Authentication method and apparatus for detecting and preventing source address spoofing packets

US 8,966,609 B2
Filed: 11/28/2012
Issued: 02/24/2015
Est. Priority Date: 12/09/2011
Status: Active Grant

First Claim

Patent Images

1. An authentication apparatus for detecting and preventing a source address spoofing packet, the apparatus comprising:

a packet reception unit configured to receive a packet from a previous node or a user host;

a self-assurance type identification (ID) generation unit configured to generate a self-assurance type ID of a source node of the received packet by;

generating a digital signature value Sign1 obtained by signing a source address of the input packet by using a private key;

generating a result of hashing the digital signature value Sign1 and a public key, as the self-assurance type; and

when a length of the self-assurance type ID is not equal to a length of a hash function;

generating a random number R1,generates a middle value T1 as a result of hashing the source address, the public key, and the random number,generating a digital signature value Sign2 by signing the source address and the random number by using a private key, andgenerating a result of hashing the digital signature value Sign2 and the public key, as the self-assurance type ID, replacing the previously generated self-assurance type ID with newly generated self assurance type ID;

a self-assurance type ID verification unit configured to determine whether the source address of the received packet has been spoofed by using the self-assurance type ID;

a white list storage unit configured to store an identification of a reliable source node based on the result of determination of the source address spoofing;

a black list storage unit configured to store an identification of an unreliable source node based on the result of determination of the source address spoofing; and

a packet transmission unit configured to transmit the packet whose source has been verified through the self-assurance type ID verification unit to a next network node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication apparatus for detecting and preventing a source address spoofing packet, includes a packet reception unit configured to receive a packet from a previous node or a user host; a self-assurance type ID generation unit configured to generate a self-assurance type ID of a source node of the received packet; and a self-assurance type ID verification unit configured to determine whether the source address of the received packet has been spoofed. Further, the authentication apparatus includes a white list storage unit configured to store a reliable source node; a black list storage unit configured to store an unreliable source node; and a packet transmission unit configured to transmit the packet whose source has been verified through the self-assurance type ID verification unit to a next network node.

221 Citations

9 Claims

1. An authentication apparatus for detecting and preventing a source address spoofing packet, the apparatus comprising:
- a packet reception unit configured to receive a packet from a previous node or a user host;
  
  a self-assurance type identification (ID) generation unit configured to generate a self-assurance type ID of a source node of the received packet by;
  
  generating a digital signature value Sign1 obtained by signing a source address of the input packet by using a private key;
  
  generating a result of hashing the digital signature value Sign1 and a public key, as the self-assurance type; and
  
  when a length of the self-assurance type ID is not equal to a length of a hash function;
  
  generating a random number R1,generates a middle value T1 as a result of hashing the source address, the public key, and the random number,generating a digital signature value Sign2 by signing the source address and the random number by using a private key, andgenerating a result of hashing the digital signature value Sign2 and the public key, as the self-assurance type ID, replacing the previously generated self-assurance type ID with newly generated self assurance type ID;
  
  a self-assurance type ID verification unit configured to determine whether the source address of the received packet has been spoofed by using the self-assurance type ID;
  
  a white list storage unit configured to store an identification of a reliable source node based on the result of determination of the source address spoofing;
  
  a black list storage unit configured to store an identification of an unreliable source node based on the result of determination of the source address spoofing; and
  
  a packet transmission unit configured to transmit the packet whose source has been verified through the self-assurance type ID verification unit to a next network node.

2. The authentication apparatus of claim wherein when the self-assurance type ID verification unit receives a self-assurance type ID of a packet received from the packet reception unit, the self-assurance type ID verification unit determines whether the self-assurance type ID has been stored in a white list in which reliable source nodes are stored, and when the self-assurance type ID has been stored in the white list, the self-assurance type ID verification unit transfers the packet to the packet transmission unit.
- View Dependent Claims (3, 4)
- - 3. The authentication apparatus of claim 2, wherein when the self-assurance type ID of the packet has not been stored in the white list in which reliable source nodes are stored, the self-assurance type ID verification unit performs a procedure for verifying validity of the self-assurance type ID, and when the verification result is abnormal, the self-assurance type ID verification unit stores the source node of the packet in a black list and deletes the packet.
  - 4. The authentication apparatus of claim 3, wherein when the self-assurance type ID of the packet has not been stored in the white list in which reliable source nodes are stored, the self-assurance type ID verification unit performs a procedure for verifying validity of the self-assurance type ID, and when the verification result is normal, the self-assurance type ID verification unit stores the source node of the packet in the white list and transfers the packet to the packet transmission unit.

5. An authentication method for detecting and preventing a source address spoofing packet, the method comprising:
- receiving a packet from a previous node or a user host;
  
  generating a self-assurance type ID of a source node of the received packet, wherein generating the self-assurance type ID includes, when a length of the self-assurance type ID is not equal to a length of a hash function;
  
  generating a random number R1;
  
  generating a middle value T1 as a result of hashing the source address, the public key, and the random number;
  
  generating a digital signature value Sign2 by signing the source address and the random number by using a private key;
  
  generating a result of hashing the digital signature value Sign2 and the public key, as the self-assurance type ID;
  
  verifying whether the source address of the received packet has been spoofed by using the self-assurance type ID;
  
  storing a reliable source node in a white list, based on the result of verification of the source address spoofing;
  
  storing an unreliable source node in a black list, based on the result of verification of the source address spoofing; and
  
  transmitting the packet whose source has been verified through the self-assurance type ID verification to a next network node.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The authentication method of claim 5, wherein generating a self-assurance type ID comprises:
    - generating a digital signature value Sign1 obtained by signing a source address of the input packet by using a private key; and
      
      generating a result of hashing the digital signature value Sign1 and a public key, as a self-assurance type ID.
  - 7. The authentication method of claim 5, wherein verifying whether the source address of the received packet has been spoofed comprises:
    - when a self-assurance type ID of the packet is received, determining whether the self-assurance type ID has been stored in a white list in which reliable source nodes are stored; and
      
      when the self-assurance type ID has been stored in the white list in which reliable source nodes are stored, verifying the self-assurance type ID.
  - 8. The authentication method of claim 7, further comprising:
    - when the self-assurance type ID of the packet has not been stored in the white list performing a procedure for verifying validity of the self-assurance type ID; and
      
      when the verification result is abnormal, storing the source node of the packet in the black list and deleting the packet.
  - 9. The authentication method of claim 8, further comprising, when the verification result is normal, storing the source node of the packet in the white list and transferring the packet to said transmitting the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Lee, Sang-Woo, Seo, Dong IL
Primary Examiner(s)
Patel, Nirav B
Assistant Examiner(s)
Waliullah, Mohammed

Application Number

US13/687,187
Publication Number

US 20130152189A1
Time in Patent Office

818 Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/0823   using certificates cryptogr...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

Authentication method and apparatus for detecting and preventing source address spoofing packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

221 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication method and apparatus for detecting and preventing source address spoofing packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

221 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links