Method and apparatus for providing secure streaming data transmission facilities using unreliable protocols

US 7,360,075 B2
Filed: 02/13/2001
Issued: 04/15/2008
Est. Priority Date: 02/12/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of transmitting data securely over a computer network, comprising the steps of:

(1) establishing a communication path between a first computer and a second computer;

(2) encrypting and transmitting data records between the first computer and the second computer using an unreliable communication protocol, wherein each data record is encrypted without reference to a previously transmitted data record;

(3) in the second computer, receiving and decrypting the data records transmitted in step (2) without reference to a previously received data record; and

(4) in the second computer, transmitting session information for encrypting and decrypting the data records to a third computer,wherein step (2) comprises the step of embedding an indicator in each of the data records indicating that the data records are encrypted according to an encryption scheme that encrypts records without regard to any previously transmitted data records, andwherein step (3) comprises the step of determining whether the indicator is present in each record and, in response to determining that the indicator is not present, processing each such record differently than if the indicator is set.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides a method and apparatus for transmitting data securely using an unreliable communication protocol, such as User Datagram Protocol. In one variation, the invention retains compatibility with conventional Secure Sockets Layer (SSL) and SOCKS protocols, such that secure UDP datagrams can be transmitted between a proxy server and a client computer in a manner analogous to conventional SOCKS processing. In contrast to conventional SSL processing, which relies on a guaranteed delivery service such as TCP and encrypts successive data records with reference to a previously-transmitted data record, encryption is performed using a nonce that is embedded in each transmitted data record. This nonce acts both as an initialization vector for encryption/decryption of the record, and as a unique identifier to authenticate the record. Because decryption of any particular record does not rely on receipt of a previously received data record, the scheme will operate over an unreliable communication protocol. The system and method allows secure packet transmission to be provided with a minimum amount of overhead. Further, the invention provides a network arrangement that employs a cache having copies distributed among a plurality of different locations. SSL/TLS session information for a session with each of the proxy servers is stored in the cache so that it is accessible to at least one other proxy server. Using this arrangement, when a client computer switches from a connection with a first proxy server to a connection with a second proxy server, the second proxy server can retrieve SSL/TLS session information from the cache corresponding to the SSL/TLS communication session between the client device and the first proxy server. The second proxy server can then use the retrieved SSL/TLS session information to accept a session with the client device.

Citations

41 Claims

1. A method of transmitting data securely over a computer network, comprising the steps of:
- (1) establishing a communication path between a first computer and a second computer;
  
  (2) encrypting and transmitting data records between the first computer and the second computer using an unreliable communication protocol, wherein each data record is encrypted without reference to a previously transmitted data record;
  
  (3) in the second computer, receiving and decrypting the data records transmitted in step (2) without reference to a previously received data record; and
  
  (4) in the second computer, transmitting session information for encrypting and decrypting the data records to a third computer,wherein step (2) comprises the step of embedding an indicator in each of the data records indicating that the data records are encrypted according to an encryption scheme that encrypts records without regard to any previously transmitted data records, andwherein step (3) comprises the step of determining whether the indicator is present in each record and, in response to determining that the indicator is not present, processing each such record differently than if the indicator is set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising the step of, prior to step (1), establishing a reliable communication path between the first computer and the second computer and exchanging security credentials over the reliable communication path.
  - 3. The method of claim 2, wherein the step of exchanging security credentials comprises the step of exchanging an encryption key that is used to encrypt the data records in step (2).
  - 4. The method of claim 2, wherein the session information includes at least a portion of the security credentials.
  - 5. The method of claim 1, wherein step (2) comprises the step of incorporating a nonce in each data record that is used by the second computer in combination with a previously shared encryption key to decrypt each of the data records in step (3).
  - 6. The method of claim 5, wherein the nonce comprises a random number.
  - 7. The method of claim 5, further comprising the step of, in the second computer, verifying that the nonce has not previously been received in a previously transmitted data record.
  - 8. The method of claim 1, wherein step (1) is performed using the Transmission Control Protocol, and wherein step (2) is performed using the User Datagram Protocol.
  - 9. The method of claim 1, wherein step (2) is performed by a proxy server that encrypts data records received from another server.
  - 10. The method of claim 1, wherein the third computerestablishes a communication path with the first computer;
    - andencrypts and transmits data records to the first computer using an unreliable communication protocol, wherein each data record is encrypted without reference to a previously transmitted data record and by employing the session information.
  - 11. The method of claim 1, wherein a fourth computerretrieves the session information from the third computer,establishes a communication path with the first computer;
    - andencrypts and transmits data records to the first computer using an unreliable communication protocol, wherein each data record is encrypted without reference to a previously transmitted data record and by employing the session information.
  - 12. The method of claim 1, wherein the session information is SSL or TLS session information.
  - 13. The method of claim 1, wherein the session information includes a SSL or TLS session identifier.
  - 14. The method of claim 1, wherein the session information includes an encryption key that is used to encrypt data records in step (2).
  - 15. The method of claim 1, wherein the session information is stored by the third computer in a cache memory using a hash function.
  - 16. The method of claim 15, wherein the hash function is the BUZhash function.
  - 17. The method of claim 1, wherein the second computer transmits the session information to the third computer using multicast communication.
  - 18. The method of claim 17, wherein the multicast communication is negative acknowledgement multicast communication.

19. A method of securely transmitting a plurality of data records between a client computer and a proxy server using an unreliable communication protocol, comprising the steps of:
- (1) establishing a reliable connection between the client computer and the proxy server;
  
  (2) exchanging encryption credentials between the client computer and the proxy server over the reliable connection;
  
  (3) generating a nonce for each of a plurality of data records, wherein each nonce comprises an initialization vector necessary to decrypt a corresponding one of the plurality of data records;
  
  (4) using the nonce to encrypt each of the plurality of data records and appending the nonce to each of the plurality of data records;
  
  (5) transmitting the plurality of data records encrypted in step (4) from the client computer to the proxy server using an unreliable communication protocol;
  
  (6) in the proxy server, decrypting each of the plurality of encrypted data records using a corresponding nonce extracted from each data record and a previously shared encryption key; and
  
  (7) in the proxy server, transmitting session information including the previously shared encryption key for use in decrypting the plurality of data records to another server,wherein step (6) comprises the step of checking to determine whether each data record received from the client computer is formatted according to a secure unreliable transmission format and, if a particular record is not formatted according to a secure unreliable transmission format, bypassing decryption of the received data record using the corresponding nonce.
- View Dependent Claims (20, 21, 22, 23, 24, 27, 28, 29, 30, 31, 32, 33)
- - 20. The method of claim 19, wherein step (3) comprises the step of generating a random number as each nonce.
  - 21. The method of claim 19, wherein step (3) comprises the step of generating an unique number as each nonce.
  - 22. The method of claim 19, wherein step (1) is performed using Transmission Control Protocol, and wherein step (5) is performed using User Datagram Protocol.
  - 23. The method of claim 19, wherein step (6) is performed using an encryption key previously shared using a reliable communication protocol.
  - 24. The method of claim 23, wherein the reliable communication protocol is Transmission Control Protocol.
  - 27. The method of claim 19, wherein the session information is SSL or TLS session information.
  - 28. The method of claim 19, wherein the session information includes a SSL or TLS session identifier.
  - 29. The method of claim 19, wherein the session information includes authentication information for a user of the client computer.
  - 30. The method of claim 19, wherein the session information is stored by the another server in a cache memory using a hash function.
  - 31. The method of claim 30, wherein the hash function is the BUZhash function.
  - 32. The method of claim 19, wherein the proxy server transmits the session information to the another server using multicast communication.
  - 33. The method of claim 32, wherein the multicast communication is negative acknowledgement multicast communication.

25. A method of securely transmitting a plurality of data records between a client computer and a proxy server using an unreliable communication protocol, comprising the steps of:
- (1) establishing a reliable connection between the client computer and the proxy server;
  
  (2) exchanging encryption credentials between the client computer and the proxy server over the reliable connection;
  
  (3) generating a nonce for each of a plurality of data records, wherein each nonce comprises an initialization vector necessary to decrypt a corresponding one of the plurality of data records;
  
  (4) using the nonce to encrypt each of the plurality of data records and appending the nonce to each of the plurality of data records;
  
  (5) transmitting the plurality of data records encrypted in step (4) from the client computer to the proxy server using an unreliable communication protocol;
  
  (6) in the proxy server, decrypting each of the plurality of encrypted data records using a corresponding nonce extracted from each data record and a previously shared encryption key; and
  
  (7) in the proxy server, transmitting session information including the previously shared encryption key for use in decrypting the plurality of data records to another server,wherein the another server is a second proxy server, andfurther including, in the second proxy server, decrypting encrypted data records from the client computer using a corresponding nonce extracted from each data record and the session information transmitted from the first proxy server.

26. A method of securely transmitting a plurality of data records between a client computer and a proxy server using an unreliable communication protocol, comprising the steps of:
- (1) establishing a reliable connection between the client computer and the proxy server;
  
  (2) exchanging encryption credentials between the client computer and the proxy server over the reliable connection;
  
  (3) generating a nonce for each of a plurality of data records, wherein each nonce comprises an initialization vector necessary to decrypt a corresponding one of the plurality of data records;
  
  (4) using the nonce to encrypt each of the plurality of data records and appending the nonce to each of the plurality of data records;
  
  (5) transmitting the plurality of data records encrypted in step (4) from the client computer to the proxy server using an unreliable communication protocol;
  
  (6) in the proxy server, decrypting each of the plurality of encrypted data records using a corresponding nonce extracted from each data record and a previously shared encryption key; and
  
  (7) in the proxy server, transmitting session information including the previously shared encryption key for use in decrypting the plurality of data records to another server,wherein the another proxy server is a cache memory server, and further including, in a second proxy server,obtaining the session information from the cache memory server, anddecrypting encrypted data records from the client computer using a corresponding nonce extracted from each data record and the session information.

34. A system for securely transmitting data using an unreliable protocol, comprising:
- a first computer having a communication protocol client function operable in conjunction with an application program to transmit data records securely using an unreliable protocol; and
  
  a second computer coupled to the first computer and having a communication protocol server function operable in conjunction with the communication protocol client function to receive data records securely using the unreliable communication protocol,wherein the communication protocol client function encrypts each data record using a nonce and an encryption key and appends the respective nonce to each of the encrypted data records; and
  
  wherein the communication protocol server function decrypts each of the data records using the respectively appended nonce and the encryption key; and
  
  a third computer coupled to the second computer and having a cache memory for storing at least the encryption key,wherein the second computer comprises a record detector that determines whether an indicator has been set in each data record received from the first computer and, if the indicator has not been set for a data record, bypassing decryption of that data record by the communication protocol server function.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The system of claim 34, wherein the communication protocol client function exchanges encryption credentials with the communication protocol server function using a reliable communication protocol.
  - 36. The system of claim 35, wherein the unreliable communication protocol includes the User Datagram Protocol, and wherein the reliable communication protocol includes the Transmission Control Protocol.
  - 37. The system of claim 34, wherein the communication protocol client function and the communication protocol server function are compatible with the SOCKS communication protocol.
  - 38. The system of claim 34, wherein the communication protocol client function and the communication protocol server function are compatible with the SSL/TLS communication protocol.
  - 39. The system of claim 34, wherein the second computer comprises a proxy server that forwards decrypted records received from the first computer to a server computer.
  - 40. The system of claim 34, wherein the third computer is a proxy server thatcan receive encrypted records from the first computer;
    - can decrypt records the received records using at least the encryption key stored in the cache memory; and
      
      can forward the decrypted records received from the first computer to a server computer.

41. A system for securely transmitting data using an unreliable protocol, comprising:
- a first computer having a communication protocol client function operable in conjunction with an application program to transmit data records securely using an unreliable protocol; and
  
  a second computer coupled to the first computer and having a communication protocol server function operable in conjunction with the communication protocol client function to receive data records securely using the unreliable communication protocol,wherein the communication protocol client function encrypts each data record using a nonce and an encryption key and appends the respective nonce to each of the encrypted data records; and
  
  wherein the communication protocol server function decrypts each of the data records using the respectively appended nonce and the encryption key; and
  
  a third computer coupled to the second computer and having a cache memory for storing at least the encryption key, wherein the third computer is a memory cache server, andfurther including a fourth computer that canobtain the at least the encryption key stored in the cache memory of the third computer;
  
  receive encrypted records from the first computer;
  
  decrypt records the received records using at least the encryption key stored in the cache memory; and
  
  forward the decrypted records received from the first computer to a server computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Aventail LLC
Original Assignee
Aventail Corporation A Wholly Owned Subsidiary of Sonicwall Incorporated
Inventors
VanHeyningen, Marc D., Erickson, Rodger D.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Brown; Christopher J.

Application Number

US09/783,146
Publication Number

US 20020112152A1
Time in Patent Office

2,618 Days
Field of Search

713/151, 713/168, 713/171, 713/160, 380/259
US Class Current

713/151
CPC Class Codes

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0428   wherein the data content is...

H04L 63/0457   wherein the sending and rec...

H04L 63/12   Applying verification of th...

H04L 63/166   at the transport layer

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/12   Transmitting and receiving ...

H04L 9/32   including means for verifyi...

Method and apparatus for providing secure streaming data transmission facilities using unreliable protocols

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing secure streaming data transmission facilities using unreliable protocols

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links