Systems and methods for secured domain name system use based on pre-existing trust

US 20060059337A1
Filed: 09/16/2004
Published: 03/16/2006
Est. Priority Date: 09/16/2004
Status: Active Grant

First Claim

Patent Images

1. A method for distributing private information through a public distributed database system, the method comprising the steps of:

communicating at least a portion of encrypted data to a domain name system (DNS);

storing the encrypted data in a memory unit associated with the DNS;

communicating encrypted data-related keying material and encryption identifying data from a first user associated with the encrypted data to a second user that has a pre-existing trust established with the first user;

querying the DNS for at least a portion of the encrypted data based upon the encryption identifying data;

responding the at least a portion of the encrypted data to a digital device associated with the second user based on the query; and

decrypting the at least a portion of the encrypted data based upon the keying material.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, devices and methods are presented for providing controlled use of information stored publicly within the domain name system (DNS). Controlled use is established by storing encrypted data at the DNS servers and establishing trust, in the form of transfer of keying material, with requisite parties. The invention provides backward compatibility with existing DNS servers, in that, it provides for storage of encrypted data in existing resource records. The invention benefits from allowing storage in the DNS to be divided into both public and private classification, such that a user can identify and store certain public information that is available to all parties that have access to the DNS, while other information that has been classified as private is only available to parties which have established a trust.

119 Citations

66 Claims

1. A method for distributing private information through a public distributed database system, the method comprising the steps of:
- communicating at least a portion of encrypted data to a domain name system (DNS);
  
  storing the encrypted data in a memory unit associated with the DNS;
  
  communicating encrypted data-related keying material and encryption identifying data from a first user associated with the encrypted data to a second user that has a pre-existing trust established with the first user;
  
  querying the DNS for at least a portion of the encrypted data based upon the encryption identifying data;
  
  responding the at least a portion of the encrypted data to a digital device associated with the second user based on the query; and
  
  decrypting the at least a portion of the encrypted data based upon the keying material.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein the step of communicating at least a portion of encrypted data to a DNS further comprises communicating at least a portion of encrypted data including an encrypted Internet Protocol (IP) address to the DNS.
  - 3. The method of claim 1, wherein the step of communicating at least a portion of encrypted data to a DNS further comprises communicating at least a portion of encrypted data including an encrypted service dependent address to the DNS.
  - 4. The method of claim 3, wherein the service dependent address is chosen from the group consisting of a Unified Resource Name (URN) and a Unified Resource Identifier (URI).
  - 5. The method of claim 3, wherein the service dependent address is chosen from the group consisting of an electronic mail (email) address, a Session Initiation Protocol (SIP) address, a HyperText Transfer Protocol (http) address, a File Transfer Protocol (ftp) address, and an Lightweight Directory Access Protocol (ldap).
  - 6. The method of claim 1, wherein the step of communicating at least a portion of encrypted data to a DNS further comprises communicating, based on hypertext transfer protocol (http), at least a portion of encrypted data to a DNS.
  - 7. The method of claim 1, wherein the step of communicating at least a portion of encrypted data to a DNS further comprises communicating, via Short Message Service (SMS), at least a portion of encrypted data to a DNS.
  - 8. The method of claim 1, wherein the step of communicating at least a portion of encrypted data to a DNS further comprises communicating, via Multimedia Message Service (MMS), at least a portion of encrypted data to a DNS.
  - 9. The method of claim 1, wherein the step of communicating encryption data-related keying material and encryption identifying data from a first user associated with the encrypted data to a second user that has a pre-existing trust with the first user further comprises communicating encryption data-related keying material and a domain name from the first user associated with the encrypted data to the second user that has a pre-existing trust with the first user.
  - 10. The method of claim 1, wherein the step of communicating encryption data-related keying material and encryption identifying data from a first user associated with the encrypted data to a second user that has a pre-existing trust with the first user further comprises communicating keying material and a first user telephone number from the first user associated with the encrypted data to a second user that has a pre-existing trust with the first use.
  - 11. The method of claim 1, wherein the step of communicating encryption data-related keying material from a first user associated with the encrypted data to a second user that has a pre-existing trust with the first user further comprises communicating via a communication medium chosen from the group consisting of Short Message Service (SMS), Multimedia Message Service (MMS), electronic mail (email) and instant messaging (IM).
  - 12. The method of claim 9, wherein the step of querying the DNS for at least a portion of the encrypted data based upon the encryption identifying data further comprises querying the DNS to determine at least a portion of the encrypted data based upon the domain name.
  - 13. The method of claim 10, wherein the step of querying the DNS for at least a portion of the encrypted data based upon the encryption identifying data further comprises querying the DNS to determine at least a portion of the encrypted data based upon the first user telephone number.
  - 14. The method of claim 2, wherein the step of decrypting the at a least a portion of the encrypted data based upon the keying material further comprises decrypting the encrypted IP address.
  - 15. The method of claim 2, wherein the step of decrypting the at least a portion of the encrypted data based upon the keying material further comprises decrypting the encrypted service dependent address.
  - 16. The method of claim 1, further comprising the step of initiating communication between a digital device associated with the second user and a digital device associated with the first user based upon the decrypted data.
  - 17. The method of claim 16, wherein the step of initiating communication between a digital device associated with the second user and a digital device associated with the first user based upon the decrypted data further comprises initiating communication between a digital device associated with the second user and a digital device associated with the first user based upon the decrypted IP address.
  - 18. The method of claim 16, wherein the step of initiating communication between a digital device associated with the second user and a digital device associated with the first user based upon the decrypted data further comprises initiating communication between a digital device associated with the second user and a digital device associated with the first user based upon the decrypted service dependent address.
  - 19. The method of claim 1, further comprising the step of communicating, from the first user to the second user, reference to a service that the keying material is intended to be used with.
  - 20. The method of claim 1, further comprising the step of storing the communicated keying material and encryption identifying data at the digital device associated with the second user.
  - 21. The method of claim 20, wherein the step of storing the communicated keying material and encryption identifying data at the digital device associated with the second user further comprising storing under a contact card associated with the first user in a contact card application.
  - 22. The method of claim 1, further comprising the step of communicating, from the first user to the second user, a name resolution bootstrapping identifier.
  - 23. The method of claim 1, further comprising the step of communicating, from the first user to a second user, control information related to the use of the encrypted data.

24. A method for distributing Internet Protocol (IP) addresses intended for private use through a public distributed database system, the method comprising the steps of:
- communicating an encrypted IP address to a domain name system (DNS);
  
  storing the encrypted IP address in a memory unit associated with the DNS;
  
  communicating encryption data-related keying material and a domain name from a first user associated with the encrypted data to a second user that has a pre-existing trust established with the first user;
  
  querying the DNS for the encrypted IP address based upon the domain name;
  
  responding the encrypted IP address to a digital device associated with the second user based on the query; and
  
  decrypting the encrypted IP address based upon the keying material.
- View Dependent Claims (25)
- - 25. The method of claim 24, further comprising the step of initiating communication between a digital device associated with the second user and a digital device associated with the first user based upon the decrypted IP address.

26. A method for distributing user service dependent addresses intended for private use through a public distributed database system, the method comprising the steps of:
- communicating an encrypted service dependent address to a domain name system (DNS);
  
  storing the encrypted service dependent address in a memory unit associated with the DNS;
  
  communicating encryption data-related keying material and a first user telephone number from the first user associated with the encrypted data to a second user that has a pre-existing trust established with the first use;
  
  querying the DNS for the encrypted service dependent address based upon the first user telephone number responding the encrypted IP address to a digital device associated with the second user based on the query; and
  
  decrypting the encrypted first user service dependent address based upon the keying material.
- View Dependent Claims (27, 28, 29)
- - 27. The method of claim 26, further comprising the step of initiating communication between a digital device associated with the second user and a digital device associated with the first user based upon the decrypted service dependent address.
  - 28. The method of claim 26, wherein the service dependent address is chosen from the group consisting of a Unified Resource Name (URN) and a Unified Resource Identifier (URI).
  - 29. The method of claim 26, wherein the service dependent address is chosen from the group consisting of an electronic mail (email) address, a Session Initiation Protocol (SIP) address, a HyperText Transfer Protocol (http) address, a File Transfer Protocol (ftp) address, and a Lightweight Delivery Access Protocol (ldap) address.

30. A system for distributing information intended for private use through a public distributed database, the system comprising:
- a first digital device that includes a processing unit capable of network communication of encrypted data;
  
  a domain name system (DNS) device that receives at least a portion of encrypted data communicated from the first digital device and stores the at least a portion of encrypted data in associated memory; and
  
  a second digital device that includes a processing unit capable of network querying the DNS for at least a portion of the encrypted data based on encryption identifying data and capable of decrypting the at least a portion of the encrypted data based on keying material.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 31. The system of claim 30, wherein the first digital device further includes an encryption application executed by the processing unit that is capable of encrypting data.
  - 32. The system of claim 30, wherein the DNS device stores the at least a portion of encrypted data in one or more resource records.
  - 33. The system of claim 32, wherein the one or more resource records that store at least a portion of encrypted data have an enabled flag indicator.
  - 34. The system of claim 30, wherein the second digital device further includes a resolver library that determines an address for the DNS device prior to querying.
  - 35. The system of claim 30, wherein the second digital device that includes a processing unit capable of decrypting the at least a portion of the encrypted data performs decryption at an application level.
  - 36. The system of claim 30, wherein the second digital device that includes a processing unit capable of decrypting the at least a portion of the encrypted data performs decryption at the resolver library level.
  - 37. The system of claim 30, wherein the second digital device that includes a processing unit capable of decrypting the at least a portion of the encrypted data performs decryption at a Transmission Control Protocol/Internet Protocol (TCP/IP) stack level.
  - 38. The system of claim 30, wherein the first digital device is further defined as including a processing unit capable of communicating encrypted data via a network communication medium chosen from the group consisting of Short Message Service (SMS), Multimedia Message Service (MMS), Wireless Application Protocol (WAP), electronic mail, HyperText Transfer Protocol (HTTP) and HyperText Transfer Protocol Secure (HTTPS).
  - 39. The system of claim 30, wherein the first digital device is further defined as including a processing unit that is capable of wireless communication of encrypted data.
  - 40. The system of claim 30, wherein the first digital device is further defined as a cellular network telephone.
  - 41. The system of claim 30, wherein the first digital device is further defined as a device chosen from the group consisting of a Global System for Mobile communications (GSM) device, a General Packet Radio Service (GPRS) device, a Universal Mobile Telecommunications Service (UMTS) device, a Third Generation system for mobile communications (3G) device and Enhanced Data for GSM Evolution (EDGE).
  - 42. The system of claim 30, wherein the first digital device is further defined as an Internet Protocol (IP) enabled network device.
  - 43. The system of claim 30, wherein the first digital device that includes a processing unit capable of network communication of encrypted data further defines the encrypted data as an email address.
  - 44. The system of claim 30, wherein the first digital device that includes a processing unit capable of network communication of encrypted data further defines the encrypted data as an identifier associated with a telephone number.
  - 45. The system of claim 30, wherein the processing unit of the second digital device executes an application that is capable of storing the keying material and the encryption identifying data in a contact card.
  - 46. The system of claim 30, wherein the second digital device further includes a memory unit that stores a catalog capable of storing the keying material and the encryption identifying data.
  - 47. The system of claim 46, wherein the catalog is specific to a service that the encrypted data is intended to be used with.

48. A network device in a public distributed database system, the device comprising:
- an input that receives at least part of encrypted data and receives queries requesting at least part of the encrypted data;
  
  a processor in communication with the input that determines a storage location for the received encrypted data and processes the queries requesting at least part of the encrypted data;
  
  a storage unit in communication with the processor that includes one or more resource records that store the encrypted data based on the determination of the processor; and
  
  an output in communication with the processor that communicates at least part of the encrypted data based on the queries requesting at least part of the encrypted data.
- View Dependent Claims (49, 50, 51, 52, 53, 54, 55, 56)
- - 49. The network device of claim 48, wherein the one or more resource records include resource records capable of storing an encrypted network address.
  - 50. The network device of claim 49, wherein the one or more resource records are chosen from the group consisting of A, AAAA and A6 resource records.
  - 51. The network device of claim 48, wherein the one or more resource records include resource records capable of storing an encrypted service dependent address.
  - 52. The network device of claim 51, wherein the one or more resource records are chosen from the group consisting of MX and NAPTR resource records.
  - 53. The network device of claim 48, wherein the one or more resource records include the TXT resource record.
  - 54. The network device of claim 48, wherein the one or more resource records include a flag indicator for indicating if the resource record includes encrypted data.
  - 55. The network device of claim 54, wherein the one or more resource records include a flag indicator for indicating if the resource record includes semantically compatible encrypted data.
  - 56. The network device of claim 54, wherein the one or more resource records include a flag indicator for indicating if the resource record includes syntax compatible encrypted data.

57. A mobile terminal device in network communication with a public distributed database system, the device comprising:
- one or more processors capable of encrypting data by a chosen encryption key, communicating the encrypted data to the public distributed database system, communicating the encryption key to a chosen recipient;
  
  querying the public distributed database system for at least a portion of the encrypted data and decrypting the at a least a portion of the encrypted data by use of the chosen encryption key.
- View Dependent Claims (58)
- - 58. The mobile terminal device of claim 57, wherein the one or more processors are capable of receiving secondary keying material and encryption identifying data from a secondary mobile terminal device, querying the public distributed database for secondary encryption data based on the encryption identifying data and decrypting the secondary encryption data based on the secondary keying material.

59. A mobile terminal device in network communication with a public distributed database system, the device comprising:
- a memory unit that stores contact information; and
  
  a processing unit in communication with the memory unit that receives at least a portion of encryption keying material from a contact and automatically determines if the contact has stored contact information and, if the stored contact information exists, automatically stores the at least a portion of the encryption keying material with the stored contact information in the memory unit.
- View Dependent Claims (60, 61, 62)
- - 60. The mobile terminal of claim 59, further comprising a decryption application executed by the processing unit that, upon receipt of encryption data from the public distributed database, automatically retrieves the keying material from the memory unit and automatically uses the keying material to decrypt the encryption data.
  - 61. The mobile terminal device of claim 59, wherein the processing unit further receives encryption identifying data and automatically queries a domain name system to retrieve the at least a portion of the encrypted data related to the encryption identifying data.
  - 62. The mobile terminal of claim 59, wherein the processing unit automatically stores the encryption identifying data with the stored contact information in the memory unit.

63. A method for resolving a service independent identifier at a digital device, the method comprising the steps of:
- receiving a service independent identifier at a digital device;
  
  resolving the service independent identifier by querying a domain name system;
  
  receiving an encrypted service independent identifier at the digital device; and
  
  decrypting the encrypted service independent identifier at the digital device.
- View Dependent Claims (64, 65, 66)
- - 64. The method of claim 63, wherein the decrypted service independent identifier includes a service dependent identifier and the method includes the step of resolving the service dependent identifier by querying a domain name system.
  - 65. The method of claim 64, further comprising the steps of receiving a clear text service dependent identifier at the digital device and initiating the service based on the identifier.
  - 66. The method of claim 64, further comprising the steps of receiving an encrypted service dependent identifier at the digital device, decrypting the encrypted service dependent identifier and initiating the service based on the decrypted identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Poyhonen, Petteri, Flinck, Hannu

Granted Patent

US 7,502,923 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/4557   Directories for hybrid netw...

H04L 63/0428   wherein the data content is...

H04L 67/1097   for distributed storage of ...

Systems and methods for secured domain name system use based on pre-existing trust

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for secured domain name system use based on pre-existing trust

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links