. Furthermore, different implementations of IPsec on different types of computing systems are handled differently, leading to inconsistencies in connection parameters. Additionally, IPsec is built based on a premise that two computing systems can negotiate security parameters; when two such systems intend to form a secure tunnel, that tunnel is established through use of an IKE key exchange, which requires a response to an initial transmission. However, to accomplish perfect forward secrecy, such trading of security parameters may not be possible.
Still further issues arise in the context of mobile devices, which may be located external to the secure network to which such mobile devices wish to connect. Such devices may use operating systems that lack support for Stealth, and may lack support for IPsec entirely. Furthermore, because such devices are mobile, there is no reliable instance in which the device may have a dedicated secured connection either to or within a network. Accordingly, improvements in the various existing secured communications systems are desired.