Network device and method for processing a session using a packet signature

US 9,729,682 B2
Filed: 05/18/2015
Issued: 08/08/2017
Est. Priority Date: 05/18/2015
Status: Active Grant

First Claim

Patent Images

1. A network routing device for processing a session of an IP network having a plurality of nodes, the plurality of nodes including a next node having a next authentication key, the network routing device having a current authentication key distinct from the next authentication key and comprising:

an input interface at least partially implemented by an electronic circuit and configured to receive a first session packet, the first session packet having a digital signature, payload data, and meta-data;

wherein the session comprises the first session packet, a plurality of intermediate session packets, and a last session packet, the signature module being configured to digitally sign the first session packet only, the intermediate session packets being forwarded after receipt without a digital signature;

a signature module at least partially implemented by an electronic circuit and operatively coupled with the input interface, the signature module being configured to process the digital signature using the current authentication key to produce a processed digital signature, the signature module also being configured to process the payload data and the meta-data to produce validation information, the signature module further being configured to compare the processed digital signature and the validation information to determine if they match, the signature module further being configured to

1) discard the first session packet when there is not a match, and

2) digitally sign the first session packet using the next authentication key when there is a match; and

an output interface at least partially implemented by an electronic circuit and operatively coupled with the signature module, the output interface being configured to route the first session packet, after digitally signing, to the next node via the IP network using a Layer 3 protocol.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method processes a session having a first session packet received by a current node in an IP network having a plurality of nodes. The plurality of nodes includes a next node, and the current node that communicates with the next node using a Layer 3 protocol. The method receives the first session packet, which has a digital signature, payload data, and meta-data, at the current node. The method uses the payload data and meta-data to produce validation information, and uses the digital signature to produce a comparator digital signature. Next, the method compares the validation information with the comparator digital signature. If the validation information does not match the comparator digital signature, then the method discards the first session packet. If there is a match, then the method digitally signs the first session packet, and routes the first session packet to the next node via the IP network.

88 Citations

View as Search Results

28 Claims

1. A network routing device for processing a session of an IP network having a plurality of nodes, the plurality of nodes including a next node having a next authentication key, the network routing device having a current authentication key distinct from the next authentication key and comprising:
- an input interface at least partially implemented by an electronic circuit and configured to receive a first session packet, the first session packet having a digital signature, payload data, and meta-data;
  
  wherein the session comprises the first session packet, a plurality of intermediate session packets, and a last session packet, the signature module being configured to digitally sign the first session packet only, the intermediate session packets being forwarded after receipt without a digital signature;
  
  a signature module at least partially implemented by an electronic circuit and operatively coupled with the input interface, the signature module being configured to process the digital signature using the current authentication key to produce a processed digital signature, the signature module also being configured to process the payload data and the meta-data to produce validation information, the signature module further being configured to compare the processed digital signature and the validation information to determine if they match, the signature module further being configured to
  
  1) discard the first session packet when there is not a match, and
  
  2) digitally sign the first session packet using the next authentication key when there is a match; and
  
  an output interface at least partially implemented by an electronic circuit and operatively coupled with the signature module, the output interface being configured to route the first session packet, after digitally signing, to the next node via the IP network using a Layer 3 protocol.
- View Dependent Claims (2, 3, 4)
- - 2. The network routing device as defined by claim 1 wherein the signature module is configured to apply a hash function to the payload data and meta-data to produce the validation information.
  - 3. The network routing device as defined by claim 1 wherein the meta-data includes data relating to 1) the session, 2) the payload data, or 3) both the session and payload data.
  - 4. The network routing device as defined by claim 1 further comprising:
    - a key manager operatively coupled with the signature module, the key manager being configured to retrieve the next authentication key from a key network device across the network, the key network device having a copy of authentication keys for a set of the plurality of nodes.

5. A method of processing a session having a first session packet received by a current node in an IP network having a plurality of nodes, the plurality of nodes including a next node, the current node configured to communicate with the next node using a Layer 3 protocol, the method comprising:
- receiving the first session packet at the current node, the first session packet having a digital signature, payload data, and meta-data, wherein the session comprises the first session packet, a plurality of intermediate session packets, and a last session packet, the method digitally signing and forwarding the first session packet only;
  
  processing the payload data and the meta-data to produce validation information;
  
  processing the digital signature using a given authentication key to produce a processed digital signature;
  
  comparing the validation information with the processed digital signature;
  
  discarding the first session packet if the validation information does not match the processed digital signature;
  
  digitally signing the first session packet with a next authentication key of the next node if the validation information matches the processed digital signature, the next authentication key being distinct from the given authentication key; and
  
  routing the first session packet, after digitally signing, to the next node via the IP network.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. The method as defined by claim 5 wherein the current node has the given authentication key.
  - 7. The method as defined by claim 6 wherein the next node has a next authentication key, digitally signing the first session packet comprising digitally signing the first session packet using the next authentication key, the payload and the meta-data.
  - 8. The method as defined by claim 5 wherein the current node comprises a router device.
  - 9. The method as defined by claim 5 wherein the validation information matches the processed digital signature when the validation information is substantially exactly the same as the processed digital signature.
  - 10. The method as defined by claim 5 wherein the given authentication key comprises a public-private key pair, or a symmetric key.
  - 11. The method as defined by claim 5 wherein the network includes a public network having a source node and a destination node, the first session packet being received from the source node via a set of nodes, the first session packet having the destination node address as the ultimate destination of the first session packet.
  - 12. The method as defined by claim 5 wherein processing the payload and meta-data comprises processing the payload and meta-data using a one-way hash function.
  - 13. The method as defined by claim 5 further comprising:
    - receiving a second session packet at the current node, the second session packet having a second digital signature, second payload data, and second meta-data;
      
      processing the second payload data and the second meta-data to produce second validation information;
      
      processing the second digital signature using the given authentication key to produce a second processed digital signature;
      
      comparing the second validation information with the second processed digital signature;
      
      discarding the second session packet if the second validation information does not match the second processed digital signature;
      
      digitally signing the second session packet if the second validation information matches the second processed digital signature; and
      
      routing the second session packet, after digitally signing, to the next node via the IP network.
  - 14. The method as defined by claim 5 wherein the meta-data includes data relating to 1) the session, 2) the payload data, or 3) both the session and payload data.
  - 15. The method as defined by claim 5 wherein the first session packet comprises a SYN packet of the TCP protocol.
  - 16. The method as defined by claim 5 further comprising:
    - starting up the current node; and
      
      retrieving a next authentication key, for the next node, from a key network device across the network, the key network device having a copy of the authentication keys for a set of the plurality of nodes.
  - 17. The method as defined by claim 5 wherein the given authentication key is the authentication key for the current node,further wherein the next node has a next authentication key, the method digitally signing the first packet using the next authentication key if the authentication data matches both the payload data and meta-data.

18. A computer program product for use on a computer system for processing a session having a first session packet received by a current node in an IP network having a plurality of nodes, the plurality of nodes including a next node, the current node configured to communicate with the next node using a Layer 3 protocol, the computer program product comprising a tangible, non-transitory computer usable medium having computer readable program code stored thereon, the computer readable program code when executed by a microprocessor performing the steps of:
- receiving the first session packet at the current node, the first session packet having a digital signature, payload data, and meta-data, wherein the session comprises the first session packet, a plurality of intermediate session packets, and a last session packet, the program code being configured to digitally sign and forward the first session packet only;
  
  processing the payload data and the meta-data to produce validation information;
  
  processing the digital signature using a given authentication key to produce a processed digital signature;
  
  comparing the validation information with the processed digital signature;
  
  discarding the first session packet if the validation information does not match the processed digital signature;
  
  digitally signing the first session packet with a next authentication key of the next node if the validation information matches the processed digital signature, the next authentication key being distinct from the given authentication key; and
  
  routing the first session packet, after digitally signing, to the next node via the IP network.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The computer program product as defined by claim 18 wherein the current node has the given authentication key.
  - 20. The computer program product as defined by claim 19 wherein the next node has a next authentication key, the program code for digitally signing the first session packet comprising program code for digitally signing the first session packet using the next authentication key, the payload and the meta-data.
  - 21. The computer program product as defined by claim 18 wherein the validation information matches the processed digital signature when the validation information is substantially exactly the same as the processed digital signature.
  - 22. The computer program product as defined by claim 18 wherein the current authentication key comprises a public-private key pair, or a symmetric key.
  - 23. The computer program product as defined by claim 18 wherein the meta-data includes data relating to 1) the session, 2) the payload data, or 3) both the session and payload data.

24. A method of processing a session having a first session packet received by a current node in an IP network having a plurality of nodes, the plurality of nodes including a next node, the current node configured to communicate with the next node using a Layer 3 protocol, the method comprising:
- receiving the first session packet at the current node, the first session packet having a digital signature, payload data, and meta-data, wherein the session comprises the first session packet, a plurality of intermediate session packets, and a last session packet, the method digitally signing and forwarding the first session packet only;
  
  using the payload data and the meta-data to produce validation information;
  
  using the digital signature to produce a comparator digital signature;
  
  comparing the validation information with the comparator digital signature;
  
  discarding the first session packet if the validation information does not match the comparator digital signature;
  
  digitally signing the first session packet with a next authentication key of the next node if the validation information matches the comparator digital signature, the next authentication key being distinct from the given authentication key; and
  
  routing the first session packet, after digitally signing, to the next node via the IP network.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The method as defined by claim 24 wherein using the payload data and the meta-data comprises using a hash function to produce the validation information.
  - 26. The method as defined by claim 24 wherein the current node has a given key, the method using the given key to produce the comparator digital signature.
  - 27. The method as defined by claim 24 wherein the validation information comprises the raw payload data and meta-data.
  - 28. The method as defined by claim 24 wherein the next node has an associated next authentication key, digitally signing comprising using the next authentication key to digitally sign the first session packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
128 Technology, Inc. (Juniper Networks Incorporated)
Original Assignee
128 Technology, Inc. (Juniper Networks Incorporated)
Inventors
Kumar, Prashant, Timmons, Patrick, MeLampy, Patrick J.
Primary Examiner(s)
Lagor, Alexander

Application Number

US14/715,036
Publication Number

US 20160344715A1
Time in Patent Office

813 Days
Field of Search

726 3, 726 13, 726 22, 726 23
US Class Current
CPC Class Codes

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 67/01   Protocols

H04L 67/06   specially adapted for file ...

H04L 67/14   Session management for real...

H04L 69/22   Parsing or analysis of headers

H04L 69/325   in the network layer [OSI l...

Network device and method for processing a session using a packet signature

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

88 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Network device and method for processing a session using a packet signature

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links