Communications protocol with improved security

US 5,958,053 A
Filed: 08/22/1997
Issued: 09/28/1999
Est. Priority Date: 01/30/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method of processing at a second device a message from a first device requesting a connection with the second device, said method comprising the steps of:

receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device and one or more options requested by the first device;

determining if the first message indicates that the first device supports a predetermined protocol; and

performing the following steps a)-c) only if the first device supports the predetermined protocol;

a) sending a second message to the first device indicating that the second device supports the predetermined protocol;

b) receiving a third message at the second device from the first device in response to the second message, said third message repeating said one or more options which were requested by the first device in the first message; and

c) allocating memory resources at the second device to establish the connection between the first and second devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The protocol of the present invention includes two new first level protocols and several embodiments of a second level protocol. The two new first level protocols of the present invention include the TCP2B protocol and the TCP2E protocol. In the TCP2B protocol, both client and server indicate their support for this protocol using one or more bits in TCP header. According to the TCP2B protocol, the client retransmits its requested options in the ACK message so the server need not store the options after the connection request. In the TCP2E protocol, the server maintains a Friends Table listing addresses of device recently observed to be complying with TCP. If a client'"'"'s address is on the Friends Table, the connection request is processed according to TCP. Otherwise, the server sends an ACK message to the client to prompt the client to send a reset message. The client'"'"'s address can then be added to the Friends Table.

Citations

30 Claims

1. A method of processing at a second device a message from a first device requesting a connection with the second device, said method comprising the steps of:
- receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device and one or more options requested by the first device;
  
  determining if the first message indicates that the first device supports a predetermined protocol; and
  
  performing the following steps a)-c) only if the first device supports the predetermined protocol;
  
  a) sending a second message to the first device indicating that the second device supports the predetermined protocol;
  
  b) receiving a third message at the second device from the first device in response to the second message, said third message repeating said one or more options which were requested by the first device in the first message; and
  
  c) allocating memory resources at the second device to establish the connection between the first and second devices.

2. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
- receiving at the second device a first message from the first device requesting a connection with the second device, said first message requesting one or more options and indicating the address of the first device, said first message also indicating that said first device supports a predetermined protocol;
  
  detecting at the second device that the received first message indicates that said first device supports the predetermined protocol;
  
  calculating a first encoded value, said first encoded value being calculated as a first predetermined mathematical function based on at least the address of the first device and a secret known only to the second device;
  
  storing the secret on the second device;
  
  sending a second message from the second device to the first device, said second message acknowledging receipt of the first message and including the calculated first encoded value, said second message also indicating that said second device also supports said predetermined protocol;
  
  receiving a third message at the second device from the first device, said third message indicating the address of the first device and requesting said one or more options which were requested in said first message, said third message including a return value calculated according to a second predetermined mathematical function depending on at least the first encoded value;
  
  calculating a second encoded value, said second encoded value being calculated based on the first and second predetermined mathematical functions and using at least the address of the first device in the third message and the stored secret as arguments;
  
  comparing the second encoded value to the return value;
  
  allocating memory resources at the second device to fully establish a connection between the first and second devices only if there is a match between the second encoded value and the return value based on said step of comparing.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10)
- - 3. The method of claim 2 wherein said first predetermined mathematical function comprises a cryptologic function.
  - 4. The method of claim 3 wherein said cryptologic function comprises the MD5 hash function.
  - 5. The method of claim 2 wherein said step of calculating the first encoded value comprises the step of calculating the first encoded value using a cryptologic function based on at least the address and port of the first device, the address and port of the second device, and a secret known only to the second device.
  - 6. The method of claim 5 wherein said step of calculating the second encoded value comprises the step of calculating the second encoded value using said cryptologic function based on at least the address and port of the first device included in the third message, the address and port of the second device, and the secret known only to the second device.
  - 7. The message of claim 2 wherein said first message is a TCP compliant SYN message requesting a TCP connection with the second device, said second message is a TCP compliant SYNACK message, and said third message is a TCP compliant ACK message.
  - 8. The method of claim 2 wherein said step of sending the second message comprises the step of sending the second message from the second device to the first device, said second message acknowledging receipt of the first message and including the calculated first encoded value as an option in the second message, said second message also indicating that said second device also supports said extended protocol.
  - 9. The method of claim 8 wherein said step of receiving the third message comprises the step of receiving the third message at the second device from the first device, said third message indicating the address of the first device and including as options in the third message said one or more options which were requested in said first message, said third message including said first encoded value passed as an option from the first device back to the second device.
  - 10. The method of claim 2 wherein the first message includes information as an option that indicates that the first device supports the predetermined protocol, and said second message includes information as an option that indicates that the second device supports the predetermined protocol.

11. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
- sending a first message from the first device to the second device requesting a connection with the second device, said first message requesting one or more options, said first message including the address of the first device and information indicating that said first device supports a predetermined protocol;
  
  receiving at the second device the first message and detecting said information indicating that said first device supports the predetermined protocol;
  
  calculating a first encoded value as a mathematical function of at least the address of the first device included in the first message;
  
  sending a second message from the second device to the first device, said second message including the calculated first encoded value and information indicating that said second device supports said predetermined protocol;
  
  receiving at the first device said second message;
  
  sending a third message from the first device to said second device in response to said second message, said third message including the address of the first device and repeating the options included in the first message;
  
  receiving at the second device the third message; and
  
  establishing a connection between the first and second devices if said third message passes a mathematical test.

12. A method of processing at a second device a message from a first device requesting a connection with the second device using a predetermined protocol, said second device storing a list of one or more compliant devices, said method comprising the steps of:
- receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device;
  
  comparing the address of the first device to the list of compliant devices;
  
  allocating memory resources at the second device to allow the requested connection to be established if the address of the first device is on the list;
  
  sending a second message from the second device to the first device if the address of the first device is not on the list, said second message containing information which will prompt the first device to send a reset message to the second device if the first device is complying with the predetermined protocol; and
  
  adding the address of the first device to the list if the second device receives the reset message from the first device.
- View Dependent Claims (13)
- - 13. The method of claim 12, wherein said predetermined protocol comprises TCP, said first message comprises a SYN message, and said second message comprises an ACK message.

14. A method of processing at a second device a message from a first device requesting a connection with the second device, said second device storing a list of compliant devices, said method comprising the steps of:
- receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device;
  
  comparing the address of the first device to the list;
  
  allocating memory resources at the second device to allow the requested connection to be established if the address of the first device is on the list;
  
  performing the following steps a)-c) if the address of the first device is not on the list;
  
  a) calculating an encoded value as a mathematical function based on at least the address of the first device and a secret known only to the second device;
  
  b) sending a second message from the second device to the first device, said second message including the calculated encoded value as the acknowledgment number in the second message; and
  
  c) adding the address of the first device to the list if the second device receives a reset message from the first device which includes the encoded value as a sequence number.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14 and further comprising the steps of:
    - recalculating, in response to receiving the reset message, the encoded value using the mathematical function based on at least the address of the first device included in the reset message and the secret known only to the second device; and
      
      said step of adding comprises the steps of;
      
      a) comparing the recalculated encoded value to the encoded value included in the reset message as the sequence number; and
      
      b) adding the address of the first device to the list only if there is a match between the recalculated encoded value and the encoded value included as the sequence number of the reset message.
  - 16. The method of claim 14 wherein said mathematical function comprises a cryptologic function.

17. A method of processing at a second device a message from a first device requesting a connection with the second device, said second device storing a list of compliant devices, the list also comprising of a counter associated with each device on the list, each said counter providing an indication of the number of connection attempts as compared to the number of successful connections established from the associated device, said method comprising the steps of:
- receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device;
  
  determining whether the address of the first device is initially on the list;
  
  performing the following steps a) and b) if the address of the first device is not initially on the list;
  
  a) sending a second message from the second device to the first device; and
  
  b) adding information identifying the first device to the list if the second device receives a reset message from the first device in response to the second message;
  
  otherwise, performing the following steps c)-e) if the address of the first device is initially on the list;
  
  c) updating the counter on the list associated with the first device to reflect the received first message requesting a connection with the second device; and
  
  d) deleting information identifying the first device from the list only if the counter associated with the first device indicates an excessive number of connection attempts from the first device as compared to the number of successful connections established between the first and second devices; and
  
  e) performing the following steps if the address of the first device was not deleted from the list at said step d);
  
  1) allocating memory resources at the second device to allow the requested connection to be established; and
  
  2) updating the counter associated with the first device to reflect the establishment of a successful connection if a connection between the first and second devices is successfully established.

18. A method of establishing a connection between a first device and a second device, said second device storing a list of compliant devices, said first and second devices being coupled together via a communication network, said method comprising the steps of:
- receiving a first message at the second device from the first device, said first message requesting a connection between the first device and the second device, said first message including the address of the first device;
  
  comparing the address of the first device to the list;
  
  using TCP to process the first message if the address of the first device is on the list; and
  
  performing the following steps a)-e) if the address of the first device is not on the list;
  
  a) calculating a first encoded value based on at least the address of the first device included in the first message;
  
  b) sending a second message to the first device including the first encoded value;
  
  c) receiving a third message at the second device from the first device which includes a return value, said third message requesting a reset of the connection between the first and second devices;
  
  d) determining whether or not the third message passes a mathematical test; and
  
  e) adding information identifying the first device to the list only if the third message passes the mathematical test.

19. A method of processing at a second device a message from a first device requesting a connection with the second device, said second device storing a list of compliant devices, said method comprising the steps of:
- receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device;
  
  determining whether the second device may be under attack;
  
  using TCP to process the first message and permitting a connection between the first and second devices to be established if it is determined that the second device is not under attack;
  
  otherwise, performing the following steps a)-c) if it is determined that the second device may be under attack;
  
  a) comparing the address of the first device to the list;
  
  b) allocating memory resources at the second device to allow the requested connection to be established if the address of the first device is on the list;
  
  c) performing the following steps
  
  1)-2) if the address of the first device is not on the list;
  
  1) sending a second message from the second device to the first device; and
  
  2) adding information identifying the first device to the list if the second device receives a reset message from the first device in response to the second message.
- View Dependent Claims (20)
- - 20. The method of claim 19 wherein said step of determining whether the second device may be under attack comprises the steps of:
    - keeping track of the number of connection requests to the second device;
      
      keeping track of the number of connection requests to the second device that resulted in an established connection; and
      
      determining that the second device may be under attack only if the ratio of the number of connection requests that resulted in an established connection to the number of connection requests is less than a threshold value.

21. A method of processing at a second device a message from a first device requesting a connection with the second device, said second device storing a list of compliant devices, said method comprising the steps of:
- receiving a first message at a second device from a first device, said first message requesting a connection with the second device and including the address of the first device and one or more options requested by the first device;
  
  determining whether the second device may be under attack;
  
  using TCP to process the first message and permit a connection between the first and second devices to be established if it is determined that the second device is not under attack;
  
  otherwise, performing the following steps a)-c) if it is determined that the second device is not under attack;
  
  a) determining whether the first message indicates that the first device supports a predetermined protocol;
  
  b) performing the following steps
  
       1)-3) if the first device supports the predetermined protocol;
  
  1) sending a second message to the first device indicating that the second device supports the predetermined protocol;
  
  2) receiving a third message at the second device from the first device in response to the second message, said third message repeating said one or more options requested by the first device in the first message; and
  
  3) allocating memory resources at the second device to establish the connection between the first and second devices;
  
  c) otherwise, if the first device does not support the predetermined protocol, then performing the following steps
  
       4)-7);
  
  4) comparing the address of the first device to the list;
  
  5) using TCP to process the first message and permit a connection between the first and second devices to be established only if the first device is on the list;
  
  6) sending a second message to the first device if the first device is not on the list; and
  
  7) adding the address of the first device to the list only if the second device receives a reset message from the first device in response to the second message sent at step
  
       6).

22. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
- exchanging at least three messages between the first and second devices, said first device requesting a connection with the second device and requesting one or more options in at least one of said messages;
  
  establishing a traceable communication path from the second device to the first device;
  
  allocating a full transmission control block for the connection at the second device only after said traceable communication path has been established; and
  
  wherein all of said one or more options requested by said first device are received by said second device for implementation.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The method of claim 22 wherein said step of establishing a communication path comprises the step of identifying the first device.
  - 24. The method of claim 22 wherein said step of establishing a communication path comprises the step of determining that at least one of said three exchanged messages specifies a correct address for said first device.
  - 25. The method of claim 22 wherein said step of establishing a communication path comprises the step of determining that the first device responds to a half-open connection in substantial compliance with TCP by sending a reset message to the second device.
  - 26. The method of claim 22 wherein said step of establishing a communication path comprises the steps of:
    - said first device indicating its support for a predetermined protocol and requesting a connection in a first message, said first device including one or more requested options;
      
      said second device indicating its support for the predetermined protocol by sending a second message to the first device, said second message including an encoded value; and
      
      said first device sending a third message to the second device including a return value and repeating the one or more requested options; and
      
      determining at the second device that the return value passes a mathematical test.
  - 27. The method of claim 22 wherein said step of allocating comprises the step of allocating a full transmission control block for the connection at the second device only after said traceable communication path has been established, said full transmission control block including at least information describing the identity of the first device, and the one or more requested options.
  - 28. The method of claim 27 wherein said step of allocating comprises the step of allocating a full transmission control block for the connection at the second device only after said traceable communication path has been established, said full transmission control block including at least a representation of the IP address and port number of the first device, the one or more options requested by the first device, and a sequence number provided in one of said messages from the first device.

29. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
- exchanging at least three messages between the first and second devices, said first device requesting a connection with the second device and requesting one or more options in at least one of said messages;
  
  establishing a traceable communication path from the second device to the first device;
  
  allocating a full transmission control block for the connection at the second device only after said traceable communication path has been established; and
  
  wherein more than 22 bits are available for said first device to request said one or more options.

30. A method of establishing a connection between a first device and a second device, said first and second devices being coupled together via a communication network, said method comprising the steps of:
- exchanging at least three messages between the first and second devices, said first device requesting a connection with the second device and requesting one or more options in at least one of said messages;
  
  confirming that the first device is complying with at least a portion of TCP;
  
  allocating a full transmission control block for the connection at the second device only after it has been confirmed that the first device is complying with at least a portion of TCP; and
  
  wherein all of said one or more options requested by said first device are received by said second device for implementation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Denker, John Stewart
Primary Examiner(s)
Palys, Joseph E.

Application Number

US08/916,439
Time in Patent Office

767 Days
Field of Search

395/187.01, 395/186, 395/188.01, 395/183.15, 395/200.54, 395/200.55, 395/200.57, 395/200.6, 395/200.67, 380/23, 380/25, 380/3, 380/4
US Class Current

726/1
CPC Class Codes

H04L 67/01   Protocols

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

Communications protocol with improved security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Communications protocol with improved security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links