Establishing secure TCP/IP communications using embedded IDs

US 7,660,980 B2
Filed: 03/23/2007
Issued: 02/09/2010
Est. Priority Date: 11/18/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for selectively requiring secure TCP/IP communications between a source node and a destination node within a computer network, the method comprising:

assigning a unique user identifier to each authorized user within the computer network;

creating a plurality of policy rules defining when secure communications are required for TCP/IP communications within the computer network as a function of the authorized users initiating the TCP/IP communications;

identifying the respective authorized user logged into the source node;

retrieving the unique user identifier associated with the respective authorized user;

upon initiation of a TCP/IP communication from the source node, intercepting by a first interceptor a TCP SYN packet of the TCP/IP communication prior to transmission of the TCP SYN packet to the destination node, wherein the packet includes a packet header;

embedding the unique user identifier into the packet header;

forwarding the TCP SYN packet with the embedded unique user identifier to the destination node;

intercepting by a second interceptor the TCP SYN packet with the embedded unique user identifier prior to arrival of the packet at the destination node;

determining whether secure communications are required for the respective authorized user logged into the source node by comparing the unique user identifier embedded in the TCP SYN packet header to the plurality of policy rules to identify a policy rule for the respective authorized user;

if secure communications are required for the respective authorized user logged into the source node based on an identified policy rule, refusing passage of the TCP SYN packet to the destination node and returning an embed signal RST packet to the source node, the RST packet including a secure communications identifier to indicate that secure communications are required;

intercepting by the first interceptor the RST packet and verifying the inclusion of the secure communications identifier; and

thereafterrequiring secure communications for all subsequent packets associated with the TCP/IP communication in either direction between the source node and the destination node until the TCP/IP communication is completed.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for establishing secure TCP/IP communications for individual network connections include the steps of intercepting a conventional TCP SYN packet prior to transmission from a source node to a destination node, embedding unique identifiers into standard fields of the packet header, wherein the unique identifiers are associated with the specific connection attempt and wherein the unique identifiers identify the user account and/or the computer hardware initiating the communication attempt, then forwarding the modified TCP SYN packet to the destination node and intercepting the modified TCP SYN packet prior to arrival, determining whether secure communications are required based on the unique identifiers extracted from the packet headers, based on other TCP/IP information, and based on predefined rules associated with the same. If secure communications are required, such requirement is communicated within either an RST or a SYN-ACK back to the source node.

Citations

28 Claims

1. A method for selectively requiring secure TCP/IP communications between a source node and a destination node within a computer network, the method comprising:
- assigning a unique user identifier to each authorized user within the computer network;
  
  creating a plurality of policy rules defining when secure communications are required for TCP/IP communications within the computer network as a function of the authorized users initiating the TCP/IP communications;
  
  identifying the respective authorized user logged into the source node;
  
  retrieving the unique user identifier associated with the respective authorized user;
  
  upon initiation of a TCP/IP communication from the source node, intercepting by a first interceptor a TCP SYN packet of the TCP/IP communication prior to transmission of the TCP SYN packet to the destination node, wherein the packet includes a packet header;
  
  embedding the unique user identifier into the packet header;
  
  forwarding the TCP SYN packet with the embedded unique user identifier to the destination node;
  
  intercepting by a second interceptor the TCP SYN packet with the embedded unique user identifier prior to arrival of the packet at the destination node;
  
  determining whether secure communications are required for the respective authorized user logged into the source node by comparing the unique user identifier embedded in the TCP SYN packet header to the plurality of policy rules to identify a policy rule for the respective authorized user;
  
  if secure communications are required for the respective authorized user logged into the source node based on an identified policy rule, refusing passage of the TCP SYN packet to the destination node and returning an embed signal RST packet to the source node, the RST packet including a secure communications identifier to indicate that secure communications are required;
  
  intercepting by the first interceptor the RST packet and verifying the inclusion of the secure communications identifier; and
  
  thereafterrequiring secure communications for all subsequent packets associated with the TCP/IP communication in either direction between the source node and the destination node until the TCP/IP communication is completed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1, further comprising embedding a unique static computer identifier into the packet header, wherein the unique static computer identifier corresponds to specific computer hardware associated with the source node, and wherein the step of determining whether secure communications are required is further determined by comparing the unique static computer identifier to the plurality of policy rules to identify a policy rule for the specific computer hardware.
  - 3. The method of claim 1, further comprising intercepting by the first interceptor the TCP SYN packet at the source node.
  - 4. The method of claim 1, further comprising intercepting by the first interceptor the TCP SYN packet at a network location near the source node.
  - 5. The method of claim 1, further comprising embedding the unique user identifier utilizing IP options in an IP header.
  - 6. The method of claim 1, further comprising embedding the unique user identifier utilizing TCP options in a TCP header.
  - 7. The method of claim 1, further comprising embedding the unique user identifier utilizing existing fields in an IP header.
  - 8. The method of claim 1, further comprising embedding the unique user identifier utilizing existing fields in a TCP header.
  - 23. The method of claim 1, wherein the unique user identifier is embedded in a specific field of the packet header, wherein the specific field is selected from the group comprising:
    - an identification field, a sequence (SEQ) number field, an acknowledgement number (ACK) field, an urgent pointer field, and a window field.
  - 24. The method of claim 1, wherein the step of intercepting by the first interceptor the RST packet further comprises intercepting the RST packet prior to arrival of the RST packet at the source node.
  - 25. The method of claim 1, wherein the step of intercepting by the first interceptor the RST packet further comprises intercepting the RST packet at the source node.
  - 26. The method of claim 1, wherein the step of determining whether secure communications are required is further determined based on a resource or application at the destination node with which the respective authorized user is initiating TCP/IP communications.
  - 27. The method of claim 1, wherein secure communications comprises encrypting packets between the source node and the destination node.
  - 28. The method of claim 27, wherein secure communications further comprises checking message integrity of the encrypted packets between the source node and the destination node.

9. A method for selectively requiring secure TCP/IP communications between a source node and a destination node within a computer network, the method comprising:
- assigning a unique user identifier to each authorized user within the computer network;
  
  intercepting by a first interceptor a TCP SYN packet associated with a TCP/IP communication prior to arrival of the packet at the destination node, the TCP SYN packet including a packet header with a unique user identifier embedded therein;
  
  extracting the unique user identifier from the packet header of the TCP SYN packet;
  
  determining whether secure communications are required for the respective authorized user associated with the TCP/IP communication based on the unique user identifier extracted from the TCP SYN packet header;
  
  if secure communications are required for the respective authorized user associated with the TCP/IP communication, refusing passage of the TCP SYN packet to the destination node and returning an embed signal RST packet to the source node, the RST packet including a secure communications identifier to indicate that secure communications are required;
  
  intercepting by a second interceptor the RST packet and verifying the inclusion of the secure communications identifier; and
  
  thereafterrequiring secure communications for all subsequent packets associated with the TCP/IP communication in either direction between the source node and the destination node until the TCP/IP communication is completed.
- View Dependent Claims (10)
- - 10. The method of claim 9, further comprising determining whether secure communications are required by accessing the unique user identifier embedded in the packet header of the TCP SYN packet and performing a query for a corresponding entry in a secure communications policy rule base.

11. A method for selectively requiring secure TCP/IP communications between a source node and a destination node within a computer network, the method comprising:
- assigning a unique user identifier to each authorized user within the computer network;
  
  identifying the respective authorized user logged into the source node;
  
  retrieving the unique user identifier associated with the respective authorized user;
  
  upon initiation of a TCP/IP communication from the source node, intercepting by a first interceptor a TCP SYN packet of the TCP/IP communication prior to transmission of the TCP SYN packet to the destination node, wherein the packet includes a packet header;
  
  embedding the unique user identifier into the packet header;
  
  forwarding the TCP SYN packet with the embedded unique user identifier to the destination node;
  
  intercepting by a second interceptor the TCP SYN packet with the embedded unique user identifier prior to arrival of the packet at the destination node;
  
  determining whether secure communications are required for the respective authorized user logged into the source node based on the unique user identifier embedded in the packet header of the TCP SYN packet;
  
  if secure communications are required for the respective authorized user logged into the source node, allowing passage of the TCP SYN packet to the destination node;
  
  intercepting by the second interceptor a SYN-ACK packet traveling from the destination node to the source node;
  
  embedding a secure communications identifier into the SYN-ACK packet header to indicate that secure communications are required;
  
  sending the SYN-ACK packet with the embedded secure communications identifier to the source node;
  
  intercepting by the first interceptor the SYN-ACK packet and verifying the inclusion of the secure communications identifier; and
  
  thereafterrequiring secure communications for all subsequent packets associated with the TCP/IP communication in either direction between the source node and the destination node until the TCP/IP communication is finished.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the unique user identifier corresponds to a user account associated with the respective authorized user logged into the source node.
  - 13. The method of claim 11, further comprising embedding a unique static computer identifier into the packet header, wherein the unique static computer identifier corresponds to specific computer hardware associated with the source node, and wherein the step of determining whether secure communications are required is further based upon the unique static computer identifier.
  - 14. The method of claim 11, further comprising intercepting by the first interceptor the TCP SYN packet at the source node.
  - 15. The method of claim 11, further comprising intercepting by the first interceptor the TCP SYN packet at a network location near the source node.
  - 16. The method of claim 11, further comprising embedding the unique user identifier utilizing IP options in an IP header.
  - 17. The method of claim 11, further comprising embedding the unique user identifier utilizing TCP options in a TCP header.
  - 18. The method of claim 11, further comprising embedding the unique user identifier utilizing existing fields in an IP header.
  - 19. The method of claim 11, further comprising embedding the unique user identifier utilizing existing fields in a TCP header.
  - 20. The method of claim 11, further comprising determining whether secure communications are required by extracting the unique user identifier from the header of the TCP SYN packet and comparing the unique user identifier to a secure communications policy rule base.

21. A method for selectively requiring secure TCP/IP communications between a source node and a destination node within a computer network, the method comprising:
- assigning a unique user identifier to each authorized user within the computer network;
  
  intercepting by a first interceptor a TCP SYN packet associated with a TCP/IP communication prior to arrival of the packet at the destination node, the TCP SYN packet including a packet header with a unique user identifier embedded therein;
  
  extracting the unique user identifier from the packet header of the TCP SYN packet;
  
  determining whether secure communications are required for the respective authorized user associated with the TCP/IP communication based on the unique user identifier extracted from the TCP SYN packet header;
  
  if secure communications are required for the respective authorized user associated with the TCP/IP communication, allowing passage of the TOP SYN packet to the destination node;
  
  intercepting by the first interceptor a SYN-ACK packet traveling from the destination node to the source node;
  
  embedding a secure communications identifier into the SYN-ACK packet header to indicate that secure communications are required;
  
  sending the SYN-ACK packet with the embedded secure communications identifier to the source node;
  
  intercepting by a second interceptor the SYN-ACK packet and verifying the inclusion of the secure communications identifier; and
  
  thereafterrequiring secure communications for all subsequent packets associated with the TCP/IP communication in either direction between the source node and the destination node until the TCP/IP communication is finished.
- View Dependent Claims (22)
- - 22. The method of claim 21, further comprising determining whether secure communications are required by accessing the unique user identifier embedded in the packet header of the TCP SYN packet and performing a query for a corresponding entry in a secure communications policy rule base.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Liquidware Labs, Inc.
Original Assignee
Liquidware Labs, Inc.
Inventors
Leima, Patricia Joy, Xuan, Chaoting, Alexander, Jonathan, Berger, Joubert, Shay, A. David
Primary Examiner(s)
Kim; Jung
Assistant Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US11/690,532
Publication Number

US 20070300290A1
Time in Patent Office

1,054 Days
Field of Search

713153-154, 713260-163, 713167-168, 726 1- 4, 726 12- 13, 726/21, 726 27- 30
US Class Current

713/154
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/123   received data contents, e.g...

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

Establishing secure TCP/IP communications using embedded IDs

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Establishing secure TCP/IP communications using embedded IDs

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links