Communications protocol with improved security
First Claim
1. A method of processing at a second device a message from a first device requesting a connection with the second device, said method comprising the steps of:
receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device and one or more options requested by the first device;
determining if the first message indicates that the first device supports a predetermined protocol; and
performing the following steps a)-c) only if the first device supports the predetermined protocol;
a) sending a second message to the first device indicating that the second device supports the predetermined protocol;
b) receiving a third message at the second device from the first device in response to the second message, said third message repeating said one or more options which were requested by the first device in the first message; and
c) allocating memory resources at the second device to establish the connection between the first and second devices.
Abstract
The protocol of the present invention includes two new first level protocols and several embodiments of a second level protocol. The two new first level protocols of the present invention are the TCP2B protocol and the TCP2E protocol. In the TCP2B protocol, both client and server indicate their support for this protocol using one or more bits in the TCP header. According to the TCP2B protocol, the client retransmits its requested options in the ACK message, so the server need not store the options after the connection request. In the TCP2E protocol, the server maintains a Friends Table listing the addresses of devices recently observed to be complying with TCP. If a client's address is on the Friends Table, the connection request is processed according to TCP. Otherwise, the server sends an ACK message to the client to prompt the client to send a reset message. The client's address can then be added to the Friends Table.
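The abstract, and claims 1, 2, 12, 14, 17 and 19 below, describe the server-side behaviour in prose. The following Python simulation is an added example, not code from the patent or from any product implementing it. It assumes that segments are plain dicts, that the "first encoded value" is an HMAC-SHA256 over the peer address (and, for TCP2B, its initial sequence number) keyed with a server-only secret, that the "second predetermined mathematical function" is the ordinary TCP increment by one, and that a TCP-compliant peer in SYN-SENT answers an unexpected ACK with an RST whose sequence number equals the acknowledgment number it received. The threshold MAX_FAILED_ATTEMPTS, the addresses and the helper functions are constructed for the example.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF
MAX_FAILED_ATTEMPTS = 3  # constructed threshold for the claim-17 counter


class Tcp2Server:
    """Server side of the TCP2B / TCP2E connection setup (simulation, not a TCP stack)."""

    def __init__(self, secret: bytes, under_attack: bool = True):
        self.secret = secret        # known only to the server (claim 2)
        self.under_attack = under_attack
        self.friends = {}           # TCP2E Friends Table: addr -> {"attempts": n, "successes": n}
        self.tcbs = {}              # full transmission control blocks: addr -> {"state", "options"}

    def encoded_value(self, addr: str, isn: int = 0) -> int:
        """First encoded value: keyed hash of the peer address (plus the ISN for TCP2B).
        Nothing is stored per connection, so a flood of SYNs costs the server no memory."""
        mac = hmac.new(self.secret, f"{addr}|{isn}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def handle(self, msg: dict):
        """Process one inbound segment (a dict) and return the reply segment, or None."""
        handler = {"SYN": self._on_syn, "ACK": self._on_ack, "RST": self._on_rst}.get(msg["type"])
        return handler(msg) if handler else None

    def _on_syn(self, msg):
        addr, opts = msg["src"], msg.get("options", [])
        if not self.under_attack:
            return self._tcp_syn(addr, msg["seq"], opts)   # plain TCP path (claims 19, 21)
        if msg.get("tcp2b"):
            # TCP2B: the SYN-ACK carries the cookie as its sequence number; options are NOT stored
            cookie = self.encoded_value(addr, msg["seq"])
            return {"type": "SYN-ACK", "dst": addr, "seq": cookie,
                    "ack": (msg["seq"] + 1) & MASK32, "tcp2b": True}
        # TCP2E: a stranger must first prove it answers at its claimed address
        entry = self.friends.get(addr)
        if entry is None:
            # bare ACK with no SYN: a TCP-compliant peer in SYN-SENT replies RST with seq == this ack
            return {"type": "ACK", "dst": addr, "ack": self.encoded_value(addr)}
        entry["attempts"] += 1
        if entry["attempts"] - entry["successes"] > MAX_FAILED_ATTEMPTS:
            del self.friends[addr]     # claim 17 d): too many attempts without completed connections
            return None
        return self._tcp_syn(addr, msg["seq"], opts)

    def _tcp_syn(self, addr, isn, opts):
        """Ordinary TCP: allocate the TCB at SYN time (the cost the scheme defers for strangers)."""
        self.tcbs[addr] = {"state": "SYN_RECEIVED", "options": list(opts)}
        return {"type": "SYN-ACK", "dst": addr, "seq": 0, "ack": (isn + 1) & MASK32}

    def _on_ack(self, msg):
        addr = msg["src"]
        if msg.get("tcp2b"):
            # second function g(x) = x + 1: the ACK must acknowledge cookie + 1 for this address/ISN
            expected = (self.encoded_value(addr, (msg["seq"] - 1) & MASK32) + 1) & MASK32
            if msg["ack"] != expected:
                return None            # forged or replayed third message: allocate nothing
            # the options repeated in the third message are used now (claim 1, steps b and c)
            self.tcbs[addr] = {"state": "ESTABLISHED", "options": list(msg.get("options", []))}
            return None
        tcb = self.tcbs.get(addr)
        if tcb and tcb["state"] == "SYN_RECEIVED":
            tcb["state"] = "ESTABLISHED"
            if addr in self.friends:
                self.friends[addr]["successes"] += 1   # claim 17 e)(2)
        return None

    def _on_rst(self, msg):
        addr = msg["src"]
        # TCP2E: an RST echoing the encoded value proves a traceable path to addr (claim 14 c)
        if addr not in self.friends and msg.get("seq") == self.encoded_value(addr):
            self.friends[addr] = {"attempts": 0, "successes": 0}
        return None


def tcp2b_handshake(server, addr, isn, options):
    """Honest TCP2B client: repeats its options in the ACK; True if a TCB was allocated."""
    synack = server.handle({"type": "SYN", "src": addr, "seq": isn, "options": options, "tcp2b": True})
    server.handle({"type": "ACK", "src": addr, "seq": (isn + 1) & MASK32,
                   "ack": (synack["seq"] + 1) & MASK32, "options": options, "tcp2b": True})
    return addr in server.tcbs


def tcp2e_first_contact(server, addr, isn, options):
    """Plain-TCP client meeting a TCP2E server under attack: bare ACK -> RST -> SYN retry."""
    reply = server.handle({"type": "SYN", "src": addr, "seq": isn, "options": options})
    if reply["type"] == "ACK":                       # stranger: answer with RST as RFC 793 requires
        server.handle({"type": "RST", "src": addr, "seq": reply["ack"]})
        reply = server.handle({"type": "SYN", "src": addr, "seq": isn, "options": options})
    server.handle({"type": "ACK", "src": addr, "seq": (isn + 1) & MASK32,
                   "ack": (reply["seq"] + 1) & MASK32})
    return addr in server.friends and server.tcbs[addr]["state"] == "ESTABLISHED"
```

The point to take from the simulation is where memory is committed: under attack, the server allocates a transmission control block only after the third message verifies (TCP2B) or after the peer has answered at its claimed address (TCP2E), so spoofed SYNs cost it a keyed hash and nothing more. A production version would also fold a coarse timestamp into the encoded value and rotate the secret, so that a captured value stops verifying after a short window.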
30 Claims
1. A method of processing at a second device a message from a first device requesting a connection with the second device, said method comprising the steps of:
receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device and one or more options requested by the first device;
determining if the first message indicates that the first device supports a predetermined protocol; and
performing the following steps a)-c) only if the first device supports the predetermined protocol;
a) sending a second message to the first device indicating that the second device supports the predetermined protocol;
b) receiving a third message at the second device from the first device in response to the second message, said third message repeating said one or more options which were requested by the first device in the first message; and
c) allocating memory resources at the second device to establish the connection between the first and second devices.
2. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
receiving at the second device a first message from the first device requesting a connection with the second device, said first message requesting one or more options and indicating the address of the first device, said first message also indicating that said first device supports a predetermined protocol;
detecting at the second device that the received first message indicates that said first device supports the predetermined protocol;
calculating a first encoded value, said first encoded value being calculated as a first predetermined mathematical function based on at least the address of the first device and a secret known only to the second device;
storing the secret on the second device;
sending a second message from the second device to the first device, said second message acknowledging receipt of the first message and including the calculated first encoded value, said second message also indicating that said second device also supports said predetermined protocol;
receiving a third message at the second device from the first device, said third message indicating the address of the first device and requesting said one or more options which were requested in said first message, said third message including a return value calculated according to a second predetermined mathematical function depending on at least the first encoded value;
calculating a second encoded value, said second encoded value being calculated based on the first and second predetermined mathematical functions and using at least the address of the first device in the third message and the stored secret as arguments;
comparing the second encoded value to the return value;
allocating memory resources at the second device to fully establish a connection between the first and second devices only if there is a match between the second encoded value and the return value based on said step of comparing.
11. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
sending a first message from the first device to the second device requesting a connection with the second device, said first message requesting one or more options, said first message including the address of the first device and information indicating that said first device supports a predetermined protocol;
receiving at the second device the first message and detecting said information indicating that said first device supports the predetermined protocol;
calculating a first encoded value as a mathematical function of at least the address of the first device included in the first message;
sending a second message from the second device to the first device, said second message including the calculated first encoded value and information indicating that said second device supports said predetermined protocol;
receiving at the first device said second message;
sending a third message from the first device to said second device in response to said second message, said third message including the address of the first device and repeating the options included in the first message;
receiving at the second device the third message; and
establishing a connection between the first and second devices if said third message passes a mathematical test.
12. A method of processing at a second device a message from a first device requesting a connection with the second device using a predetermined protocol, said second device storing a list of one or more compliant devices, said method comprising the steps of:
receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device;
comparing the address of the first device to the list of compliant devices;
allocating memory resources at the second device to allow the requested connection to be established if the address of the first device is on the list;
sending a second message from the second device to the first device if the address of the first device is not on the list, said second message containing information which will prompt the first device to send a reset message to the second device if the first device is complying with the predetermined protocol; and
adding the address of the first device to the list if the second device receives the reset message from the first device.
14. A method of processing at a second device a message from a first device requesting a connection with the second device, said second device storing a list of compliant devices, said method comprising the steps of:
receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device;
comparing the address of the first device to the list;
allocating memory resources at the second device to allow the requested connection to be established if the address of the first device is on the list;
performing the following steps a)-c) if the address of the first device is not on the list;
a) calculating an encoded value as a mathematical function based on at least the address of the first device and a secret known only to the second device;
b) sending a second message from the second device to the first device, said second message including the calculated encoded value as the acknowledgment number in the second message; and
c) adding the address of the first device to the list if the second device receives a reset message from the first device which includes the encoded value as a sequence number.
17. A method of processing at a second device a message from a first device requesting a connection with the second device, said second device storing a list of compliant devices, the list also comprising of a counter associated with each device on the list, each said counter providing an indication of the number of connection attempts as compared to the number of successful connections established from the associated device, said method comprising the steps of:
receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device;
determining whether the address of the first device is initially on the list;
performing the following steps a) and b) if the address of the first device is not initially on the list;
a) sending a second message from the second device to the first device; and
b) adding information identifying the first device to the list if the second device receives a reset message from the first device in response to the second message;
otherwise, performing the following steps c)-e) if the address of the first device is initially on the list;
c) updating the counter on the list associated with the first device to reflect the received first message requesting a connection with the second device; and
d) deleting information identifying the first device from the list only if the counter associated with the first device indicates an excessive number of connection attempts from the first device as compared to the number of successful connections established between the first and second devices; and
e) performing the following steps if the address of the first device was not deleted from the list at said step d);
1) allocating memory resources at the second device to allow the requested connection to be established; and
2) updating the counter associated with the first device to reflect the establishment of a successful connection if a connection between the first and second devices is successfully established.
18. A method of establishing a connection between a first device and a second device, said second device storing a list of compliant devices, said first and second devices being coupled together via a communication network, said method comprising the steps of:
receiving a first message at the second device from the first device, said first message requesting a connection between the first device and the second device, said first message including the address of the first device;
comparing the address of the first device to the list;
using TCP to process the first message if the address of the first device is on the list; and
performing the following steps a)-e) if the address of the first device is not on the list;
a) calculating a first encoded value based on at least the address of the first device included in the first message;
b) sending a second message to the first device including the first encoded value;
c) receiving a third message at the second device from the first device which includes a return value, said third message requesting a reset of the connection between the first and second devices;
d) determining whether or not the third message passes a mathematical test; and
e) adding information identifying the first device to the list only if the third message passes the mathematical test.
19. A method of processing at a second device a message from a first device requesting a connection with the second device, said second device storing a list of compliant devices, said method comprising the steps of:
receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device;
determining whether the second device may be under attack;
using TCP to process the first message and permitting a connection between the first and second devices to be established if it is determined that the second device is not under attack;
otherwise, performing the following steps a)-c) if it is determined that the second device may be under attack;
a) comparing the address of the first device to the list;
b) allocating memory resources at the second device to allow the requested connection to be established if the address of the first device is on the list;
c) performing the following steps 1)-2) if the address of the first device is not on the list;
1) sending a second message from the second device to the first device; and
2) adding information identifying the first device to the list if the second device receives a reset message from the first device in response to the second message.
21. A method of processing at a second device a message from a first device requesting a connection with the second device, said second device storing a list of compliant devices, said method comprising the steps of:
receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device and one or more options requested by the first device;
determining whether the second device may be under attack;
using TCP to process the first message and permit a connection between the first and second devices to be established if it is determined that the second device is not under attack;
otherwise, performing the following steps a)-c) if it is determined that the second device is not under attack;
a) determining whether the first message indicates that the first device supports a predetermined protocol;
b) performing the following steps 1)-3) if the first device supports the predetermined protocol;
1) sending a second message to the first device indicating that the second device supports the predetermined protocol;
2) receiving a third message at the second device from the first device in response to the second message, said third message repeating said one or more options requested by the first device in the first message; and
3) allocating memory resources at the second device to establish the connection between the first and second devices;
c) otherwise, if the first device does not support the predetermined protocol, then performing the following steps 4)-7);
4) comparing the address of the first device to the list;
5) using TCP to process the first message and permit a connection between the first and second devices to be established only if the first device is on the list;
6) sending a second message to the first device if the first device is not on the list; and
7) adding the address of the first device to the list only if the second device receives a reset message from the first device in response to the second message sent at step 6).
22. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
exchanging at least three messages between the first and second devices, said first device requesting a connection with the second device and requesting one or more options in at least one of said messages;
establishing a traceable communication path from the second device to the first device;
allocating a full transmission control block for the connection at the second device only after said traceable communication path has been established; and
wherein all of said one or more options requested by said first device are received by said second device for implementation.
29. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
exchanging at least three messages between the first and second devices, said first device requesting a connection with the second device and requesting one or more options in at least one of said messages;
establishing a traceable communication path from the second device to the first device;
allocating a full transmission control block for the connection at the second device only after said traceable communication path has been established; and
wherein more than 22 bits are available for said first device to request said one or more options.
30. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
exchanging at least three messages between the first and second devices, said first device requesting a connection with the second device and requesting one or more options in at least one of said messages;
confirming that the first device is complying with at least a portion of TCP;
allocating a full transmission control block for the connection at the second device only after it has been confirmed that the first device is complying with at least a portion of TCP; and
wherein all of said one or more options requested by said first device are received by said second device for implementation.
Specification