Secure ISN generation

US 20050198509A1
Filed: 02/13/2004
Published: 09/08/2005
Est. Priority Date: 02/13/2004
Status: Active Grant

First Claim

Patent Images

1. In a local server that receives data from one or more remote clients over a data transport protocol, a method of generating an initial sequence number for use by a remote client when assigning sequence numbers to one or more data packets to be sent to the local server, the initial sequence number generated in a manner that prevents the local server from being attacked while maintaining reliable data transfer, the method comprising the acts of:

generating a random input key using arbitrary information maintained secret by the local server;

receiving a connection identifier key that includes connection information for at least the remote client;

securely initializing a hash function with at least a portion of the random input key and at least a portion of the connection identifier key for determining an intermediate value of an initial sequence number;

creating a monotonically increasing counter for ensuring that a same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and for ensuring randomness of the initial sequence number on a per connection basis for preventing attacks on the local server;

incrementing the counter a fixed value based on a passage of a predetermined time period;

incrementing the counter a variable amount depending upon a rate of connections with the local server, wherein if the rate of connections is beyond a threshold value the variable increment is based on an elapsed time, otherwise the variable increment is based on each connection established with the local server; and

combining the intermediate value, the fixed value and the variable amount for generating the initial sequence number.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An initial sequence number generator is provided that prevents the local server from being attacked while maintaining reliable data transfer. A random intermediate value is created that is unique to each connection identifier and is combined with a random value created from a global counter to generate the initial sequence number. The counter capable of monotonically increasing by both a fixed and variable amount for ensuring that the same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and also to ensures randomness of the initial sequence number on a per connection basis for preventing attacks on the local server.

15 Citations

View as Search Results

40 Claims

1. In a local server that receives data from one or more remote clients over a data transport protocol, a method of generating an initial sequence number for use by a remote client when assigning sequence numbers to one or more data packets to be sent to the local server, the initial sequence number generated in a manner that prevents the local server from being attacked while maintaining reliable data transfer, the method comprising the acts of:
- generating a random input key using arbitrary information maintained secret by the local server;
  
  receiving a connection identifier key that includes connection information for at least the remote client;
  
  securely initializing a hash function with at least a portion of the random input key and at least a portion of the connection identifier key for determining an intermediate value of an initial sequence number;
  
  creating a monotonically increasing counter for ensuring that a same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and for ensuring randomness of the initial sequence number on a per connection basis for preventing attacks on the local server;
  
  incrementing the counter a fixed value based on a passage of a predetermined time period;
  
  incrementing the counter a variable amount depending upon a rate of connections with the local server, wherein if the rate of connections is beyond a threshold value the variable increment is based on an elapsed time, otherwise the variable increment is based on each connection established with the local server; and
  
  combining the intermediate value, the fixed value and the variable amount for generating the initial sequence number.
- View Dependent Claims (2, 3, 4, 5, 6, 8, 9, 10)
- - 2. The method of claim 1, wherein if the rate of connections is below the threshold value, the fixed value is further incremented based on each connection established with the local server.
  - 3. The method of claim 2, wherein based on the fixed value, if a remote client'"'"'s data transfer rate while connected to the local server is less than a specified byte rate then the connection identifier used by the remote client the is allowed immediate re-connection to the local server after the remote client disconnects.
  - 4. The method of claim 1, wherein the connection identifier key further includes connection information for one or more of the local server port, local server routing address, remote port and remote routing address.
  - 5. The method of claim 4, wherein the data transport protocol is Transmission Control Protocol, and wherein the local and remote routing addresses are Internet Protocol addresses.
  - 6. The method of claim 1, wherein at least a second connection is made between the local server and a second remote client, and wherein the method further including the acts of:
    - receiving a second connection identifier key that includes connection information for at least the second remote client;
      
      securely initializing the hash function with at least a portion of the random input key and at least a portion of the second connection identifier key for determining a second intermediate value of a second initial sequence number;
      
      based on at least a portion of the second connection identifier key, creating a second monotonically increasing counter for ensuring that a same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and for ensuring randomness of the second initial sequence number on a per connection basis for preventing attacks on the local server;
      
      incrementing the second counter the fixed value based on the passage of the predetermined time period;
      
      incrementing the second counter a second variable amount depending upon a rate of connections with the local server and for those connections associated with the second counter, wherein if the rate of connections with the local server and for those connections associated with the second counter is beyond a threshold value the variable increment is based on an elapsed time, otherwise the variable increment is based on each connection established with the local server and associated with the second counter; and
      
      combining the second intermediate value, the fixed value and the second variable amount for generating the second initial sequence number.
  - 8. The method of claim 1, wherein the combining of the intermediate value, the fixed value and the variable amount is a mathematical operation or function.
  - 9. The method of claim 1, wherein if the rate of connections is beyond the threshold value the variable increments up to an amount of 0x000022FB every millisecond, otherwise the variable increment is an amount between 16 K and 32 K.
  - 10. The method of claim 1, wherein the monotonically increasing counter is shared by at least two connections at the same time.

7. The method of claim wherein 1, wherein the arbitrary information maintained as a secret by the local server is based on timing, state conditions for the local server, or both, at boot up time of the local server, which include one or more of a time of day, a day of month, a month, a year, a local server hard drive head position, and whether input was detected by hardware of the local server.

11. In a local server that receives data from one or more remote clients over a data transport protocol, a method of generating an initial sequence number for use by a remote client when assigning sequence numbers to one or more data packets to be sent to the local server, the initial sequence number generated in a manner that prevents the local server from being attacked while maintaining reliable data transfer, the method comprising the steps for:
- determining an intermediate value of an initial sequence number by hashing a random input key and a connection identifier key, which includes connection information for at least the remote client, the random input key being generated using arbitrary information maintained secret by the local server;
  
  ensuring that a same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and ensuring randomness of the initial sequence number on a per connection basis for preventing attacks on the local server by monotonically incrementing a counter both a fixed value based on a passage of a predetermined time period and a variable amount depending upon a rate of connections with the local server, wherein if the rate of connections is beyond a threshold value the variable increment is based on an elapsed time, otherwise the variable increment is based on each connection established with the local server; and
  
  generating the initial sequence number by combining the intermediate value, the fixed value and the variable amount.
- View Dependent Claims (12, 13, 14, 15, 16, 18, 19, 20)
- - 12. The method of claim 11, wherein if the rate of connections is below the threshold value, the fixed value is further incremented based on each connection established with the local server.
  - 13. The method of claim 12, wherein the fixed value is 25.6 K, and wherein if a remote client'"'"'s data transfer rate while connected to the local server is less than 256 K then the connection identifier used by the remote client the is allowed immediate re-connection to the local server after the remote client disconnects.
  - 14. The method of claim 11, wherein the connection identifier key further includes connection information for one or more of the local server port, local server routing address, remote port and remote routing address.
  - 15. The method of claim 14, wherein the data transport protocol is Transmission Control Protocol, and wherein the local and remote routing addresses are Internet Protocol addresses.
  - 16. The method of claim 11, wherein at least a second connection is made between the local server and a second remote client, and wherein the method further including the acts of:
    - receiving a second connection identifier key that includes connection information for at least the second remote client;
      
      securely initializing the hash function with at least a portion of the random input key and at least a portion of the second connection identifier key for determining a second intermediate value of a second initial sequence number;
      
      based on at least a portion of the second connection identifier key, creating a second monotonically increasing counter for ensuring that a same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and for ensuring randomness of the second initial sequence number on a per connection basis for preventing attacks on the local server;
      
      incrementing the second counter the fixed value based on the passage of the predetermined time period;
      
      incrementing the second counter a second variable amount depending upon a rate of connections with the local server and for those connections associated with the second counter, wherein if the rate of connections with the local server and for those connections associated with the second counter is beyond a threshold value the variable increment is based on an elapsed time, otherwise the variable increment is based on each connection established with the local server and associated with the second counter; and
      
      combining the second intermediate value, the fixed value and the second variable amount for generating the second initial sequence number.
  - 18. The method of claim 11, wherein the combining of the intermediate value, the fixed value and the variable amount is a mathematical operation or function.
  - 19. The method of claim 11, wherein if the rate of connections is beyond the threshold value the variable increments up to an amount of 0x000022FB every millisecond, otherwise the variable increment is an amount between 16 K and 32 K.
  - 20. The method of claim 11, wherein the monotonically increasing counter is shared by at least two connections at the same time.

17. The method of claim wherein 11, wherein the arbitrary information maintained as a secret by the local server is based on timing, state conditions for the local server, or both, at boot up time of the local server, which include one or more of a time of day, a day of month, a month, a year, a local server hard drive head position, and whether input was detected by hardware of the local server.

21. For a local server that receives data from one or more remote clients over a data transport protocol, a computer program product comprising computer readable media carrying computer executable instructions that implement a method of generating an initial sequence number for use by a remote client when assigning sequence numbers to one or more data packets to be sent to the local server, the initial sequence number generated in a manner that prevents the local server from being attacked while maintaining reliable data transfer, the method comprising the acts of:
- generating a random input key using arbitrary information maintained secret by the local server;
  
  receiving a connection identifier key that includes connection information for at least the remote client;
  
  securely initializing a hash function with at least a portion of the random input key and at least a portion of the connection identifier key for determining an intermediate value of an initial sequence number;
  
  creating a monotonically increasing counter for ensuring that a same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and for ensuring randomness of the initial sequence number on a per connection basis for preventing attacks on the local server;
  
  incrementing the counter a fixed value based on a passage of a predetermined time period;
  
  incrementing the counter a variable amount depending upon a rate of connections with the local server, wherein if the rate of connections is beyond a threshold value the variable increment is based on an elapsed time, otherwise the variable increment is based on each connection established with the local server; and
  
  combining the intermediate value, the fixed value and the variable amount for generating the initial sequence number.
- View Dependent Claims (22, 23, 24, 25, 26, 28, 29, 30)
- - 22. The computer program product of claim 21, wherein if the rate of connections is below the threshold value, the fixed value is further incremented based on each connection established with the local server.
  - 23. The computer program product of claim 22, wherein the fixed value is 25.6 K, and wherein if a remote client'"'"'s data transfer rate while connected to the local server is less than 256 K then the connection identifier used by the remote client the is allowed immediate re-connection to the local server after the remote client disconnects.
  - 24. The computer program product of claim 21, wherein the connection identifier key further includes connection information for one or more of the local server port, local server routing address, remote port and remote routing address.
  - 25. The computer program product of claim 24, wherein the data transport protocol is Transmission Control Protocol, and wherein the local and remote routing addresses are Internet Protocol.
  - 26. The computer program product of claim 21, wherein at least a second connection is made between the local server and a second remote client, and wherein the computer executable instructions further implement the method including the acts of:
    - receiving a second connection identifier key that includes connection information for at least the second remote client;
      
      securely initializing the hash function with at least a portion of the random input key and at least a portion of the second connection identifier key for determining a second intermediate value of a second initial sequence number;
      
      based on at least a portion of the second connection identifier key, creating a second monotonically increasing counter for ensuring that a same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and for ensuring randomness of the second initial sequence number on a per connection basis for preventing attacks on the local server;
      
      incrementing the second counter the fixed value based on the passage of the predetermined time period;
      
      incrementing the second counter a second variable amount depending upon a rate of connections with the local server and for those connections associated with the second counter, wherein if the rate of connections with the local server and for those connections associated with the second counter is beyond a threshold value the variable increment is based on an elapsed time, otherwise the variable increment is based on each connection established with the local server and associated with the second counter; and
      
      combining the second intermediate value, the fixed value and the second variable amount for generating the second initial sequence number.
  - 28. The computer program product of claim 21, wherein the combining of the intermediate value, the fixed value and the variable amount is a mathematical operand or function.
  - 29. The computer program product of claim 21, wherein if the rate of connections is beyond the threshold value the variable increments up to an amount of 0x000022FB every millisecond, otherwise the variable increment is an amount between 16 K and 32 K.
  - 30. The computer program product of claim 21, wherein the monotonically increasing counter is shared by at least two connections at the same time.

27. The computer program product of claim wherein 21, wherein the arbitrary information maintained as a secret by the local server is based on timing, state conditions for the local server, or both, at boot up time of the local server, which include one or more of a time of day, a day of month, a month, a year, the local server hard drive position, and whether input was detected by hardware of the local server.

31. For a local server that receives data from one or more remote clients over a data transport protocol, a computer program product comprising computer readable media carrying computer executable instructions that implement a method of generating an initial sequence number for use by a remote client when assigning sequence numbers to one or more data packets to be sent to the local server, the initial sequence number generated in a manner that prevents the local server from being attacked while maintaining reliable data transfer, the method comprising the steps for:
- determining an intermediate value of an initial sequence number by hashing a random input key and a connection identifier key, which includes connection information for at least the remote client, the random input key being generated using arbitrary information maintained secret by the local server;
  
  ensuring that a same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and ensuring randomness of the initial sequence number on a per connection basis for preventing attacks on the local server by monotonically incrementing a counter both a fixed value based on a passage of a predetermined time period and a variable amount depending upon a rate of connections with the local server, wherein if the rate of connections is beyond a threshold value the variable increment is based on an elapsed time, otherwise the variable increment is based on each connection established with the local server; and
  
  generating the initial sequence number by combining the intermediate value, the fixed value and the variable amount.
- View Dependent Claims (32, 33, 34, 35, 36, 38, 39, 40)
- - 32. The computer program product of claim 31, wherein if the rate of connections is below the threshold value, the fixed value is further incremented based on each connection established with the local server.
  - 33. The computer program product of claim 32, wherein based on the fixed value, if a remote client'"'"'s data transfer rate while connected to the local server is less than a specified byte rate then the connection identifier used by the remote client the is allowed immediate re-connection to the local server after the remote client disconnects.
  - 34. The computer program product of claim 31, wherein the connection identifier key further includes connection information for one or more of the local server port, local server routing address, remote port and remote routing address.
  - 35. The computer program product of claim 34, wherein the data transport protocol is Transmission Control Protocol, and wherein the local and remote routing addresses are Internet Protocol.
  - 36. The computer program product of claim 31, wherein at least a second connection is made between the local server and a second remote client, and wherein the computer executable instructions further implement the method including the acts of:
    - receiving a second connection identifier key that includes connection information for at least the second remote client;
      
      securely initializing the hash function with at least a portion of the random input key and at least a portion of the second connection identifier key for determining a second intermediate value of a second initial sequence number;
      
      based on at least a portion of the second connection identifier key, creating a second monotonically increasing counter for ensuring that a same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and for ensuring randomness of the second initial sequence number on a per connection basis for preventing attacks on the local server;
      
      incrementing the second counter the fixed value based on the passage of the predetermined time period;
      
      incrementing the second counter a second variable amount depending upon a rate of connections with the local server and for those connections associated with the second counter, wherein if the rate of connections with the local server and for those connections associated with the second counter is beyond a threshold value the variable increment is based on an elapsed time, otherwise the variable increment is based on each connection established with the local server and associated with the second counter; and
      
      combining the second intermediate value, the fixed value and the second variable amount for generating the second initial sequence number.
  - 38. The computer program product of claim 31, wherein the combining of the intermediate value, the fixed value and the variable amount is a mathematical operand or function.
  - 39. The computer program product of claim 31, wherein if the rate of connections is beyond the threshold value the variable increments up to an amount of 0x000022FB every millisecond, otherwise the variable increment is an amount between 16 K and 32 K.
  - 40. The computer program product of claim 31, wherein the monotonically increasing counter is shared by at least two connections at the same time.

37. The computer program product of claim wherein 31, wherein the arbitrary information maintained as a secret by the local server is based on timing, state conditions for the local server, or both, at boot up time of the local server, which include one or more of a time of day, a day of month, a month, a year, the local server hard drive position, and whether input was detected by hardware of the local server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shelest, Art, Kaniyar, Sanjay, Holden, Scott K., Srinivas, Nk

Granted Patent

US 7,503,068 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/174
CPC Class Codes

H04L 47/34 ensuring sequence integrity...

H04L 63/1458 Denial of Service

Secure ISN generation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Secure ISN generation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links