Method and apparatus for using digital signatures to filter packets in a network

US 6,389,532 B1
Filed: 04/20/1998
Issued: 05/14/2002
Est. Priority Date: 04/20/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method of filtering packets destined for a multicast group, the method comprising:

receiving a packet destined for a multicast group, the packet including a digital signature;

retrieving a key associated with an authorized sender of packets destined for a multicast group;

using the key to decrypt the digital signature;

determining the validity of the digital signature; and

forwarding the packet to the multicast group if the digital signature is valid; and

wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;

wherein, the filtering is performed by a data processor at a filer point in a network; and

wherein, a set of filter points where the filtering is performed forms a subset of the set of all network nodes.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for filtering packets uses digital signatures to filter packets in a network. A filter point, such as a router or firewall to an intranet, receives a packet including a header, detects the existence of a signature in the header, tests the validity of the signature using a public key, and forwards the packet in accordance with the validity of the signature. A sender uses a private key obtained from an owner to generate the signature, which is created by encrypting a fingerprint which corresponds to the data in the packet. Public keys are created by an owner which installs them in a domain name system or a certification server. Private keys are also created by the owner but are disseminated only to authorized senders. A method and apparatus for sending packets stores a private key in a memory of the data processor, generates a signature using the private key, installs the signature into a header of a packet; and sends the packet.

260 Citations

41 Claims

1. A method of filtering packets destined for a multicast group, the method comprising:
- receiving a packet destined for a multicast group, the packet including a digital signature;
  
  retrieving a key associated with an authorized sender of packets destined for a multicast group;
  
  using the key to decrypt the digital signature;
  
  determining the validity of the digital signature; and
  
  forwarding the packet to the multicast group if the digital signature is valid; and
  
  wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
  
  wherein, the filtering is performed by a data processor at a filer point in a network; and
  
  wherein, a set of filter points where the filtering is performed forms a subset of the set of all network nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising disseminating the key to the filter point and to the authorized sender.
  - 3. The method of claim 2, wherein the key is stored in an indexed table.
  - 4. The method of claim 1, wherein forwarding the packet includes the step of discarding the packet if the digital signature is invalid.
  - 5. The method of claim 1, further comprising:
6. The method of claim 5 wherein the router limit is associated with a number of packets per minute.
7. The method of claim 5 wherein the router limit is associated with a predetermined set of authorized senders.
8. The method of claim 1:
- wherein receiving a packet comprises receiving a packet including a key index and a digital signature; and
  
  further comprising retrieving a key associated with the key index.
9. The method of claim 8, wherein the key is stored in an indexed table.
10. The method of claim 1, wherein the filter point includes a firewall.

11. An apparatus that filters packets destined for a multicast group, the apparatus comprising:
- circuitry configured to receive a packet destined for a multicast group, the packet including a digital signature;
  
  circuitry configured to retrieve a key associated with an authorized sender of packets destined for the multicast group;
  
  circuitry configured to use the key to decrypt the digital signature;
  
  circuitry configured to determine the validity of the digital signature; and
  
  circuitry configured to forward the packet to the multicast group if the digital signature is valid; and
  
  wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
  
  wherein, the filtering is performed by a data processor at a filer point in a network; and
  
  wherein, a set of filter points where the filtering is performed forms a subset of the set of all network nodes.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, further comprising circuitry configured to disseminate the key to the filter point and to the authorized sender.
  - 13. The apparatus of claim 12, wherein the key is stored in an indexed table.
  - 14. The apparatus of claim 12, wherein the filter point is a firewall.
  - 15. The apparatus of claim 11, wherein the circuitry configured to forward the packet further includes circuitry configured to discard the packet if the digital signature is invalid.
  - 16. The apparatus of claim 11, further including:
17. The apparatus of claim 16 wherein the router limit is associated with a number of packets per minute.
18. The apparatus of claim 16 wherein the router limit is associated with a predetermined set of authorized senders.
19. The apparatus of claim 11:
- wherein the circuitry configured to receive a packet comprises circuitry configured to receive a packet including a key index and a digital signature; and
  
  further comprising circuitry configured to retrieve a key associated with the key index.
20. The apparatus of claim 19, wherein the key is stored in an indexed table.

21. An apparatus for filtering packets destined for a multicast group, the method comprising:
- means for receiving a packet destined for a multicast group, the packet including a digital signature;
  
  means for retrieving a key associated with an authorized sender of packets destined for the multicast group;
  
  means for using the key to decrypt the digital signature;
  
  means for determining the validity of the digital signature; and
  
  means for forwarding the packet to the multicast group if the digital signature is valid; and
  
  wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
  
  wherein, the filtering is performed by a data processor at a filer point in a network; and
  
  wherein, a set of filter points where the filtering is performed forms a subset of the set of all network nodes.

22. A computer program product, comprising:
- a computer usable medium having computer readable code embodied therein for filtering packets destined for a multicast group, the computer program product including;
  
  computer readable program code devices configured to cause a computer to receive a packet destined for a multicast group, the packet including a digital signature;
  
  computer readable program code devices configured to cause a computer to retrieve a key associated with an authorized sender of packets destined for the multicast group;
  
  computer readable program code devices configured to cause a computer to use the key to decrypt the digital signature;
  
  computer readable program code devices configured to cause a computer to determine the validity of the digital signature; and
  
  computer readable program code devices configured to cause a computer to forward the packet to the multicast group if the digital signature is valid; and
  
  wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
  
  wherein, the filtering is performed by a data processor at a filer point in a network; and
  
  wherein, a set of filter points where the filtering is performed forms a subset of the set of all network nodes.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The computer program product of claim 22, further comprising computer readable program code devices configured to disseminate the key to the filter point and to the authorized sender.
  - 24. The computer program product of claim 23, wherein the key is stored in an indexed table.
  - 25. The computer program product of claim 23, wherein the filter point is a firewall.
  - 26. The computer program product of claim 22, wherein the computer readable program code devices configured to forward the packet further include computer readable program code devices configured to discard the packet if the digital signature is invalid.
  - 27. The computer program product of claim 22, further comprising:
28. The computer program product of claim 27 wherein the router limit is associated with a number of packets per minute.
29. The computer program product of claim 27 wherein the router limit is associated with a predetermined set of authorized senders.
30. The computer program product of claim 22:
- wherein the computer readable program code devices configured to cause a computer to receive a packet comprise computer readable program code devices configured to cause a computer to receive a packet including a key index and a digital signature; and
  
  further comprising computer readable program code devices configured to retrieve a key associated with the key index.
31. The computer program product of claim 30, wherein the key is stored in an indexed table.

32. A computer data signal embodied in a carrier wave and representing sequences of instructions which, when executed by a processor cause said processor to filter packets destined for a multicast group by:
- executing a computer program to receive a packet destined for a multicast group, the packet including a digital signature;
  
  executing the computer program to retrieve a key associated with an authorized sender of packets destined for the multicast group;
  
  executing the computer program to use a key to decrypt the digital signature;
  
  executing the computer program to determine the validity of the digital signature; and
  
  executing the computer program to forward the packet to the multicast group if the digital signature is valid; and
  
  wherein the multicast group is a subset of a broadcast group, which broadcast group includes all network nodes;
  
  wherein, the filtering is performed by a data processor at a filer point in a network; and
  
  wherein, a set of filter points where the filtering is performed forms a subset of the set of all network nodes.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 33. The method of claim 32, further comprising executing the computer program to disseminate the key to the filter point and to the authorized sender.
  - 34. The method of claim 33, wherein the key is stored in an indexed table.
  - 35. The method of claim 33, wherein the filter point is a firewall.
  - 36. The method of claim 32, wherein executing the computer program to forward the packet includes executing the computer program to discard the packet if the digital signature is invalid.
  - 37. A method of claim 32, further comprising:
38. The method of claim 37 wherein the router limit is associated with a number of packets per minute.
39. The method of claim 37 wherein the router limit is associated with a predetermined set of authorized senders.
40. The method of claim 32:
- wherein executing the computer program to receive a packet comprises executing the computer program to receive a packet including a key index and a digital signature; and
  
  further comprising executing the computer program to retrieve a key associated with the key index.
41. The method of claim 40, wherein the key is stored in an indexed table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Gupta, Amit, Perlman, Radia J.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/063,630
Time in Patent Office

1,485 Days
Field of Search

713/160, 713/153, 713/176
US Class Current

713/163
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/126   the source of the received ...

Method and apparatus for using digital signatures to filter packets in a network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

260 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for using digital signatures to filter packets in a network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

260 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links