Securing IP Traffic

US 20100153706A1
Filed: 03/16/2007
Published: 06/17/2010
Est. Priority Date: 03/16/2007
Status: Active Grant

First Claim

Patent Images

1. A method of hiding data within packets of an IP session between first and second hosts which may otherwise be used to link packets of the session, the first and second hosts being attached respectively to first and second access points, the method comprising:

using as interface identifier within the source and/or destination address an interface identifier generated using a group key and a host identity, both the group key and the host identity being known to said first host and said second access point;

maintaining a mapping at said second access point between a network prefix of said first access point, said host identity and a local access network address of said second host;

upon receipt of a packet at said second access point from said first host, identifying said group key using the network prefix of the packet source address, and using the group key and the host address to map the interface identifier part of the source and/or destination address to a local access network address; and

using said local access network address to forward the packet to said second host.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of securing IP traffic sent from a first host to a second host attached respectively to first and second access points. The method comprises establishing a shared secret between said first and second hosts, and for each packet to be sent, using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.

Citations

20 Claims

1. A method of hiding data within packets of an IP session between first and second hosts which may otherwise be used to link packets of the session, the first and second hosts being attached respectively to first and second access points, the method comprising:
- using as interface identifier within the source and/or destination address an interface identifier generated using a group key and a host identity, both the group key and the host identity being known to said first host and said second access point;
  
  maintaining a mapping at said second access point between a network prefix of said first access point, said host identity and a local access network address of said second host;
  
  upon receipt of a packet at said second access point from said first host, identifying said group key using the network prefix of the packet source address, and using the group key and the host address to map the interface identifier part of the source and/or destination address to a local access network address; and
  
  using said local access network address to forward the packet to said second host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein said second access point uses the group key to map the interface identifier part of the source and/or destination address to a host identity, and if the recovered host identity matches the host identity known to the second access point, the second access point identifies the local access network address and forwards the packet.
  - 3. The method according to claim 1, said step of generating an interface identifier comprising:
    - generating a pseudo-random number;
      
      combining the pseudo random number with said group key using a cryptographic function to generate a pseudo-random interface identifier; and
      
      combining said pseudo-random interface identifier with said host identity using an invertible function.
  - 4. The method according to claim 3, wherein said invertible function is an XOR function.
  - 5. The method according to claim 3, wherein said cryptographic function is a stream cipher or a block cipher.
  - 6. The method according to claim 3, wherein said pseudo-random number is included in the packet header.
  - 7. The method according to claim 3, the steps carried out at said second access point upon receipt of a packet including:
    - combining the pseudo-random number and the group key using said cryptographic function to generate a pseudo-random interface identifier;
      
      combining this pseudo-random interface identifier with the interface identifier part of the packet source address using said invertible function; and
      
      verifying that the result matches a host identity cached at the second access point.
  - 8. The method according to claim 1, wherein said recited steps are carried out in respect of only the destination address.
  - 9. The method according to claim 8 and comprising generating a pseudo-random number sequence using a key shared between the first and second hosts, and concatenating the next pseudo-random number in the sequence with the network prefix of the first access router to generate a source address for the next packet to be sent.

10. A method of hiding data within packets of an IP session between first and second hosts and which may be used to link packets of the session, the first and second hosts being attached respectively to first and second access points, the method comprising:
- at said first host, receiving a group key from said second host and generating a host identity;
  
  providing said group key and said host identity to said second access point, and mapping the host identity to an access network address of said second host;
  
  for each packet to be sent from the first host to the second host, at the first host, generating a pseudo-random number, using said pseudo-random number and said group key to generate a pseudo-random identifier, combining said pseudo-random identifier with said host identity using an invertible function to generate a new interface identifier, including the new interface identifier in the packet source or destination address, and including said pseudo-random number in the packet header;
  
  at said second access router, receiving a packet sent by said first host, identifying said group key using the network prefix of the source address, using said pseudo-random number and said group key to generate a pseudo-random identifier, combining said pseudo-random number with said new interface identifier using said invertible function, validating the result as matching a cached host identity and identifying the corresponding local network address, and forwarding the packet to the second host using said local network address.

11. A network node arranged to act as an access point for a second host, the node comprising:
- an input for receiving a packet from a first host; and
  
  means for identifying a destination group key using the network prefix of the packet source address, and for using the destination group key and the destination host address to map the interface identifier part of the destination address to a local access network address.

12. A method of securing IP traffic sent from a first host to a second host attached respectively to first and second access points, the method comprising:
- establishing a shared secret between said first and second hosts; and
  
  for each packet to be sent, using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.

13. A terminal comprising:
- means for establishing a shared secret between the terminal and a peer terminal; and
  
  for each packet to be sent, means for using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.

14. A method of securing IP packets to be transmitted over an IP network, the method comprising:
- for each packet to be sent, using the next number of a pseudo-random number sequence together with a secret key to generate a pad and combining the pad with the packet using an invertible function, and including in the packet header the used pseudo-random number.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method according to claim 14 and comprising maintaining a counter and incrementing the counter following the generation of a pad, and combining the counter value with a further secret key to generate the next value in said pseudo-random number sequence.
  - 16. The method according to claim 14, said pad being constructed such that its combination with the packet leaves certain pre-defined portions of the packet unchanged.
  - 17. The method according to claim 16, wherein said pad is constructed such that the source and destination address fields remain unchanged.
  - 18. The method according to claim 14, wherein said invertible function is an XOR or NOT XOR function, and, in the case of an XOR function, bits of the pad corresponding to bits of the packet which are not to be altered are set to “
    - 0” and
      
      , in the case of a NOT XOR function, these bits are set to “
      
      1”
      
      .

19. A terminal arranged in use to send IP packets to a peer terminal, the terminal comprising:
- a pseudo-random number sequence generator; and
  
  a processor arranged, for each packet to be sent, to use the next number of said sequence together with a secret key to generate a pad, to combine the pad with the packet using an invertible function, and to include in the packet header the used pseudo-random number.
- View Dependent Claims (20)
- - 20. The terminal according to claim 19 and being arranged in use to receive IP packets from a peer terminal, the terminal comprising:
    - means for extracting a pseudo-random number from .a packet header;
      
      a processor arranged to use a secret key and said pseudo-random number to generate a pad, and to combine the pad with the packet using said invertible function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Haddad, Wassim

Granted Patent

US 8,438,381 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 63/0407   wherein the identity of one...

H04L 63/164   at the network layer

H04L 9/0662   with particular pseudorando...

H04L 9/0833   involving conference or gro...

H04L 9/0838   Key agreement, i.e. key est...

H04W 12/02   Protecting privacy or anony...

Securing IP Traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Securing IP Traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links