Peer-to-peer name resolution protocol (PNRP) security infrastructure and method
Abstract
A security infrastructure and methods are presented that inhibit the ability of a malicious node to disrupt the normal operations of a peer-to-peer network. The methods of the invention allow both secure and insecure identities to be used by nodes by making them self-verifying. When necessary or opportunistic, ID ownership is validated by piggybacking the validation on existing messages. The probability of connecting initially to a malicious node is reduced by randomly selecting the node to which to connect. Further, information from malicious nodes is identified and can be disregarded by maintaining information about prior communications that will require a future response. Denial of service attacks are inhibited by allowing the node to disregard requests when its resource utilization exceeds a predetermined limit. The ability of a malicious node to remove a valid node is reduced by requiring that revocation certificates be signed by the node to be removed.
20 Claims
1. A method of inhibiting a denial of service attack based on a synchronization process in a peer-to-peer network, comprising:
receiving a SOLICIT message at a second node, the SOLICIT message requesting cache synchronization from a first node and containing a first node peer address certificate (PAC);
examining the first node PAC to determine its validity at the second node;
dropping the SOLICIT message when the step of examining the first node PAC determines that the first node PAC is not valid;
generating first connection information specifically identifying the SOLICIT message with the first node;
maintaining the first connection information when examining the first node PAC determines that the first node PAC is valid;
generating second connection information specifically identifying a REQUEST message with the first node; and
comparing the first connection information and the second connection information.

10. A computer-readable medium comprising computer-executable instructions for inhibiting a denial of service attack based on a synchronization process in a peer-to-peer network, the computer-executable instructions comprising instructions for:
receiving a SOLICIT message at a second node, the SOLICIT message requesting cache synchronization from a first node and containing a first node peer address certificate (PAC);
examining the first node PAC to determine its validity at the second node;
dropping the SOLICIT message when the step of examining the first node PAC determines that the first node PAC is not valid;
generating a first connection information specifically identifying the SOLICIT message with the first node;
maintaining the first connection information when the step of examining the first node PAC determines that the first node PAC is valid;
generating a second connection information specifically identifying a REQUEST message with the first node; and
comparing the first connection information and the second connection information.

19. A method of inhibiting a denial of service attack based on a synchronization process in a peer-to-peer network comprising:
receiving a SOLICIT message at a second node, the SOLICIT message requesting cache synchronization from a first node and containing a first node peer address certificate (PAC);
examining the first node PAC to determine its validity at the second node;
dropping the SOLICIT message when the step of examining the first node PAC determines that the first node PAC is not valid;
generating first connection information specifically identifying the SOLICIT message with the first node, the first connection information maintained in a bit vector at the second node;
generating a nonce at the second node;
extracting a first node identification information from the SOLICIT message;
setting a bit at a first bitpos, the first bitpos comprising the index of the bit vector corresponding to a hash of the nonce and the first node identification information;
encrypting the nonce using a first node public key;
constructing an ADVERTISE message, the ADVERTISE message comprising a second node PAC and the encrypted nonce;
sending the ADVERTISE message to the first node;
validating the ADVERTISE message;
decrypting the encrypted nonce;
sending a REQUEST message from the first node to the second node if the ADVERTISE message is valid, the REQUEST message comprising the first node identification information and the decrypted nonce;
maintaining the first connection information when examining the first node PAC determines that the first node PAC is valid;
generating second connection information specifically identifying a REQUEST message with the first node;
extracting the nonce from the REQUEST message;
extracting a first node identification information from the REQUEST message;
calculating a second bitpos as the hash of the nonce and the first node identification information wherein the second bitpos corresponds to an index of a bit in the bit vector;
comparing the first connection information and the second connection information;
determining if the bit at the second bitpos is set; and
rejecting the REQUEST message when the bit at the second bitpos is not set.
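
The second node's bit-vector bookkeeping from claim 19, sketched as an added example that is not part of the patent text or any PNRP implementation. The SHA-256 hash, the 65,536-bit vector size, the 16-byte nonce and the `pac_is_valid` callable are assumptions; the public-key encryption of the nonce in the ADVERTISE message is left out.

```python
import hashlib
import secrets

VECTOR_BITS = 1 << 16  # assumed size; the claim does not fix one


class SecondNode:
    """Responder side of SOLICIT -> ADVERTISE -> REQUEST as recited in claim 19."""

    def __init__(self, pac_is_valid):
        # pac_is_valid: hypothetical callable standing in for PAC validation.
        self.pac_is_valid = pac_is_valid
        self.bits = bytearray(VECTOR_BITS // 8)

    @staticmethod
    def bitpos(nonce: bytes, node_id: bytes) -> int:
        # Index into the bit vector = hash(nonce, node id). SHA-256 and the
        # length prefix (keeps the two fields unambiguous) are assumptions.
        data = len(nonce).to_bytes(2, "big") + nonce + node_id
        digest = hashlib.sha256(data).digest()
        return int.from_bytes(digest[:8], "big") % VECTOR_BITS

    def on_solicit(self, node_id: bytes, pac: bytes):
        """Return the nonce for the ADVERTISE, or None if the SOLICIT is dropped."""
        if not self.pac_is_valid(pac):
            return None  # invalid PAC: drop, keep no state, send nothing
        nonce = secrets.token_bytes(16)
        pos = self.bitpos(nonce, node_id)
        self.bits[pos // 8] |= 1 << (pos % 8)  # one bit of state per exchange
        # In the claim this nonce travels encrypted under the first node's
        # public key, so only the holder of the private key can echo it.
        return nonce

    def on_request(self, node_id: bytes, nonce: bytes) -> bool:
        """Accept a REQUEST only if its (nonce, node id) maps to a set bit."""
        pos = self.bitpos(nonce, node_id)
        # The claim does not say whether the bit is cleared afterwards;
        # this example leaves it set.
        return bool(self.bits[pos // 8] & (1 << (pos % 8)))

    def bits_set(self) -> int:
        return sum(bin(b).count("1") for b in self.bits)
```

Because different exchanges can hash to the same index, a REQUEST that was never solicited still passes with probability roughly `bits_set() / VECTOR_BITS`, so the vector size bounds how well this check filters unsolicited REQUEST messages.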