Process and system for establishing a moving target connection for secure communications in client/server systems

US 10,243,733 B2
Filed: 03/16/2017
Issued: 03/26/2019
Est. Priority Date: 03/17/2016
Status: Active Grant

First Claim

Patent Images

1. A secure communication network, comprising:

at least one server connected to the network and accessing a Distributed Hash Table (DHT), the server having a private and public cryptographic key pair (S_pri, S_pub);

a plurality of clients connected to the network and in communication with the server, each client having a unique private and public cryptographic key pair (C_pri, C_pub);

the server and a communicating client implementing a randomly generated key that changes at some predetermined interval, the server publishing a descriptor d_Tcalculated using the server'"'"'s private key S_priand the client'"'"'s public key C_puband storing the descriptor d_Tin the DHT, and the client querying for the descriptor d_Tstored in the DHT to obtain configuration information;

wherein when the server publishes to the DHT, the server generates a descriptor for time period T, d_T, and a message m, where d_Tis calculated by the server using the following equation;

d_T=H(S_pri·

C_pubⁱ)∥

T)_0→

159where H is a strong hashing algorithm, S_priis the server'"'"'s private key, C_pubⁱis the public key for client Cⁱ, and T defines the time period, and the message, m, is calculated by using the following equation;

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method performs a moving target blind rendezvous by exchanging data through a distributed hash table. The system allows users to securely send small pieces of information over a network while only requiring an exchange of public keys ahead of time. The system relies on the size and resilience of the BitTorrent Distributed Hash Table and the security properties of cryptographic constructions such as Elliptic Curve Diffie-Hellman key exchange and secure one-way hash functions.

Citations

12 Claims

1. A secure communication network, comprising:
- at least one server connected to the network and accessing a Distributed Hash Table (DHT), the server having a private and public cryptographic key pair (S_pri, S_pub);
  
  a plurality of clients connected to the network and in communication with the server, each client having a unique private and public cryptographic key pair (C_pri, C_pub);
  
  the server and a communicating client implementing a randomly generated key that changes at some predetermined interval, the server publishing a descriptor d_Tcalculated using the server'"'"'s private key S_priand the client'"'"'s public key C_puband storing the descriptor d_Tin the DHT, and the client querying for the descriptor d_Tstored in the DHT to obtain configuration information;
  
  wherein when the server publishes to the DHT, the server generates a descriptor for time period T, d_T, and a message m, where d_Tis calculated by the server using the following equation;
  
  d_T=H(S_pri·
  
  C_pubⁱ)∥
  
  T)_0→
  
  159where H is a strong hashing algorithm, S_priis the server'"'"'s private key, C_pubⁱis the public key for client Cⁱ, and T defines the time period, and the message, m, is calculated by using the following equation;
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The secure communication network of claim 1, wherein the server stores arbitrary piece of data in the DHT that is retrieved by a client, the server generates a DHT key or descriptor d_Tand calculates a shared secret using a function over the private key S_priof the server and the public key C_pubof the client, and when a client requests data from the DHT, the client generates d_Tby concatenating the shared secret between the client and the server generated using a function over the client'"'"'s private key C_priand the server'"'"'s public key S_pub.
  - 3. The secure communications network of claim 1, wherein a client'"'"'s seed Interface Identifier (IID) is generated as shown in the following equation:
    - C_IID=H((S_pri·
      
      C_pub)∥
      
      K)_0→
      
      63=H((S_pub·
      
      C_pri)∥
      
      K)_0→
      
      63where H is a strong hashing function and K is a key that has been pseudo-randomly generated by the server and was retrieved by the client from the DHT, the retrieved message containing all of the configuration information required to calculate the client'"'"'s own addresses, namely the key (K), the rotation period (Rot), and a server'"'"'s seed IID, and the client calculates its own seed IID with the server'"'"'s public key and its own private key.
  - 4. The secure communication network of claim 1, wherein the server generates a different message for each client, even if each client should receive the same unencrypted message, due to the fact that the server uses the client'"'"'s public key in order to encrypt an original message.
  - 5. The secure communication network of claim 1, wherein the DHT is the BitTorrent Distributed Hash Table.
  - 6. The secure communication network of claim 1, wherein the encryption algorithm used is the Elliptic Curve Diffie-Hellman (ECDH) algorithm.

7. A method of providing secure communication over a network, comprising the steps of:
- connecting at least one server to the network, the server accessing a Distributed Hash Table (DHT) and having a private and public cryptographic key pair (S_pri, S_pub);
  
  connecting a plurality of clients to the network so as to be in communication with the server, each client having a unique private and public cryptographic key pair (C_pri, C_pub);
  
  implementing by the server and a communicating client a randomly generated key that changes at some predetermined interval;
  
  publishing by the server a descriptor d_Tcalculated using the server'"'"'s private key S_priand the client'"'"'s public key C_pub;
  
  storing by the server the descriptor d_Tin the DHT, andquerying by the client for the descriptor d_Tstored in the DHT to obtain configuration information;
  
  the step of publishing by the server to the DHT, the step of publishing including the steps of;
  
  generating by the server a descriptor for time period T, d_T, and a message m, where d_Tis calculated by the server using the following equation;
  
  d_T=H(S_pri·
  
  C_pubⁱ)∥
  
  T)_0→
  
  159where H is a strong hashing algorithm, S_priis the server'"'"'s private key, C_pubⁱis the public key for client Cⁱ, and T defines the time period, andgenerating by the server the message, m, is calculated by calculating equation;
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of providing secure communication over a network of claim 7 further comprising the steps of:
    - storing by the server stores arbitrary piece of data in the DHT that is then retrieved by a client;
      
      generating by the server a DHT key or descriptor d_T;
      
      calculating by the server a shared secret using a function over the private key S_priof the server and the public key C_pubof the client; and
      
      when a client requests data from the DHT, generating by the client d_Tby concatenating the shared secret between the client and the server generated using a function over the client'"'"'s private key C_priand the server'"'"'s public key S_pub.
  - 9. The method of providing secure communications over a network of claim 7, further comprising the step of generating a client'"'"'s seed Interface Identifier (IID) by calculating the following equation:
    - C_IID=H((S_pri·
      
      C_pub)∥
      
      K)_0→
      
      63=H((S_pub·
      
      C_pri)∥
      
      K)_0→
      
      63where H is a strong hashing function and K is a key that has been pseudo-randomly generated by the server and was retrieved by the client from the DHT, the retrieved message containing all of the configuration information required to calculate the client'"'"'s own addresses, namely the key (K), the rotation period (Rot), and a server'"'"'s seed IID, and the client calculates its own seed IID with the server'"'"'s public key and its own private key.
  - 10. The method of providing secure communications over a network of claim 7, further comprising the step of generating by the server a different message for each client, even if each client should receive the same unencrypted message, due to the fact that the server uses the client'"'"'s public key in order to encrypt an original message.
  - 11. The method of providing secure communications over a network of claim 7, wherein the DHT is the BitTorrent Distributed Hash Table.
  - 12. The method of providing secure communications over a network of claim 7, wherein the encryption algorithm used is the Elliptic Curve Diffie-Hellman (ECDH) algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virginia Tech Intellectual Properties, Inc. (Virginia Polytechnic Institute and State University)
Original Assignee
Virginia Tech Intellectual Properties, Inc. (Virginia Polytechnic Institute and State University)
Inventors
Morrell, Christopher F., Moore, Reese A., Tront, Joseph G., Marchany, Randolph C.
Primary Examiner(s)
Ho, Dao Q
Assistant Examiner(s)
Noaman, Bassam A

Application Number

US15/460,935
Publication Number

US 20170272242A1
Time in Patent Office

740 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0869   involving random numbers or...

H04L 9/14   using a plurality of keys o...

H04L 9/16   the keys or algorithms bein...

H04L 9/3066   involving algebraic varieti...

H04L 9/3242   involving keyed hash functi...

Process and system for establishing a moving target connection for secure communications in client/server systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Process and system for establishing a moving target connection for secure communications in client/server systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links