Establishing authenticated network connections
First Claim
1. A method comprising:
- authenticating a prospective peer on the network prior to establishing a network connection and prior to an authenticating peer and the prospective peer accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers, including sending authentication data in a TCP/IP layer in one or more packets selected from a group consisting of a SYN packet, SYN-ACK packet and an ACK packet; and
wherein authenticating the prospective peer occurs during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network, with an initial packet sent between the peers or with multiple exchanges between the peers that are part of the connection establishment phase.
1 Assignment
0 Petitions
Abstract
A method and apparatus for establishing authenticated network (e.g., TCP/IP) connections augments the network (e.g., TCP/IP) protocol and enables concealment of the presence of network (e.g., TCP/IP) servers on the network. One methodology uses one or more cryptographic techniques, and/or combinations of such techniques, to achieve the goal. A network (e.g., TCP/IP) connection establishment could be authenticated using both shared secret cryptographic and public key cryptographic methods. The trust between peers could be established either directly or via a trusted third party. One methodology allows network (e.g., TCP/IP) server concealment against Internet based eavesdroppers and eavesdroppers staging man-in-the-middle attacks on the local network or in the close proximity to the server. The techniques described herein may be used to protect a network (e.g., TCP/IP) server from establishing unsanctioned connections from both local and remote networks.
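The shared-secret variant of the abstract, as an added illustration that is not code from the patent or its assignee: the client's 32-bit TCP initial sequence number (ISN) carries a truncated HMAC over the connection 4-tuple and a coarse time slot, so the server can authenticate the peer from the SYN alone and silently drop everything else. Packets are modelled as plain dicts, and the slot length and message layout are assumptions.

```python
import hashlib
import hmac
import struct
import time

# Constructed model of "authentication data in the SYN": no raw sockets, packets
# are dicts with the fields a verifier would read off the wire.
SLOT_SECONDS = 30  # validity window of one time slot (assumed value)


def _tag(secret, src_ip, src_port, dst_ip, dst_port, slot):
    """32-bit tag = first 4 bytes of HMAC-SHA256(secret, 4-tuple || slot)."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4]


def make_auth_syn(secret, src_ip, src_port, dst_ip, dst_port, now=None):
    """Client side (claims 69-86): build a SYN whose ISN carries the tag."""
    slot = int((time.time() if now is None else now) // SLOT_SECONDS)
    isn = struct.unpack(">I", _tag(secret, src_ip, src_port, dst_ip, dst_port, slot))[0]
    return {"flags": "S", "src": (src_ip, src_port), "dst": (dst_ip, dst_port), "seq": isn}


def verify_syn(secret, syn, now=None):
    """Server side (claims 36-68): authenticate from the SYN alone.

    True means the handshake may continue with a SYN-ACK; False means the SYN
    is dropped with no reply at all (no SYN-ACK, no RST), which is what keeps
    the listening service invisible to an unauthenticated scanner.
    """
    if syn.get("flags") != "S":
        return False
    slot = int((time.time() if now is None else now) // SLOT_SECONDS)
    src_ip, src_port = syn["src"]
    dst_ip, dst_port = syn["dst"]
    presented = struct.pack(">I", syn["seq"] & 0xFFFFFFFF)
    # Accept the current slot and the previous one so a SYN sent just before a
    # slot boundary is not rejected; constant-time compare avoids a timing oracle.
    for s in (slot, slot - 1):
        expected = _tag(secret, src_ip, src_port, dst_ip, dst_port, s)
        if hmac.compare_digest(expected, presented):
            return True
    return False
```

A 32-bit ISN leaves a one-in-2^32 guess per SYN and allows replay of a captured SYN from the same 4-tuple within one slot; carrying a longer tag and a nonce in a TCP option is preferable where middleboxes pass unknown options.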
186 Citations
86 Claims
1. A method comprising:
authenticating a prospective peer on the network prior to establishing a network connection and prior to an authenticating peer and the prospective peer accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers, including sending authentication data in a TCP/IP layer in one or more packets selected from a group consisting of a SYN packet, SYN-ACK packet and an ACK packet; and wherein authenticating the prospective peer occurs during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network, with an initial packet sent between the peers or with multiple exchanges between the peers that are part of the connection establishment phase. (Dependent claims 2-33)

34. An apparatus comprising:
means for receiving one or more packets; and means for authenticating a prospective peer on the network during a connection establishment phase prior to establishing a network connection and prior to an authenticating peer and the prospective peer accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers, the means for authenticating including means for sending authentication data in a TCP/IP layer in one or more packets selected from a group consisting of a SYN packet, SYN-ACK packet and an ACK packet, and wherein authenticating the prospective peer occurs during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network, with an initial packet sent between the peers or with multiple exchanges between the peers that are part of the connection establishment phase.

35. An article of manufacture having one or more recordable media with executable instructions stored thereon which, when executed by a system, cause the system to authenticate a prospective peer on the network during a connection establishment phase prior to establishing a network connection and prior to an authenticating peer and the prospective peer accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers, including sending authentication data in a TCP/IP layer in one or more packets selected from a group consisting of a SYN packet, SYN-ACK packet and an ACK packet, and wherein authenticating the prospective peer occurs during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network, with an initial packet sent between the peers or with multiple exchanges between the peers that are part of the connection establishment phase.

36. A method comprising:
a first peer receiving a SYN packet from a second peer over a network during a connection establishment phase prior to a network connection being established between the first and second peers and prior to the first and second peers accepting any data packets from each other that are part of a post-connection establishment exchange between peers; and using information in the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to attempt to authenticate the second peer prior to the network connection being established. (Dependent claims 37-49)

50. An article of manufacture having one or more recordable media with executable instructions stored thereon which, when executed by a system, cause the system to:
receive a SYN packet from a second peer over a network during a connection establishment phase prior to a network connection being established between a first peer and the second peer and prior to the first and second peers accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers; and use information in the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to attempt to authenticate the second peer prior to the network connection being established. (Dependent claims 51-63)

64. An apparatus comprising:
means in a first peer for receiving a SYN packet from a second peer over a network during a connection establishment phase prior to a network connection being established between the first and second peers and prior to the first and second peers accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers; and means for using information in the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to attempt to authenticate the second peer prior to the network connection being established. (Dependent claims 65-68)

69. A method comprising:
a first peer creating a SYN packet that includes information to be used by a second peer to attempt to authenticate the first peer during a connection establishment phase prior to the network connection being established between the first and second peers and prior to the first and second peers accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers; and the first peer sending the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to the second peer over a network for authentication prior to a network connection being established between the first and second peers. (Dependent claims 70-78)

79. An article of manufacture having one or more recordable media with executable instructions stored thereon which, when executed by a system, cause the system to:
create a SYN packet that includes information to be used by a second peer to attempt to authenticate the first peer during a connection establishment phase prior to the network connection being established between a first peer and the second peer and prior to the first and second peers accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers; and send the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to the second peer over a network for authentication prior to a network connection being established between the first and second peers. (Dependent claims 80-82)

83. An apparatus comprising:
means in a first peer for creating a SYN packet that includes information to be used by a second peer to attempt to authenticate the first peer during a connection establishment phase prior to the network connection being established between the first and second peers and prior to the first and second peers accepting any application level authentication data from each other that are part of a post-connection establishment exchange between peers; and means for sending the SYN packet during and before completion of a connection establishment phase of a TCP/IP protocol used for communication on the network to the second peer over a network for authentication prior to a network connection being established between the first and second peers. (Dependent claims 84-86)