Method and apparatus for providing adaptive self-synchronized dynamic address translation

US 7,043,633 B1
Filed: 08/10/2001
Issued: 05/09/2006
Est. Priority Date: 08/28/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A network security apparatus for securing packet header information of a data packet, comprising:

a key exchanger adapted to derive a cipher key;

a translator adapted to translate predetermined portions of said packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information, and replace said predetermined portions of said packet header information with the translated packet header information in the data packet; and

a communication device adapted to communicate the data packet between a first enclave and a second enclave through a wide area network;

wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication device is provided for a local enclave. The communication device processes packets to be transferred from the local enclave to a wide area network. The communication device intercepts packets originating from a host on the local enclave, the packets being destined for transmission over the wide area network, extracts predetermined portions from each packet header to form one or more blocks for translation, applies a predetermined encryption algorithm to translate the one or more blocks after masking; and reinserts bits from the translated block back into the packet header. The purpose of the invention is to obfuscate network machine identities to TCP/IP packets traversing the public Internet to prevent traffic mapping.

134 Citations

52 Claims

1. A network security apparatus for securing packet header information of a data packet, comprising:
- a key exchanger adapted to derive a cipher key;
  
  a translator adapted to translate predetermined portions of said packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information, and replace said predetermined portions of said packet header information with the translated packet header information in the data packet; and
  
  a communication device adapted to communicate the data packet between a first enclave and a second enclave through a wide area network;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A network security apparatus as set forth in claim 1, wherein the predetermined portions of packet header information further comprise:
    - a source host address portion that identifies a sending host within the first enclave.
  - 3. A network security apparatus as set forth in claim 1, wherein said translator is adapted to queue the data packet until said key exchanger has derived the cipher key.
  - 4. A network security apparatus as set forth in claim 1, wherein said key exchanger further comprises:
    - a timer adapted to reset at a predetermined time interval, wherein said key exchanger derives the cipher key when said timer resets and the data packet is present at said translator.
  - 5. A network security apparatus as set forth in claim 1, wherein the wide area network is the Internet.

6. A network security apparatus for securing packet header information of a data packet, comprising:
- a random number generator adapted to generate a random number;
  
  a translator adapted to translate predetermined portions of said packet header information according to a cipher algorithm seeded by the random number into translated packet header information, and replace said predetermined portions of said packet header information with the translated packet header information in the data packet; and
  
  a communication device adapted to communicate the data packet between a first enclave and a second enclave through a wide area network;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (7, 8, 9)
- - 7. A network security apparatus as set forth in claim 6, wherein the predetermined portions of packet header information further comprise:
    - a source host address portion hat identifies a sending host.
  - 8. A network security apparatus as set forth in claim 6, further comprising:
    - a timer adapted to reset at a predetermined time interval, wherein said random number generator derives the random number when said timer resets and the data packet is received by said translator.
  - 9. A network security apparatus as set forth in claim 6, wherein the wide area network is the Internet.

10. A network security system for securing packet header information of a data packet communicated between a first enclave and a second enclave through a wide area network, the system comprising:
- a first communication device in communication with the first enclave and the wide area network, said first communication device adapted to receive the data packet, translate predetermined portions of said packet header information into translated packet header information and replace said predetermined portions of said packet header information with the translated packet header information in the data packet, and place the data packet on the wide area network; and
  
  a second communication device in communication with the second enclave and the wide area network, said second communication device adapted to receive and restore the predetermined portions of the data packet from the translated packet header information and place the data packet onto the second enclave;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. A network security system as set forth in claim 10, wherein the predetermined portions of packet header information further comprise:
    - a source host address portion that identifies a sending host within the first enclave.
  - 12. A network security system as set forth in claim 10, further comprising:
    - a key exchanger coupled to said first and second communication devices, adapted to derive a cipher key; and
      
      a timer electrically coupled to said key exchanger, adapted to reset at a predetermined time interval.
  - 13. A network security system as set forth in claim 12,wherein said key exchanger derives the cipher key when said timer resets and the first communication device receives the data packet, andwherein said first and second communication devices translate the predetermined portions of packet header information according to a cipher algorithm keyed by the cipher key.
  - 14. A network security system as set forth in claim 12, wherein said first and second communication devices are adapted to queue the data packet until the key exchanger has derived the cipher key.
  - 15. A network security system as set forth in claim 10, wherein the wide area network is the Internet.

16. A method for securing packet header information of a data packet, comprising:
- deriving a cipher key;
  
  translating predetermined portions of said packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information;
  
  replacing said predetermined portions of said packet header information with the translated packet header information in the data packet; and
  
  communicating the data packet between a first enclave and a second enclave through a wide area network;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (17, 18, 19, 20)
- - 17. A method for securing packet header information as set forth in claim 16, wherein the predetermined portions of packet header information further comprise:
    - a source host address portion that identifies a sending host within the first enclave.
  - 18. A method for securing packet header information as set forth in claim 16 further comprising:
    - queuing the data packet until the cipher key has been derived.
  - 19. A method for securing packet header information as set forth in claim 16 further comprising:
    - deriving the cipher key at a predetermined time interval if the data packet to be communicated has been presented to said translating step.
  - 20. A method for securing packet header information as set forth in claim 16 wherein the wide area network is the Internet.

21. A method for securing packet header information of a data packet, comprising:
- generating a random number;
  
  translating predetermined portions of said packet header information according to a cipher algorithm seeded by the random number into translated packet header information;
  
  replacing said predetermined portions of said packet header information with the translated packet header information in the data packet; and
  
  communicating the data packet between a first enclave and a second enclave through a wide area network;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (22, 23, 24)
- - 22. A method for securing packet header information as set forth in claim 21, wherein the predetermined portions of packet header further comprises:
    - a source host address portion that identifies a sending host.
  - 23. A method for securing packet header information as set forth in claim 21, further comprising:
    - deriving the random number at predetermined time interval if the data packet to be communicated has been presented to said translating step.
  - 24. A method for securing packet header information as set forth in claim 21, wherein the wide area network is the Internet.

25. A method for securing packet header information of a data packet, comprising:
- receiving the data packet at a first communication device;
  
  translating predetermined portions of packet header information into translated packet header information;
  
  replacing said predetermined portions of said packet header information with the translated packet header information in the data packet;
  
  sending the data packet to a second enclave through a wide area network;
  
  receiving the data packet at a second communication device on the second enclave;
  
  restoring translating the predetermined portions of the data packet from the translated packet header information at the second communication device; and
  
  placing the data packet onto the second enclave;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (26, 27, 28, 29)
- - 26. A method for securing packet header information as set forth in claim 25, wherein the predetermined portions of packet header information further comprise:
    - a source host address portion that identifies a sending host within the first enclave.
  - 27. A method for securing packet header information as set forth in claim 25, further comprising:
    - deriving a cipher key at a predetermined time interval if the data packet is presented to the first communication device; and
      
      translating the predetermined portions of packet header information for the data packet according to a cipher algorithm seeded by the cipher key.
  - 28. A method for securing packet header information as set forth in claim 27, further comprising:
    - queuing the data packet until the cipher key has been derived.
  - 29. A method for securing packet header information as set forth in claim 25, wherein the wide area network is the Internet.

30. A communication device adapted for processing packet header information of a data packet, the communication device being operable to:
- derive a cipher key;
  
  translate predetermined portions of said packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information;
  
  replace said predetermined portions of said packet header information with the translated packet header information in the data packet; and
  
  communicate the data packet between a first enclave and a second enclave through a wide area network;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (31, 32, 33, 34)
- - 31. A communication device as set forth in claim 30, wherein the predetermined portions of packet header information further comprise:
    - a source host address portion that identifies a sending host within the first enclave.
  - 32. A communication device as set forth in claim 30, the communication device being further operable to queue the data packet until the cipher key has been derived.
  - 33. A communication device as set forth in claim 30, the communication device being further operable to derive the cipher key at a predetermined time interval if the data packet to be communicated has been generated.
  - 34. A communication device as set forth in claim 30, wherein the wide area network is the Internet.

35. A communication device adapted for processing packet header information of a data packet, the communication device being operable to:
- generate a random number;
  
  translate predetermined portions of said packet header information according to a cipher algorithm seeded by the random number into translated packet header information;
  
  replace said predetermined portions of said packet header information with the translated packet header information in the data packet; and
  
  communicate the data packet between a first enclave and a second enclave through a wide area network;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (36, 37, 38)
- - 36. A communication device as set forth in claim 35, wherein the predetermined portions of packet header further comprises:
    - a source host address portion that identifies a sending host.
  - 37. A communication device as set forth in claim 35, the communication device further operable to derive the random number at predetermined time interval if the data packet to be communicated has been presented to the communication device.
  - 38. A communication device as set forth in claim 35, wherein the wide area network is the Internet.

39. A device for securing packet header information of a data packet, comprising:
- means for deriving a cipher key;
  
  means for translating predetermined portions of said packet header information according to a cipher algorithm keyed by the cipher key into translated packet header information;
  
  means for replacing said predetermined portions of said packet header information with the translated packet header information in the data packet; and
  
  means for communicating the data packet between a first enclave and a second enclave through a wide area network;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (40, 41, 42, 43)
- - 40. A device for securing packet header information as set forth in claim 39, wherein the predetermined portions of packet header information further comprise:
    - a source host address portion that identifies a sending host within the first enclave.
  - 41. A device for securing packet header information as set forth in claim 39, further comprising:
    - means for queuing the data packet until the cipher key has been derived.
  - 42. A device for securing packet header information as set forth in claim 39, further comprising:
    - means for deriving the cipher key at a predetermined time interval if the data packet to be communicated has been presented to said means for translating.
  - 43. A device for securing packet header information as set forth in claim 39, wherein the wide area network is the Internet.

44. A device for securing packet header information of a data packet, comprising:
- means for generating a random number;
  
  means for translating predetermined portions of said packet header information according to a cipher algorithm seeded by the random number into translated packet header information;
  
  means for replacing said predetermined portions of said packet header information with the translated packet header information in the data packet; and
  
  means for communicating the data packet between a first enclave and a second enclave through a wide area network;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (45, 46, 47)
- - 45. A device for securing packet header information as set forth in claim 44, wherein the predetermined portions of packet header further comprises:
    - a source host address portion that identifies a sending host.
  - 46. A device for securing packet header information as set forth in claim 44, further comprising:
    - means for deriving the random number at predetermined time interval if the data packet to be communicated has been presented to the means for translating.
  - 47. A device for securing packet header information as set forth in claim 44, wherein the wide area network is the Internet.

48. A device for securing packet header information of a data packet, comprising:
- means for receiving the data packet at a first communication device;
  
  means for translating predetermined portions of packet header information into translated packet header information;
  
  means for replacing said predetermined portions of said packet header information with the translated packet header information in the data packet;
  
  means for sending the data packet to a second enclave through a wide area network;
  
  means for receiving the data packet at a second communication device on the second enclave;
  
  means for translating the predetermined portions of the data packet at the second communication device; and
  
  means for placing the data packet onto the second enclave;
  
  wherein said predetermined portions of said packet header information include a destination host address portion that identifies a destination host within the second enclave, a destination port number and a sequence parameter that changes on a per-packet basis.
- View Dependent Claims (49, 50, 51, 52)
- - 49. A device for securing packet header information as set forth in claim 48, wherein the predetermined portions of packet header information further comprise:
    - a source host address portion that identifies a sending host within the first enclave.
  - 50. A device for securing packet header information as set forth in claim 48, further comprising:
    - means for deriving a cipher key at a predetermined time interval if the data packet to be communicated has been presented to the first communication device; and
      
      means for translating the predetermined portions of packet header information for the data packet according to a cipher algorithm seeded by the cipher key.
  - 51. A device for securing packet header information as set forth in claim 50, further comprising:
    - means for queuing the data packet until the cipher key has been derived.
  - 52. A device for securing packet header information as set forth in claim 48, wherein the wide area network is the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Corporate Services Group Incorporated (Verizon Communications Inc.)
Inventors
Fink, Russell Andrew, Brannigan, Matthew Aloysius, Evans, Shelby Alana, Almeida, Aswin Morgan, Ferguson, Shelley Anne
Primary Examiner(s)
Smithers, Matthew
Assistant Examiner(s)
Teslovich, Tamara

Application Number

US09/927,671
Time in Patent Office

1,733 Days
Field of Search

713/160, 713200-201, 713150-154, 713189-190, 713/163, 709/203, 709/249, 709/245, 709/238, 707/10, 380/49, 380/21
US Class Current

713/162
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/2539   Hiding addresses; Keeping a...

H04L 63/0414   during transmission, i.e. p...

H04L 63/0435   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

Method and apparatus for providing adaptive self-synchronized dynamic address translation

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

134 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing adaptive self-synchronized dynamic address translation

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links