Establishing Secure TCP/IP Communications Using Embedded IDs

US 20070300290A1
Filed: 03/23/2007
Published: 12/27/2007
Est. Priority Date: 11/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method for establishing secure TCP/IP communications for individual network connections between a source node and a destination node, the method comprising:

intercepting a TCP SYN packet prior to transmission of the packet to the destination node, wherein the packet includes a packet header, and embedding unique identifiers into the packet header, wherein the unique identifiers are associated with a connection attempt between the source node and the destination node, and forwarding the TCP SYN packet with embedded identifiers to the destination node;

intercepting the TCP SYN packet with embedded identifiers prior to arrival of the packet at the destination node, and determining whether secure communications are required;

upon determining that secure communications are required, refusing passage of the TCP SYN packet to the destination node and returning an embed signal RST packet to the source node, the RST packet including an identifier to indicate that secure communications are required;

intercepting the RST packet prior to arrival of the packet at the source node, extracting the secure communications identifier and triggering secure communications for subsequent packets in either direction between the source node and the destination node; and

encrypting outgoing packets between the source node and the destination node, and checking message integrity of the encrypted packet, and further decrypting incoming packets between the source node and the destination node, and checking message integrity of the decrypted packet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for establishing secure TCP/IP communications for individual network connections include the steps of intercepting a conventional TCP SYN packet prior to transmission from a source node to a destination node, embedding unique identifiers into standard fields of the packet header, wherein the unique identifiers are associated with the specific connection attempt and wherein the unique identifiers identify the user account and/or the computer hardware initiating the communication attempt, then forwarding the modified TCP SYN packet to the destination node and intercepting the modified TCP SYN packet prior to arrival, determining whether secure communications are required based on the unique identifiers extracted from the packet headers, based on other TCP/IP information, and based on predefined rules associated with the same. If secure communications are required, such requirement is communicated within either an RST or a SYN-ACK back to the source node.

97 Citations

View as Search Results

24 Claims

1. A method for establishing secure TCP/IP communications for individual network connections between a source node and a destination node, the method comprising:
- intercepting a TCP SYN packet prior to transmission of the packet to the destination node, wherein the packet includes a packet header, and embedding unique identifiers into the packet header, wherein the unique identifiers are associated with a connection attempt between the source node and the destination node, and forwarding the TCP SYN packet with embedded identifiers to the destination node;
  
  intercepting the TCP SYN packet with embedded identifiers prior to arrival of the packet at the destination node, and determining whether secure communications are required;
  
  upon determining that secure communications are required, refusing passage of the TCP SYN packet to the destination node and returning an embed signal RST packet to the source node, the RST packet including an identifier to indicate that secure communications are required;
  
  intercepting the RST packet prior to arrival of the packet at the source node, extracting the secure communications identifier and triggering secure communications for subsequent packets in either direction between the source node and the destination node; and
  
  encrypting outgoing packets between the source node and the destination node, and checking message integrity of the encrypted packet, and further decrypting incoming packets between the source node and the destination node, and checking message integrity of the decrypted packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein at least one of the unique identifiers corresponds to a user account responsible for initiation of the connection attempt.
  - 3. The method of claim 1, wherein at least one of the unique identifiers corresponds to computer hardware of the source node.
  - 4. The method of claim 1, further comprising intercepting the TCP SYN packet at the source node.
  - 5. The method of claim 1, further comprising intercepting the TCP SYN packet at a network location near the source node.
  - 6. The method of claim 1, further comprising embedding the unique identifiers utilizing IP options in an IP header.
  - 7. The method of claim 1, further comprising embedding the unique identifiers utilizing TCP options in a TCP header.
  - 8. The method of claim 1, further comprising embedding the unique identifiers utilizing existing fields in an IP header.
  - 9. The method of claim 1, further comprising embedding the unique identifiers utilizing existing fields in a TCP header.
  - 10. The method of claim 1, further comprising determining whether secure communications are necessary via extracting the unique identifiers and performing a lookup against a secure communications policy rule base.

11. A method for establishing secure TCP/IP communications for individual network connections between a source node and a destination node, the method comprising:
- intercepting a TCP SYN packet prior to arrival of the packet at the destination node, the TCP SYN packet including standard TCP header elements, and determining from at least one standard TCP header element whether secure communications are required;
  
  upon determining that secure communications are required, refusing passage of the TCP SYN packet to the destination node and returning an embed signal RST packet to the source node, the RST packet including an identifier to indicate that secure communications are required;
  
  intercepting the RST packet prior to arrival of the packet at the source node, extracting the secure communications identifier and triggering secure communications for subsequent packets in either direction between the source node and the destination node; and
  
  encrypting outgoing packets between the source node and the destination node, and checking message integrity of the encrypted packet, and further decrypting incoming packets between the source node and the destination node, and checking message integrity of the decrypted packet.
- View Dependent Claims (12)
- - 12. The method of claim 11, further comprising determining whether secure communications are necessary via accessing at least one standard TCP header element from the TCP SYN packet and performing a query for a corresponding entry in a secure communications policy rule base.

13. A method for establishing secure TCP/IP communications for individual network connections between a source node and a destination node, the method comprising:
- intercepting a TCP SYN packet prior to transmission of the packet to the destination node, wherein the packet includes a packet header, and embedding unique identifiers into the packet header, wherein the unique identifiers are associated with a connection attempt between the source node and the destination node, and forwarding the TCP SYN packet with embedded identifiers to the destination node;
  
  intercepting the TCP SYN packet with embedded identifiers prior to arrival of the packet at the destination node, and determining whether secure communications are required;
  
  upon determining that secure communications are required, allowing passage of the TCP SYN packet to the destination node, intercepting a SYN-ACK packet traveling from the destination node to the source node, embedding an identifier into the SYN-ACK packet header, the identifier indicating that secure communications are required, and sending the SYN-ACK packet with embedded identifier to the source node;
  
  intercepting the SYN-ACK packet prior to arrival of the packet at the source node, extracting the secure communications identifier and triggering secure communications for subsequent packets in either direction between the source node and the destination node; and
  
  encrypting outgoing packets between the source node and the destination node, and checking message integrity of the encrypted packet, and further decrypting incoming packets between the source node and the destination node, and checking message integrity of the decrypted packet.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The method of claim 13, wherein at least one of the unique identifiers corresponds to a user account responsible for initiation of the connection attempt.
  - 15. The method of claim 13, wherein at least one of the unique identifiers corresponds to computer hardware of the source node.
  - 16. The method of claim 13, further comprising intercepting the TCP SYN packet at the source node.
  - 17. The method of claim 13, further comprising intercepting the TCP SYN packet at a network location near the source node.
  - 18. The method of claim 13, further comprising embedding the unique identifiers utilizing IP options in an IP header.
  - 19. The method of claim 13, further comprising embedding the unique identifiers utilizing TCP options in a TCP header.
  - 20. The method of claim 13, further comprising embedding the unique identifiers utilizing existing fields in an IP header.
  - 21. The method of claim 13, further comprising embedding the unique identifiers utilizing existing fields in a TCP header.
  - 22. The method of claim 13, further comprising determining whether secure communications are necessary via extracting the unique identifiers and performing a lookup against a secure communications policy rule base.

23. A method for establishing secure TCP/IP communications for individual network connections between a source node and a destination node, the method comprising:
- intercepting a TCP SYN packet prior to arrival of the packet at the destination node, the TCP SYN packet including standard TCP header elements, and determining from at least one standard TCP header element whether secure communications are required;
  
  upon determining that secure communications are required, allowing passage of the TCP SYN packet to the destination node, intercepting a SYN-ACK packet traveling from the destination node to the source node, embedding an identifier into the SYN-ACK packet header, the identifier indicating that secure communications are required, and sending the SYN-ACK packet with embedded identifier to the source node;
  
  intercepting the SYN-ACK packet prior to arrival of the packet at the source node, extracting the secure communications identifier and triggering secure communications for subsequent packets in either direction between the source node and the destination node; and
  
  encrypting outgoing packets between the source node and the destination node, and checking message integrity of the encrypted packet, and further decrypting incoming packets between the source node and the destination node, and checking message integrity of the decrypted packet.
- View Dependent Claims (24)
- - 24. The method of claim 23, further comprising determining whether secure communications are necessary via accessing at least one standard TCP header element from the TCP SYN packet and performing a query for a corresponding entry in a secure communications policy rule base.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Liquidware Labs, Inc.
Original Assignee
Trusted Network Technologies, Inc. (Liquidware Labs, Inc.)
Inventors
Shay, A. David, Berger, Joubert, Alexander, Jonathan, Xuan, Chaoting, Leima, Patricia

Granted Patent

US 7,660,980 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

Establishing Secure TCP/IP Communications Using Embedded IDs

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing Secure TCP/IP Communications Using Embedded IDs

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links