Peer-to-peer name resolution protocol (PNRP) security infrastructure and method
First Claim
1. A method of providing a security infrastructure for use in a peer-to-peer network without employing a single network wide certification authority or a network wide hierarchy of certification authorities, the method comprising at a first node:
- receiving a record from a second node;
- validating the ID certificate of the second node;
- validating the expiration date of the ID certificate of the second node;
- verifying ownership of the ID certificate at the second node's IP address if the second node is a neighbor of the first node;
- managing a trustworthiness metric of a neighbor of the first node wherein for each neighbor of the first node, a separate trustworthiness metric is maintained; and
- limiting the number of records pointing to the same peer IP address to a percentage of the size of a cache.
Abstract
A method for use in a peer-to-peer communication system to ensure valid connections are made in a secure manner includes the steps of receiving an address record for a peer node which includes an ID certificate. The ID certificate is validated and checked to verify that the ID certificate has not expired. Further, the method determines if the node from whom the address record was received is to be trusted, and how many instances of the IP address included in the certificate are already stored in cache. When the foregoing are completed successfully, i.e. the certificate is valid, not expired, has been supplied by a trusted neighbor, and does not point to an IP address that already exists for different IDs multiple times, the method opportunistically verifies ownership of the ID certificate at the peer node's IP address. That is, the verification of ownership only occurs when the advertiser of the ID is the owner of that ID (or when the ID is to be used). If any of the above cannot be completed successfully, the address record is discarded.
24 Claims
1. A method of providing a security infrastructure for use in a peer-to-peer network without employing a single network wide certification authority or a network wide hierarchy of certification authorities, the method comprising at a first node:
- receiving a record from a second node;
- validating the ID certificate of the second node;
- validating the expiration date of the ID certificate of the second node;
- verifying ownership of the ID certificate at the second node's IP address if the second node is a neighbor of the first node;
- managing a trustworthiness metric of a neighbor of the first node wherein for each neighbor of the first node, a separate trustworthiness metric is maintained; and
- limiting the number of records pointing to the same peer IP address to a percentage of the size of a cache.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 24

9. A method of providing a security infrastructure for use in a peer-to-peer network without employing a single network wide certification authority or network wide hierarchy of certification authorities, the method comprising at a first node:
A. receiving an address record from a second node, the record including an ID certificate;
B. validating the ID certificate;
C. verifying that the ID certificate has not expired;
D. determining that the second node is to be trusted by checking the level of the trustworthiness metric for the second node;
E. determining that the number of records in a cache for the second node is less than a predetermined limit; and
F. when steps B. thru E. are completed successfully,
   a. selectively verifying ownership of the ID certificate at the second node's IP address;
   b. incrementing a trustworthiness metric for the second node if it is a neighbor of the first node;
   c. adding the second node's record to the cache; and
G. when any of steps B. thru F. are not completed successfully, discarding the address record and decrementing the trustworthiness metric for the second node.

Dependent claims: 10, 11, 12
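
Steps A through G of claim 9, worked through in Python as an added example; it is not code from the patent or its assignee. The record shape, the 5% per-IP share, the trust threshold of -2 and the `owns_id` challenge callback are assumptions, and certificate validation (step B) is represented by a precomputed flag.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class AddressRecord:       # constructed shape; the page defines no wire format
    peer_id: str
    ip: str
    cert_valid: bool       # outcome of step B, assumed to be computed upstream
    not_after: float       # certificate expiry, seconds since epoch

@dataclass
class PeerCache:
    size: int = 100
    ip_percent: int = 5    # assumed limit: one IP may fill at most 5% of the cache
    min_trust: int = -2    # assumed threshold for step D
    records: dict = field(default_factory=dict)       # peer_id -> AddressRecord
    trust: Counter = field(default_factory=Counter)   # separate metric per sender

    def admit(self, rec, sender, is_neighbor, owns_id, now):
        """Steps B-G for a record `rec` received from node `sender`."""
        same_ip = sum(1 for r in self.records.values()
                      if r.ip == rec.ip and r.peer_id != rec.peer_id)
        ok = (rec.cert_valid                                      # B
              and rec.not_after > now                             # C
              and self.trust[sender] >= self.min_trust            # D
              and same_ip < self.size * self.ip_percent // 100)   # E
        if ok and sender == rec.peer_id:
            ok = owns_id(rec)      # F.a: challenge only a self-advertised ID
        if not ok:
            self.trust[sender] -= 1                               # G
            return False
        if is_neighbor:
            self.trust[sender] += 1                               # F.b
        self.records[rec.peer_id] = rec                           # F.c
        return True

def demo():
    """Constructed input: neighbor 'N' floods IDs that all point at one IP."""
    cache, now = PeerCache(), 1_000.0
    flood = [cache.admit(AddressRecord(f"id{i}", "192.0.2.9", True, now + 60),
                         "N", True, lambda r: True, now) for i in range(7)]
    expired = cache.admit(AddressRecord("idX", "192.0.2.10", True, now - 1),
                          "N", True, lambda r: True, now)
    return flood, expired, cache.trust["N"], len(cache.records)

if __name__ == "__main__":
    print(demo())
```

The flood stops at the per-IP limit, and each discarded record lowers the metric kept for the node that supplied it.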

13. A method of processing a peer-to-peer query in a security infrastructure for use in a serverless peer to peer network wherein each individual peer node is authorized and able to certify only its own identity, the peer-to-peer query comprising a request from a neighbor node to a first node to find an owner of an identity contained in the query for purposes of verifying the identity, the method comprising:
A. receiving the query containing the identity from a neighbor node at a first node;
B. checking to see if a valid and verified record of the neighbor node is stored in a cache;
C. when a valid and verified record of the neighbor node is not stored in the cache, or when a valid and verified record of the neighbor node is stored in the cache and a predetermined amount of time has passed since the last ownership check for the neighbor node, validating an ID certificate of the neighbor node and verifying ownership of the ID certificate at the neighbor node's IP address;
D. when the neighbor node is not an originator of the query, validating an ID certificate of the originator;
E. comparing the identity contained in the query to the identity of the first node;
F. when the identity of the first node matches the identity contained in the query, returning the record of the first node to the neighbor node; and
G. when the identity of the first node does not match the identity contained in the query, forwarding the query to a third peer node.

Dependent claims: 14, 15, 16, 17, 18

19. A method of processing a response to a peer-to-peer query in a security infrastructure for use in a serverless peer to peer network wherein each individual peer node is authorized and able to certify only its own identity, the peer-to-peer query comprising a request from a first node to a neighbor node to find an owner of an identity contained in the query for purposes of verifying the identity, the method comprising at the first node:
A. receiving the response from the neighbor node, the response comprising a result and a next hop node;
B. checking to see if a valid and verified record of the neighbor node is stored in a cache;
C. when a valid and verified record of the neighbor node is not stored in the cache, or when a valid and verified record of the neighbor node is stored in the cache and a predetermined amount of time has passed since the last ownership check for the neighbor node, validating an ID certificate of the neighbor node and verifying ownership of the ID certificate at the neighbor node's IP address;
D. when the neighbor node is not the result of the query, validating an ID certificate of the result; and
E. when the ID certificate of the result is validated, forwarding the result to the next hop node identified in the response.

Dependent claims: 20, 21, 22, 23
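
Claims 13 and 19 share steps B and C, the time-bounded re-verification of the neighbor; the Python below is an added example of both handlers, not code from the patent. The 300-second interval, the cache entry shape, the `validate_cert` and `verify_owner` callbacks and the choice to drop a message when a check fails are assumptions.

```python
from dataclasses import dataclass

RECHECK_AFTER = 300.0    # assumed value for the "predetermined amount of time" (s)

@dataclass
class Entry:             # constructed cache entry for a neighbor
    verified: bool
    checked_at: float    # time of the last ownership check

def neighbor_ok(cache, node, now, validate_cert, verify_owner):
    """Steps B-C: reuse a fresh verified entry, otherwise validate and re-check."""
    e = cache.get(node)
    if e and e.verified and now - e.checked_at < RECHECK_AFTER:
        return True
    good = validate_cert(node) and verify_owner(node)
    cache[node] = Entry(good, now)
    return good

def handle_query(my_id, cache, neighbor, originator, wanted, now,
                 validate_cert, verify_owner):
    """Claim 13. Dropping on a failed check is an assumption, not claim text."""
    if not neighbor_ok(cache, neighbor, now, validate_cert, verify_owner):
        return "drop"
    if originator != neighbor and not validate_cert(originator):   # step D
        return "drop"
    return "answer" if wanted == my_id else "forward"              # steps E-G

def handle_response(cache, neighbor, result, now, validate_cert, verify_owner):
    """Claim 19: forward the result only once its certificate validates."""
    if not neighbor_ok(cache, neighbor, now, validate_cert, verify_owner):
        return "drop"
    if result != neighbor and not validate_cert(result):           # step D
        return "drop"
    return "forward"                                               # step E

def demo():
    """Constructed run: record each ownership challenge sent to neighbor 'N'."""
    challenges, cache = [], {}
    valid = lambda node: node != "forged"
    owner = lambda node: challenges.append(node) or True
    out = [handle_query("me", cache, "N", "O", "me", 0.0, valid, owner),
           handle_query("me", cache, "N", "O", "other", 10.0, valid, owner),
           handle_query("me", cache, "N", "forged", "me", 20.0, valid, owner),
           handle_response(cache, "N", "R", 400.0, valid, owner)]
    return out, challenges

if __name__ == "__main__":
    print(demo())
```

In the constructed run the neighbor is challenged on first contact and again only after the interval has elapsed, while the originator's certificate is validated on every query.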
Specification