Identification and authentication of end user systems for packet communications network services

US 4,896,319 A
Filed: 03/31/1988
Issued: 01/23/1990
Est. Priority Date: 03/31/1988
Status: Expired due to Term

First Claim

Patent Images

1. In a data network, a method of obtaining security in packet transmission from an input port to an output port, comprising the steps of:

including in each data packet an identity of said input port and an identity of a user of said input port transmitting said each data packet; and

in said network, prior to transmitting to said output port, for said each data packet, checking whether said user, identified by said user identity, has been previously authorized to transmit from said input port identified by said port identity if network transmission capacity is available.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A high capacity metropolitan area network (MAN) is described. Data traffic from users is connected to data concentrators at the edge of the network, and is transmitted over fiber optic data links to a hub where the data is switched. The hub includes a plurality of data switching modules, each having a control means, and each connected to a distributed control space division switch. Advantageously, the data switching modules, whose inputs are connected to the concentrators, perform all checking and routing functions, while the 1024×1024 maximum size space division switch, whose outputs are connected to the concentrators, provides a large fan-out distribution network for reaching many concentrators from each data switching module. Distributed control of the space division switch permits several million connection and disconnection actions to be performed each second, while the pipelined and parallel operation within the control means permits each of the 256 switching modules to process at least 50,000 transactions per second. The data switching modules chain groups of incoming packets destined for a common outlet of the space division switch so that only one connection in that switch is required for transmitting each group of chained packets from a data switching module to a concentrator. MAN provides security features including a port identification supplied by the data concentrators, and a check that each packet is from an authorized source user, transmitting on a port associated with that user, to an authorized destination user that is in the same group (virtual network) as the source user.

250 Citations

12 Claims

1. In a data network, a method of obtaining security in packet transmission from an input port to an output port, comprising the steps of:
- including in each data packet an identity of said input port and an identity of a user of said input port transmitting said each data packet; and
  
  in said network, prior to transmitting to said output port, for said each data packet, checking whether said user, identified by said user identity, has been previously authorized to transmit from said input port identified by said port identity if network transmission capacity is available.

2. In a data network, a method of obtaining security in packet transmission from an input port to an output port, comprising the steps of:
- including in each data packet an identify of said input port and an identity of a user of said input port transmitting said each data packet; and
  
  in said network, prior to transmitting to said output port, for said each data packet, checking whether said user, identified by said user identity, has been previously authorized to transmit from said input port identified by said port identity if network transmission capacity is available;
  
  wherein said identify of said port is supplied by said data network and is out of control of a user at said port.
- View Dependent Claims (10)
- - 10. The method of claim 2 further comprising the steps of:
    - checking whether a virtual network number comprised in said each data packet is authorized for said user identity and said port identity;
      
      checking whether a destination identification comprised in said each data packet is included in a virtual network specified by said virtual network number; and
      
      responsive to positive results from said checking steps, transmitting said each packet to a port identified by said destination identification.

3. A data network for transmitting data packets, comprising:
- means for inserting in a packet am identity of a port transmitting said packet, said means being comprised in said network and out of control of a user at said port; and
  
  means for authenticating from said port identity of said port and from addressing data in said packet whether said port is authorized to transmit said packet to said network prior to transmitting said packet to a destination.
- View Dependent Claims (4, 11, 12)
- - 4. The data network of claim 3 wherein said means for authenticating further comprises means for authenticating whether said port is authorized to transmit said packet to a destination user identified in said addressing data.
  - 11. The data network of claim 4, wherein said means for authenticating comprises means for authenticating whether a user identified in said packet is authorized to transmit from said port to a virtual network identified in said packet.
  - 12. The data network of claim 11 wherein said means for authenticating further comprises means for authenticating whether a destination identified in said data network is authorized to receive packets for said virtual network.

5. In a data network, a method of achieving secure transmission from a source user to a destination user comprising the steps of:
- said destination user logging into said system with a login data packet comprising a destination user password, destination user identification, a destination group identification, and a destination port identification supplied by said network;
  
  said data network authenticating said destination user password, destination user identification, destination user group number, and destination user port number as being authorized to receive packets for said destination group and user;
  
  said source user logging into said system with a login packet comprising an identification of said source user, a source user password, a source group identification, and a source port identification supplied by said network;
  
  authenticating said source user password and source user, source user group, and source user port identifications;
  
  recording, in source tables, authorization for said identifications of said source user, source group, and source port;
  
  recording, in routing tables, authorization for said destination user and said destination group, and an identity of said destination port;
  
  for each transmitted packet, checking a source user identification and source group identification, and a source port identification supplied by said network, in said source tables, and finding a destination port using a destination user identification and a destination group identification in said routing tables;
  
  if results of said source checking and destination port finding steps indicate that said source and said destination have been recorded in said source tables and said destination tables, transmitting said packet to a destination port identified in said finding step.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The method of claim 5 wherein said source group and said destination group for a transmitted packet are the same, whereby only users with a common group identification may communicate.
  - 7. The method of claim 6 further comprising the steps of:
    - if results of said source checking and said destination finding do not indicate that said source and said destination have been recorded in said source tables and said destination tables, discarding said packet.
  - 8. The method of claim 7 further comprising the step of recording source and destination data for a packet to be discarded.
  - 9. The method of claim 6 wherein said destination finding step further comprises the step of inserting an identification of said destination port found in said destination finding step into said each transmitted packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
American Telephone & Telegraph Company (AT&T, Inc.), Bell Telephone Laboratories, Inc. (Nokia Corporation)
Original Assignee
American Telephone & Telegraph Company (AT&T, Inc.)
Inventors
Zelle, Bruce R., Roediger, Gary A., Lidinsky, William P., Weddige, Ronald C., Steele, Scott B.
Primary Examiner(s)
Goldstein, Herbert
Assistant Examiner(s)
Scutch, III, Frank M.

Application Number

US07/175,544
Time in Patent Office

663 Days
Field of Search

370/60, 370/94, 370/99, 370/110.1, 371/24, 371/67, 340/825.34, 340/825.33, 340/825.52
US Class Current

370/427
CPC Class Codes

H04L 12/56   Packet switching systems

H04L 63/0272   Virtual private networks

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/123   received data contents, e.g...

H04L 63/162   at the data link layer

H04L 9/40   Network security protocols

Identification and authentication of end user systems for packet communications network services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

250 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

Identification and authentication of end user systems for packet communications network services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

250 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others