Establishing authenticated network connections

US 7,069,438 B2
Filed: 08/19/2002
Issued: 06/27/2006
Est. Priority Date: 08/19/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

authenticating a prospective peer on the network prior to establishing a network connection and prior to an authenticating peer and the prospective peer accepting any application level authentication data from each other that are part of a post-connection establishment exchanged between peers, including sending authentication data in a TCP/IP layer in one or more packets selected from a group consisting of a SYN packet, SYN-ACK packet and an ACK packet; and

wherein authenticating the prospective peer occurs during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network, with an initial packet sent between the peers or with multiple exchanges between the peers that are part of connection establishment phase.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for establishing authenticated network (e.g., TCP/IP) connections augments the network (e.g., TCP/IP) protocol and enables concealment of the presence of network (e.g., TCP/IP) servers on the network. One methodology uses one or more cryptographic techniques, and/or combinations of such techniques, to achieve the goal. A network (e.g., TCP/IP) connection establishment could be authenticated using both shared secret cryptographic and public key cryptographic methods. The trust between peers could be established either directly or via a trusted third party. One methodology allows network (e.g., TCP/IP) server concealment against Internet based eavesdroppers and eavesdroppers staging man-in-the-middle attacks on the local network or in the close proximity to the server. The techniques described herein may be used to protect a network (e.g., TCP/IP) server from establishing unsanctioned connections from both local and remote networks.

186 Citations

86 Claims

1. A method comprising:
- authenticating a prospective peer on the network prior to establishing a network connection and prior to an authenticating peer and the prospective peer accepting any application level authentication data from each other that are part of a post-connection establishment exchanged between peers, including sending authentication data in a TCP/IP layer in one or more packets selected from a group consisting of a SYN packet, SYN-ACK packet and an ACK packet; and
  
  wherein authenticating the prospective peer occurs during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network, with an initial packet sent between the peers or with multiple exchanges between the peers that are part of connection establishment phase.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 2. The method in claim 1, wherein authenticating the prospective peer occurs in the first packet sent by one peer to another peer.
  - 3. The method in claim 1, wherein authenticating the prospective peer occurs in multiple exchanges that are part of connection establishment.
  - 4. The method in claim 1, wherein authenticating the prospective peer comprises sending authentication data that resides in a TCP header.
  - 5. The method in claim 1, wherein authenticating the prospective peer comprises sending authentication data that resides in a TCP header and/or data.
  - 6. The method in claim 1, wherein authenticating the prospective peer occurs during an initial connection establishment phase of the TCP/IP protocol.
  - 7. The method in claim 6, wherein authenticating the prospective peer includes sending authentication information within a carrier protocol that is encapsulated in one or more other protocols.
  - 8. The method in claim 7, wherein the one or more other protocols includes at least one selected from a group that includes IPSec and PPTP.
  - 9. The method in claim 6, further comprising sending authentication data in any combination of two or more SYN, SYN-ACK or ACK packets.
  - 10. The method in claim 9, wherein authenticating the prospective peer is performed using secret key cryptography.
  - 11. The method in claim 9, wherein authenticating the prospective peer is performed using public key cryptography.
  - 12. The method in claim 1, wherein authenticating the prospective peer is performed using secret key cryptography.
  - 13. The method in claim 1, wherein authenticating the prospective peer is performed using a Hashed Message Authentication Code (HMAC).
  - 14. The method in claim 1, wherein authenticating the prospective peer is performed using a HMAC with a timestamp.
  - 15. The method in claim 1, wherein authenticating the prospective peer is performed using a “
    - one time password”
      
      .
  - 16. The method in claim 1, wherein authenticating the prospective peer is performed using public key cryptography.
  - 17. The method in claim 1, wherein authenticating the prospective peer is performed using a trusted third party.
  - 18. The method in claim 1, wherein authenticating the prospective peer is performed using a plain text password.
  - 19. The method in claim 1, wherein authenticating the prospective peer is performed via a set of intermediaries on each hop.
  - 20. The method in claim 1, wherein authenticating the prospective peer occurs via data sent and received in individual packets.
  - 21. The method in claim 20 wherein each individual packet is relayed by one or more hardware or software devices.
  - 22. The method is claim 21, further comprising each of the one or more hardware or software devices authenticating at least one of the individual packets being relayed.
  - 23. The method in claim 21, further comprising the one or more hardware or software devices changing authentication information in at least one of the individual packets.
  - 24. The method in claim 1, wherein authenticating the prospective peer occurs via the data sent and received in a plurality of packets.
  - 25. The method in claim 24 wherein the plurality of packets are relayed by one or more hardware or software devices.
  - 26. The method is claim 25, further comprising each of the one or more hardware or software devices authenticating packets in the plurality of packets being relayed.
  - 27. The method in claim 25, further comprising the one or more hardware or software devices changing authentication information in at least one of the plurality of packets.
  - 28. The method in claim 1, wherein authenticating the prospective peer on the network comprises communicating over a local network with the prospective peer.
  - 29. The method in claim 1, wherein authenticating the prospective peer on the network comprises communicating over a plurality of interconnected networks.
  - 30. The method in claim 1, wherein authenticating the prospective peer on the network comprises communicating over virtual networks.
  - 31. The method in claim 1, wherein authenticating the prospective peer on the network comprises communicating over wide area networks.
  - 32. The method in claim 1, wherein communication occurs between computers, wireless devices, PDAs, laptop computers, phones or other communication devices or combinations thereof.
  - 33. The method in claim 1, wherein authenticating the prospective peer on the network comprises:
    - accessing a memory storing a list of one or more valid peers;
      
      comparing the prospective peer with the list of one or more potentially valid peers; and
      
      if determined to be on the list of potentially valid peers, authenticating the prospective peer based on an authentication method being employed.

34. An apparatus comprising:
- means for receiving one or more packets; and
  
  means for authenticating a prospective peer on the network during a connecton establishment phase prior to establishing a network connection and prior to an authenticating peer and the prospective peer accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers, the means for authenticating including means for sending authentication data in a TCP/IP layer in one or more packets selected from a group consisting of a SYN packet, SYN-ACK packet and an ACK packet, andwherein authenticating the prospective peer occurs during and before completion of a connection establishment phase of TCP/IP protocol used for communication on the network, with an initial packet sent between the peers or with multiple exchanges between the peers, that are part of connection establishment phase.

35. An article of manufacture having one or more recordable media with executable instructions stored thereon which, when executed by a system, cause the system to authenticate a prospective peer on the network during a connection establishment phase prior to establishing a network connection and prior to an authenticating peer and the prospective peer accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers, including sending authentication data in a TCP/IP layer in one or more packets selected from a group consisting of a SYN packet, SYN-ACK packet and an ACK packet, andwherein authenticating the prospective peer occurs during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network, with an initial packet sent between the peers or with multiple exchanges between the peers that are part of connection establishment phase.

36. A method comprising:
- a first peer receiving a SYN packet from a second peer over a network during a connection establishment phase prior to a network connection being established between the first and second peers and prior to the first and second peers accepting any data packets from each other that are part of a post-connection establishment exchange between peers; and
  
  using information in the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to attempt to authenticate the second peer prior to the network connection being established.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 37. The method defined in claim 36 wherein the information is in an option field in the SYN packet.
  - 38. The method defined in claim 36 wherein the information is in an option field and/or in a data portion of the SYN packet.
  - 39. The method defined in claim 36 further comprising the first peer preventing the network connection from being established in response to determining the second peer is not authorized to access the first peer.
  - 40. The method defined in claim 36 further comprising the first peer preventing access to one or more network services in response to determining the second peer is not authorized for such access.
  - 41. The method defined in claim 36 wherein using information in the SYN packet comprises verifying at least a portion of the information.
  - 42. The method defined in claim 36 wherein the first peer uses an authentication method to authenticate the second peer.
  - 43. The method defined in claim 42 wherein the authentication method comprises a cryptographic hashed message authentication code (HMAC).
  - 44. The method defined in claim 42 wherein the authentication method comprises a cryptographic hash with timestamp.
  - 45. The method defined in claim 42 wherein the authentication method comprises a one time password.
  - 46. The method defined in claim 42 wherein the authentication method comprises a public key cryptography-based authentication method.
  - 47. The method defined in claim 42 wherein the authentication method is based on a security assertion provided by a trusted third party.
  - 48. The method in claim 36, wherein the information in the SYN packet to authenticate the second peer comprises a plain text password.
  - 49. The method in claim 36, wherein using information in the SYN packet comprises:
    - accessing a memory storing a list of one or more valid peers;
      
      comparing the prospective peer with the list of one or more potentially valid peers; and
      
      if determined to be on the list of potentially valid peers, authenticating the prospective peer based on an authentication method being employed.

50. An article of manufacture having one or more recordable media with executable instructions stored thereon which, when executed by a system, cause the system to:
- receive a SYN packet from a second peer over a network during a connection establishment phase prior to a network connection being established between a first peer and a second peer and a second peer and prior to the first and second peers accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers; and
  
  use information in the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to attempt to authenticate the second peer prior to the network connection being established.
- View Dependent Claims (51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 51. The article of manufacture defined in claim 50 wherein the information is in an option field in the SYN packet.
  - 52. The article of manufacture defined in claim 50 wherein the information is in an option field and/or in a data portion of the SYN packet.
  - 53. The article of manufacture defined in claim 50 further comprising instructions which when executed by the system cause the system to prevent the network connection from being established in response to determining the second peer is not authorized to access the first peer.
  - 54. The article of manufacture defined in claim 50 further comprising instructions which when executed by the system cause the system to prevent access to one or more network services in response to determining the second peer is not authorized for such access.
  - 55. The article of manufacture defined in claim 50 wherein instructions to cause the system to use information in the SYN packet comprises instructions which when executed by the system cause the system to verify at least a portion of the information.
  - 56. The article of manufacture defined in claim 50 wherein the instructions when executed cause the system to employ an authentication method to authenticate the second peer.
  - 57. The article of manufacture defined in claim 56 wherein the authentication method comprises a cryptographic hashed message authentication code (HMAC).
  - 58. The article of manufacture defined in claim 56 wherein the authentication method comprises a cryptographic hash with timestamp.
  - 59. The article of manufacture defined in claim 56 wherein the authentication method comprises a one time password.
  - 60. The article of manufacture defined in claim 56 wherein the authentication method comprises a public key cryptography-based authentication method or a secret key cryptography-based authentication method.
  - 61. The article of manufacture defined in claim 56 wherein the authentication method is based on a security assertion provided by a trusted third party.
  - 62. The article of manufacture in claim 50, wherein the information in the SYN packet to authenticate the second peer comprises a plain text password.
  - 63. The article of manufacture in claim 50, wherein instructions that cause the system to use information in the SYN packet comprises instructions which when executed by the system cause the system to:
    - access a memory storing a list of one or more valid peers;
      
      comparing the prospective peer with the list of one or more potentially valid peers; and
      
      if determined to be on the list of potentially valid peers, authenticate the prospective peer based on an authentication method being employed.

64. An apparatus comprising:
- means in a first peer for receiving a SYN packet from a second peer over a network during a connection establishment phase prior to a network connection being established between the first and second peers and prior to the first and second peers accepting any application level authentication data form each other that are part of a post-connection establishment exchange between peers; and
  
  means for using information in the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to attempt to authenticate the second peer prior to the network connection being established.
- View Dependent Claims (65, 66, 67, 68)
- - 65. The apparatus defined in claim 64 wherein the information is in an option field in the SYN packet.
  - 66. The apparatus defined in claim 64 wherein the information is in an option field and/or in a data portion of the SYN packet.
  - 67. The apparatus defined in claim 64 further comprising means in the first peer for preventing the network connection from being established in response to determining the second peer is not authorized to access the first peer.
  - 68. The apparatus defined in claim 64 further comprising means in the first peer for preventing access to one or more network services in response to determining the second peer is not authorized for such access.

69. A method comprising:
- a first peer creating a SYN packet that includes information to be used by a second peer to attempt to authenticate the first peer during a connection establishment phase prior to the network connection being established between the first and second peers and prior to the first and second peers accepting any application level authentication data form each other that are part of a post-connection establishment exchange between peers; and
  
  the first peer sending the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to the second peer over a network for authentication prior to a network connection being established between the first and second peers.
- View Dependent Claims (70, 71, 72, 73, 74, 75, 76, 77, 78)
- - 70. The method in claim 69 wherein the information is in an option field in the SYN packet.
  - 71. The method in claim 69 wherein the information is in an option field and/or in a data portion of the SYN packet.
  - 72. The method in claim 69 wherein the information is encrypted.
  - 73. The method in claim 72 wherein the information is encrypted so that a cryptographic hashed message authentication code (HMAC) authentication method may be used between the first and second peers to authenticate the first peer.
  - 74. The method in claim 72 wherein the information is encrypted so that a cryptographic hash with timestamp authentication method may be used between the first and second peers to authenticate the first peer.
  - 75. The method defined in claim 72 wherein the information is encrypted so that a one time password authentication method may be used between the first and second peers to authenticate the first peer.
  - 76. The method defined in claim 72 wherein the information is encrypted so that a public key cryptography-based authentication method may be used between the first and second peers to authenticate the first peer.
  - 77. The method defined in claim 72 wherein the information is encrypted so that an authentication method based on a security assertion provided by a trusted third party may be used between the first and second peers to authenticate the first peer.
  - 78. The method defined in claim 72 wherein the information is encrypted so that an authentication method based on a plain text password may be used between the first and second peers to authenticate the first peer.

79. An article of manufacture having one or more recordable media with executable instructions stored thereon which, when executed by a system, cause the system to:
- create a SYN packet that includes information to be used by a second peer to attempt to authenticate the first peer during a connection establishment phase prior to the network connection being established between a first peer and a second peer and prior to the first and second peers accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers; and
  
  send the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to the second peer over a network for authentication prior to a network connection being established between the first and second peers.
- View Dependent Claims (80, 81, 82)
- - 80. The article of manufacture in claim 79 wherein the information is in an option field in the SYN packet.
  - 81. The article of manufacture in claim 79 wherein the information is in an option field and/or in a data portion of the SYN packet.
  - 82. The article of manufacture in claim 79 wherein the information is encrypted.

83. An apparatus comprising:
- means in a first peer for creating a SYN packet that includes information to be used by a second peer to attempt to authenticate the first peer during a connection establishment phase prior to the network connection being established between the first and second peers and prior to the first and second peers accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers; and
  
  means for sending the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to the second peer over a network for authentication prior to a network connection being established between the first and second peers.
- View Dependent Claims (84, 85, 86)
- - 84. The apparatus in claim 83 wherein the information is in an option field in the SYN packet.
  - 85. The apparatus in claim 83 wherein the information is in an option field and/or in a data portion of the SYN packet.
  - 86. The apparatus in claim 83 wherein the information is encrypted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sowl Associates, Inc.
Original Assignee
Sowl Associates, Inc.
Inventors
Balabine, Igor V., Friedman, William G., Minkin, Ilya G.
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US10/224,098
Publication Number

US 20040034773A1
Time in Patent Office

1,408 Days
Field of Search

713/168, 713/150, 713/153, 713/151, 370/229, 379/111, 726/14
US Class Current

713/168
CPC Class Codes

A63F 13/12   involving interaction betwe...

A63F 13/30   Interconnection arrangement...

A63F 2300/401   Secure communication, e.g. ...

A63F 2300/402   Communication between platf...

A63F 2300/50   characterized by details of...

A63F 2300/532   using secure communication,...

A63F 2300/5546   using player registration d...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/1466   Active attacks involving in...

H04L 67/01   Protocols

H04L 67/131   Protocols for games, networ...

H04W 16/225   for indoor or short range n...

H04W 4/06   Selective distribution of b...

H04W 88/12   Access point controller dev...

H04W 88/14   Backbone network devices

Establishing authenticated network connections

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

186 Citations

86 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing authenticated network connections

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

186 Citations

86 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links