Method for packet authentication in the presence of network address translations and protocol conversions

US 6,795,917 B1
Filed: 10/21/1999
Issued: 09/21/2004
Est. Priority Date: 12/31/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for achieving packet authentication according to an applicable security policy between a sending node (903) and a receiving node (902) in a network which includes entities which carry out transformations on packets, characterised in that it comprises the steps ofdynamically discovering (1003, 1004) said transformations occurring to a packet en route between said sending node and said receiving node, checking (1004) that transformations which have occurred on packets (hereafter dynamically discovered, acceptable transformations) are acceptable based on the applicable security policy, and compensating (1004, 1006) for said dynamically discovered, acceptable transformations before authenticating packets transmitted from said sending node to said receiving node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

For achieving packet authentication according to an applicable security policy between a sending node (903) and a receiving node (902) in a network, the following steps are taken:

the transformations occurring to a packet en route between the sending node and the receiving node are discovered dynamically (1003, 1004),

the discovered transformations are checked (1004) to be acceptable based on the applicable security policy, and

the dynamically discovered, acceptable transformations are compensated for (1004, 1006) before authenticating packets transmitted from the sending node to the receiving node.

238 Citations

22 Claims

1. A method for achieving packet authentication according to an applicable security policy between a sending node (903) and a receiving node (902) in a network which includes entities which carry out transformations on packets, characterised in that it comprises the steps ofdynamically discovering (1003, 1004) said transformations occurring to a packet en route between said sending node and said receiving node, checking (1004) that transformations which have occurred on packets (hereafter dynamically discovered, acceptable transformations) are acceptable based on the applicable security policy, and compensating (1004, 1006) for said dynamically discovered, acceptable transformations before authenticating packets transmitted from said sending node to said receiving node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A method according to claim 1, wherein each packet transmitted from said sending node, before any said transformations, will be referred to as an original packet and has contents including a header, characterised in that each packet transmitted from said sending node (903) to said receiving node (902) includes a cryptographic authentication code (1101) derived from a secret key and the contents of the original packet.
  - 3. A method according to claim 2, characterised in that to compensate for said dynamically discovered, acceptable transformations said contents of said original packet are manipulated at said sending node (903) before computing said cryptographic authentication code (1101).
  - 4. A method according to claim 2, characterised in that to compensate for said dynamically discovered, acceptable transformations said contents of a received packet are manipulated at said receiving node (902) before verifying said cryptographic authentication code (1101).
  - 5. A method according to claim 4, characterised in that at least one data packet (602, 901) transferred from said sending node (903) to said receiving node (902) contains a saved copy of at least a part of said original packet header (1104), and said receiving node uses said saved copy of said at least part of said original packet header when verifying said cryptocraphic authentication code of a received packet.
  - 6. A method according to claim 5, characterised in that said saved copy of said at least part of said original packet header is stored in a special option of a packet header of said received packet.
  - 7. A method according to claim 6, characterised in that said special option is an IP option.
  - 8. A method according to claim 5, characterised in that said saved copy of said at least part of said original packet header is cryptographically authenticated.
  - 9. A method according to claim 1, characterised in that the underlying protocol applied in transferring packets from the sending node to the receiving node is the IPv4 protocol, and packet authentication is done using the IPSEC protocol.
  - 10. A method according to claim 1, characterised in that the underlying protocol applied in transferring packets from the sending node to the receiving node is the IPv6 protocol.
  - 11. A method according to claim 1, characterised in that said transformations include IP address translations (100).
  - 12. A method according to claim 1, characterised in that said transformations include TCP/UDP port translations.
  - 13. A method according to claim 1, characterised in that the step of compensating (1004, 1006) for said dynamically discovered, acceptable transformations comprises the substep of updating a TCP or UDP checksum.
  - 14. A method according to claim 1, characterised in that said dynamically discovered, acceptable transformations include conversion between the IPv4 and IPv6 protocols.
  - 15. A method according to claim 1, characterised in that said step of dynamically discovering said acceptable transformations is made using a probing method taken from the following group of probing methods:
    - non-disruptive in-line probing, disruptive in-line probing, separate probing.
  - 16. A method according to claim 15, where said probing method comprises the step of sending a probe (1003) from said sending node to said receiving node, characterised in that said probe is a packet sent to a network address which is a network address to which normal data packets directed to said receiving node are addressed.
  - 17. A method according to claim 16, characterised in that as a response to receiving said probe said receiving node sends a probe reply (1005) to said sending node.
  - 18. A method according to claim 1, characterised in that said communicating nodes, comprised of said sending node and said receiving node, negotiate whether both communicating nodes support authentication in the presence of transformations on said packets as they traverse a data path between said communicating nodes.
  - 19. A method according to claim 1, characterised in that it comprises the step of ensuring that the characteristics of said dynamically discovered, acceptable transformations are determined at a level of detail sufficient to account for all transformations on the path between said communicating nodes that need to be compensated for when authenticating a packet.

20. A method for achieving packet authentication for packets comprising a header structured according to an applicable security policy and transmitted between a sending node (903) and a receiving node (902) in a network wherein transformation on contents of said packets occurs as said packets propagate across a data path couplina said sendina node to said receiving node, characterised in that said packet authentication method comprisesinclusion in each said packet of a message authentication code (MAC) computed using an authentication code mechanism that does not include said packet header in the data used to calculate said message authentication code discovering transformations that occur on said content of said packets as they propagate across a data path coupling said sending node to said receiving node, and determining whether said discovered transformations are acceptable based on said applicable security policy, and compensating for any acceptable transformations in said packets before authenticating packets transmitted from said sending node to said receiving node by decrypting said message authentication code using a secret shared by both said sending node and said receiving node.

21. A network device (1300) for transmitting digital information in packet authenticated form according to an applicable security policy to another network device in a network wherein transformations on content of packets occurs as said packets propagate from said network device to said another network device, characterised in that it comprises means (1305, 1306, 1307) fordynamically discovering said transformations occurring to a packet en route between said network device and said another network device, checking that said discovered transformations are acceptable based on said applicable security policy, said transformations being hereafter referred to as dynamically discovered, acceptable transformations, and compensating for said dynamically discovered, acceptable transformations before transmitting packets to be authenticated to said another network device.

22. A network device (1300) for receiving digital information in packet authenticated form according to an applicable security policy from a sending network device in a network wherein transformation on content of packets occurs as they propagate to said network device from said sending network device, characterised in that it comprises means (1305, 1306, 1307) fordynamically discovering said transformations occurring to a packet en route between said network device and said sending network device, checking that said discovered transformations are acceptable based on the applicable security policy, said discovered transformations that are deemed acceptable being hereafter referred to as dynamically discovered, acceptable transformations, and compensating for said dynamically discovered, acceptable transformations before authenticating packets received from said sending network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tectia Oyj
Original Assignee
SSH Communications Security Ltd. (SSH Communications Security Oyj)
Inventors
Ylonen, Tatu
Primary Examiner(s)
Peeso, Thomas R.
Assistant Examiner(s)
Zand, Kambiz

Application Number

US09/319,575
Time in Patent Office

1,797 Days
Field of Search

713/160, 713/201
US Class Current

713/160
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/2564   for a higher-layer protocol...

H04L 61/2575   using address mapping retri...

H04L 61/2578   without involvement of the ...

H04L 61/2585   through application level g...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 9/40   Network security protocols

Method for packet authentication in the presence of network address translations and protocol conversions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

238 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method for packet authentication in the presence of network address translations and protocol conversions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

238 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links