Digitally signed network address
First Claim
1. A system to provide digitally signed network addresses, the system comprising:
a domain name system (DNS) computing device configured with computer-executable instructions to:
obtain a request to resolve a domain name into a network address;
determine a portion of the network address based at least in part on the domain name;
hash the portion of the network address according to a cryptographic hash function to result in a hash value;
encrypt the hash value with a cryptographic private key to result in a digital signature;
combine at least the portion and the digital signature to result in the network address, wherein the network address is represented by at least a set of bits, and wherein a first subset of bits within the network address represents the portion of the network address and wherein a second subset of bits within the network address represents the digital signature; and
return the network address in response to the request; and
a router computing device configured with computer-executable instructions to:
obtain a data packet addressed to the network address including the first subset of bits representing the portion and the second subset of bits representing the digital signature;
hash the portion of the network address according to the cryptographic hash function to result in a second hash value;
decrypt the digital signature, as represented by the second subset of bits within the network address to which the data packet was addressed, with a cryptographic public key corresponding to the cryptographic private key to result in a decryption output;
compare the decryption output and the second hash value to determine a validity of the digital signature represented by the second subset of bits within the network address to which the data packet was addressed; and
route the data packet based at least in part on the validity of the digital signature represented by the second subset of bits within the network address to which the data packet was addressed.
Abstract
Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.
21 Claims
1. (Independent claim; reproduced in full above under First Claim. Dependent claims: 2, 3.)
4. A computer-implemented method comprising:
obtaining a DNS request to resolve a domain name into a network address;
determining a portion of the network address based at least in part on the DNS request;
hashing the portion of the network address according to a cryptographic hash function to result in a hash value;
encrypting the hash value with a cryptographic private key to result in an encrypted value representing the portion of the network address in a hashed and encrypted form;
combining at least the portion and the encrypted value to result in the network address, wherein the network address is represented by at least a set of bits, and wherein a first subset of bits within the network address represents the portion of the network address and wherein a second subset of bits within the network address represents the encrypted value representing the portion of the network address in the hashed and encrypted form; and
returning the network address, including the first subset of bits that represents the portion and the second subset of bits that represents the encrypted value representing the portion in the hashed and encrypted form, in response to the request.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12, 13.

14. Non-transitory computer-readable media comprising computer-executable instructions that, when executed, cause a computing system to:
obtain a request for a network address, wherein the request includes DNS-level information associated with a DNS request to resolve a domain name into the network address;
determine a portion of the network address based at least in part on the DNS request;
hash the portion of the network address according to a cryptographic hash function to result in a hash value;
encrypt the hash value with a private key to result in an encrypted value representing the portion of the network address in a hashed and encrypted form;
combine at least the portion and the encrypted value to result in the network address, wherein the network address is represented by at least a set of bits, and wherein a first subset of bits within the network address represents the portion of the network address and wherein a second subset of bits within the network address represents the encrypted value representing the portion of the network address in the hashed and encrypted form; and
return the network address, including the first subset of bits that represents the portion and the second subset of bits that represents the encrypted value representing the portion in the hashed and encrypted form, in response to the request.
Dependent claims: 15, 16, 17, 18, 19, 20, 21.
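The procedure recited in claims 1, 4 and 14 (DNS side: derive a portion, hash it, "encrypt" the hash with a private key, pack portion and signature into the address bits; router side: re-hash, "decrypt" with the public key, compare, route on the result) as an added Python model. This is illustration written for this page, not code from the patent or its assignee. Everything about the concrete layout is an assumption: a 128-bit IPv6 address split 64/64 between portion and signature, the documentation prefix 2001:db8::/32 plus 32 bits of SHA-256(domain) as the portion, SHA-256 truncated to 63 bits as the hash, and textbook RSA with a deliberately tiny 64-bit modulus so that the raw RSA output actually fits in the second subset of bits. That last point is the practitioner caveat: a raw RSA signature is exactly as wide as the modulus, so any modulus that fits inside a 64-bit address field is trivially factorable; the key below demonstrates the bit layout and the verify-then-route logic, not a secure signature.

```python
"""Toy model of the digitally signed network address in the claims.

DNS side builds  portion || sign(hash(portion))  as one 128-bit IPv6 address;
the router re-hashes the portion, "decrypts" the signature bits with the public
key and routes on whether the two values match. Added example, not patent code.
Prefix, field widths, hash truncation and the 64-bit toy RSA modulus are all
assumptions; a 64-bit RSA modulus is NOT secure and is used only so the
signature fits in the address."""
import hashlib
import ipaddress

PREFIX = 0x20010DB8          # assumed /32 prefix (2001:db8::/32, documentation range)
SIG_BITS = 64                # second subset: the low 64 bits carry the signature
MASK64 = (1 << 64) - 1

# Toy RSA key: two 32-bit primes so the modulus (and hence the signature) is < 2^64.
_P, _Q = 4294967291, 4294967279          # 2^32 - 5 and 2^32 - 17
for _prime in (_P, _Q):                  # cheap Fermat sanity check on the constants
    assert pow(2, _prime - 1, _prime) == 1
RSA_N = _P * _Q
RSA_E = 65537                            # public exponent, held by the router
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent, held by the DNS service


def portion_for_domain(domain: str) -> int:
    """First subset of bits (64): fixed prefix plus the first 32 bits of
    SHA-256(domain). The derivation rule is an assumption of this example."""
    digest = hashlib.sha256(domain.lower().encode()).digest()
    return (PREFIX << 32) | int.from_bytes(digest[:4], "big")


def hash_portion(portion: int) -> int:
    """Cryptographic hash of the portion, truncated to 63 bits so the value is
    always below the toy modulus and the signature stays within 64 bits."""
    digest = hashlib.sha256(portion.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big") >> 1


def dns_resolve(domain: str) -> ipaddress.IPv6Address:
    """DNS side: portion, hash, 'encrypt' the hash with the private key
    (h^d mod n), then concatenate portion || signature into the answer."""
    portion = portion_for_domain(domain)
    signature = pow(hash_portion(portion), RSA_D, RSA_N)   # < RSA_N < 2^64
    return ipaddress.IPv6Address((portion << SIG_BITS) | signature)


def router_check(address) -> bool:
    """Router side: split the destination address (int or IPv6Address) into the
    two bit subsets, re-hash the portion, 'decrypt' the signature bits with the
    public key (s^e mod n) and compare. Needs only the public key and the
    address itself; no mapping table and no packet payload inspection."""
    bits = int(address)
    portion = bits >> SIG_BITS
    signature = bits & MASK64
    decryption_output = pow(signature, RSA_E, RSA_N)
    return decryption_output == hash_portion(portion)


def route(address) -> str:
    """Routing decision based on signature validity."""
    return "forward" if router_check(address) else "drop"


if __name__ == "__main__":
    addr = dns_resolve("example.com")
    print("signed address :", addr, "->", route(addr))
    # Attacker flips one bit inside the portion: the signature no longer matches.
    tampered = int(addr) ^ (1 << 70)
    print("tampered       :", ipaddress.IPv6Address(tampered), "->", route(tampered))
    # An address in the same prefix with an empty signature field is dropped too.
    unsigned = portion_for_domain("example.com") << SIG_BITS
    print("unsigned       :", ipaddress.IPv6Address(unsigned), "->", route(unsigned))
```

The router's decision depends only on the destination address and the public key, which is the property the abstract relies on for identifying attack traffic without separate mappings or payload inspection. Note that the check binds the signature to the portion, not to a sender: anyone who has observed a valid signed address can reuse it, so the scheme rejects forged or unsigned destinations rather than authenticating the source of a packet.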
Specification