Method and apparatus for using digital signatures to filter packets in a network
Abstract
A method and apparatus for filtering packets uses digital signatures to filter packets in a network. A filter point, such as a router or firewall to an intranet, receives a packet including a header, detects the existence of a signature in the header, tests the validity of the signature using a public key, and forwards the packet in accordance with the validity of the signature. A sender uses a private key obtained from an owner to generate the signature, which is created by encrypting a fingerprint that corresponds to the data in the packet. Public keys are created by an owner, which installs them in a domain name system or a certification server. Private keys are also created by the owner but are disseminated only to authorized senders. A method and apparatus for sending packets stores a private key in a memory of the data processor, generates a signature using the private key, installs the signature into a header of a packet, and sends the packet.
41 Claims
1. A method of filtering packets destined for a multicast group, the method comprising:
receiving a packet destined for a multicast group, the packet including a digital signature;
retrieving a key associated with an authorized sender of packets destined for a multicast group;
using the key to decrypt the digital signature;
determining the validity of the digital signature; and
forwarding the packet to the multicast group if the digital signature is valid; and
wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
wherein the filtering is performed by a data processor at a filter point in a network; and
wherein a set of filter points where the filtering is performed forms a subset of the set of all network nodes.

determining a number of packets received from the authorized sender of packets;
determining whether the number of packets exceeds a router limit; and
wherein forwarding the packet comprises forwarding the packet to the multicast group if the digital signature is valid and if the number of packets received from the authorized sender has not exceeded the router limit.

6. The method of claim 5 wherein the router limit is associated with a number of packets per minute.

7. The method of claim 5 wherein the router limit is associated with a predetermined set of authorized senders.

8. The method of claim 1:
wherein receiving a packet comprises receiving a packet including a key index and a digital signature; and
further comprising retrieving a key associated with the key index.

9. The method of claim 8, wherein the key is stored in an indexed table.

10. The method of claim 1, wherein the filter point includes a firewall.

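The following Python model is an added illustration, not code from the patent or its assignee, of the filter point described in the abstract and in claims 1 and 8 through 10 together with the router-limit dependent claim: the sender installs a key index and a signature (an encrypted fingerprint of the payload) in the packet header; the filter point looks the public key up in an indexed table, decrypts the signature, compares it with a freshly computed fingerprint, checks the sender against a packets-per-window router limit, and forwards or drops. Everything below is assumed for the example: the header layout, the names `FilterPoint`, `build_packet`, `sign` and `verify`, and the signature scheme, which is textbook RSA over two well-known Mersenne primes so that the block runs with the standard library alone; a deployment would use properly generated keys with a padded scheme such as RSA-PSS, or Ed25519, and would fetch public keys from DNS or a certificate server as the abstract describes.

```python
import hashlib
import ipaddress
import struct
import time

# Toy key pair. ASSUMPTION: textbook RSA over two well-known Mersenne primes,
# chosen only so this example runs without third-party libraries. Because the
# primes are public, this key is NOT secret and this scheme is NOT secure;
# it stands in for a real signature scheme (RSA-PSS, Ed25519).
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))      # private exponent, held by the sender only
_SIG_LEN = (N.bit_length() + 7) // 8      # signature size in bytes

# Indexed table of public keys held at the filter point, keyed by key index.
# Key index 1 is the only authorized sender in this constructed example.
KEY_TABLE = {1: (N, E)}

# Constructed header layout (assumption): 4-byte group address, 2-byte key
# index, 2-byte signature length; then the signature, then the payload.
HEADER = struct.Struct("!4sHH")


def fingerprint(data: bytes) -> int:
    """The packet's fingerprint: its SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> bytes:
    """Sender side: encrypt the fingerprint with the private key."""
    return pow(fingerprint(data), _D, N).to_bytes(_SIG_LEN, "big")


def verify(data: bytes, signature: bytes, pub) -> bool:
    """Filter-point side: decrypt the signature with the public key and
    compare the result with a freshly computed fingerprint of the data."""
    n, e = pub
    sig = int.from_bytes(signature, "big")
    return sig < n and pow(sig, e, n) == fingerprint(data)


def build_packet(group: str, key_index: int, payload: bytes) -> bytes:
    """Sender side: install the key index and signature in the header."""
    sig = sign(payload)
    return HEADER.pack(ipaddress.IPv4Address(group).packed, key_index, len(sig)) + sig + payload


class FilterPoint:
    """A router or firewall that forwards multicast packets only when they
    carry a valid signature from an authorized sender and that sender has not
    exceeded its router limit (packets per window)."""

    def __init__(self, key_table, router_limit=100, window=60.0, clock=time.monotonic):
        self.key_table = key_table
        self.router_limit = router_limit
        self.window = window
        self.clock = clock                    # injectable so tests control time
        self._counts = {}                     # key_index -> [window_start, count]
        self.forwarded = []                   # (group, payload) handed to the group

    def _within_limit(self, key_index: int) -> bool:
        now = self.clock()
        start, count = self._counts.get(key_index, (now, 0))
        if now - start >= self.window:        # window expired: start a new one
            start, count = now, 0
        count += 1
        self._counts[key_index] = [start, count]
        return count <= self.router_limit

    def filter(self, packet: bytes) -> str:
        """Return 'forward' or a 'drop:<reason>' string for one packet."""
        try:
            group_raw, key_index, sig_len = HEADER.unpack_from(packet)
            body = packet[HEADER.size:]
            if len(body) < sig_len:
                raise ValueError("truncated signature")
            signature, payload = body[:sig_len], body[sig_len:]
        except (struct.error, ValueError):
            return "drop:malformed"
        group = ipaddress.IPv4Address(group_raw)
        if not group.is_multicast:            # the multicast group is a subset of the broadcast group
            return "drop:not-multicast"
        pub = self.key_table.get(key_index)
        if pub is None:                       # no key on file: not an authorized sender
            return "drop:unknown-key"
        if not verify(payload, signature, pub):
            return "drop:bad-signature"
        # Count only authenticated packets, so a forger cannot exhaust a
        # legitimate sender's quota with unsigned traffic.
        if not self._within_limit(key_index):
            return "drop:rate-limit"
        self.forwarded.append((str(group), payload))
        return "forward"


if __name__ == "__main__":
    fp = FilterPoint(KEY_TABLE, router_limit=2)
    pkt = build_packet("239.1.2.3", 1, b"market data update")
    print(fp.filter(pkt), fp.filter(pkt), fp.filter(pkt))  # forward forward drop:rate-limit
```

The ordering of the checks is the security-relevant design choice: the signature is verified before the sender's packet count is incremented, so unauthenticated traffic that merely claims a key index can neither consume an authorized sender's router limit nor reach the multicast group.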
11. An apparatus that filters packets destined for a multicast group, the apparatus comprising:
circuitry configured to receive a packet destined for a multicast group, the packet including a digital signature;
circuitry configured to retrieve a key associated with an authorized sender of packets destined for the multicast group;
circuitry configured to use the key to decrypt the digital signature;
circuitry configured to determine the validity of the digital signature; and
circuitry configured to forward the packet to the multicast group if the digital signature is valid; and
wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
wherein the filtering is performed by a data processor at a filter point in a network; and
wherein a set of filter points where the filtering is performed forms a subset of the set of all network nodes.

circuitry configured to determine a number of packets received from the authorized sender of packets;
circuitry configured to determine whether the number of packets exceeds a router limit; and
wherein the circuitry configured to forward the packet comprises circuitry configured to forward the packet to the multicast group if the digital signature is valid and if the number of packets from the authorized sender does not exceed the router limit.

17. The apparatus of claim 16 wherein the router limit is associated with a number of packets per minute.

18. The apparatus of claim 16 wherein the router limit is associated with a predetermined set of authorized senders.

19. The apparatus of claim 11:
wherein the circuitry configured to receive a packet comprises circuitry configured to receive a packet including a key index and a digital signature; and
further comprising circuitry configured to retrieve a key associated with the key index.

20. The apparatus of claim 19, wherein the key is stored in an indexed table.

21. An apparatus for filtering packets destined for a multicast group, the apparatus comprising:
means for receiving a packet destined for a multicast group, the packet including a digital signature;
means for retrieving a key associated with an authorized sender of packets destined for the multicast group;
means for using the key to decrypt the digital signature;
means for determining the validity of the digital signature; and
means for forwarding the packet to the multicast group if the digital signature is valid; and
wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
wherein the filtering is performed by a data processor at a filter point in a network; and
wherein a set of filter points where the filtering is performed forms a subset of the set of all network nodes.

22. A computer program product, comprising:
a computer usable medium having computer readable code embodied therein for filtering packets destined for a multicast group, the computer program product including:
computer readable program code devices configured to cause a computer to receive a packet destined for a multicast group, the packet including a digital signature;
computer readable program code devices configured to cause a computer to retrieve a key associated with an authorized sender of packets destined for the multicast group;
computer readable program code devices configured to cause a computer to use the key to decrypt the digital signature;
computer readable program code devices configured to cause a computer to determine the validity of the digital signature; and
computer readable program code devices configured to cause a computer to forward the packet to the multicast group if the digital signature is valid; and
wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
wherein the filtering is performed by a data processor at a filter point in a network; and
wherein a set of filter points where the filtering is performed forms a subset of the set of all network nodes.

computer readable program code devices configured to determine a number of packets received from the authorized sender of packets;
computer readable program code devices configured to determine whether the number of packets exceeds a router limit; and
wherein the computer readable program code devices configured to forward the packet comprise computer readable program code devices configured to forward the packet to the multicast group if the digital signature is valid and if the number of packets received from the authorized sender has not exceeded the router limit.

28. The computer program product of claim 27 wherein the router limit is associated with a number of packets per minute.

29. The computer program product of claim 27 wherein the router limit is associated with a predetermined set of authorized senders.

30. The computer program product of claim 22:
wherein the computer readable program code devices configured to cause a computer to receive a packet comprise computer readable program code devices configured to cause a computer to receive a packet including a key index and a digital signature; and
further comprising computer readable program code devices configured to retrieve a key associated with the key index.

31. The computer program product of claim 30, wherein the key is stored in an indexed table.

32. A computer data signal embodied in a carrier wave and representing sequences of instructions which, when executed by a processor, cause said processor to filter packets destined for a multicast group by:
executing a computer program to receive a packet destined for a multicast group, the packet including a digital signature;
executing the computer program to retrieve a key associated with an authorized sender of packets destined for the multicast group;
executing the computer program to use the key to decrypt the digital signature;
executing the computer program to determine the validity of the digital signature; and
executing the computer program to forward the packet to the multicast group if the digital signature is valid; and
wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
wherein the filtering is performed by a data processor at a filter point in a network; and
wherein a set of filter points where the filtering is performed forms a subset of the set of all network nodes.

executing the computer program to determine a number of packets received from the sender of packets; and
executing the computer program to determine whether the number of packets exceeds a router limit; and
wherein executing the computer program to forward the packet comprises executing the computer program to forward the packet to the multicast group if the digital signature is valid and if the number of packets received from the authorized sender has not exceeded the router limit.

38. The method of claim 37 wherein the router limit is associated with a number of packets per minute.

39. The method of claim 37 wherein the router limit is associated with a predetermined set of authorized senders.

40. The method of claim 32:
wherein executing the computer program to receive a packet comprises executing the computer program to receive a packet including a key index and a digital signature; and
further comprising executing the computer program to retrieve a key associated with the key index.

41. The method of claim 40, wherein the key is stored in an indexed table.