Encrypted network addresses

US 10,469,513 B2
Filed: 12/22/2016
Issued: 11/05/2019
Est. Priority Date: 10/05/2016
Status: Active Grant

First Claim

Patent Images

1. A system to provide digitally signed network addresses, the system comprising:

a domain name system (DNS) computing device configured with computer-executable instructions to;

obtain a request to resolve a domain name into a network address;

determine a routing prefix of the network address, wherein the routing prefix is associated with a network including a content server associated with the domain name;

determine a time-to-live (TTL) value for the network address;

encrypt with a cryptographic public key (i) the TTL value and (ii) a time of generation of the network address to result in an encrypted portion;

generate the network address, wherein the network address includes at least the routing prefix and the encrypted portion, and wherein the network address is formatted to include the routing prefix as a first set of bits within the network address and the encrypted portion as a second set of bits within the network address; and

return the network address in response to the request; and

a router computing device associated with the network and configured with computer-executable instructions to;

obtain a data packet addressed to the network address;

decrypt the encrypted portion of the network address using a cryptographic private key, corresponding to the cryptographic public key, to result in the TTL value and the time of generation of the network address; and

route the data packet based at least in part on whether a current time exceeds an expiration time determined by incrementing the time of generation of the network address by the TTL value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.

1497 Citations

15 Claims

1. A system to provide digitally signed network addresses, the system comprising:
- a domain name system (DNS) computing device configured with computer-executable instructions to;
  
  obtain a request to resolve a domain name into a network address;
  
  determine a routing prefix of the network address, wherein the routing prefix is associated with a network including a content server associated with the domain name;
  
  determine a time-to-live (TTL) value for the network address;
  
  encrypt with a cryptographic public key (i) the TTL value and (ii) a time of generation of the network address to result in an encrypted portion;
  
  generate the network address, wherein the network address includes at least the routing prefix and the encrypted portion, and wherein the network address is formatted to include the routing prefix as a first set of bits within the network address and the encrypted portion as a second set of bits within the network address; and
  
  return the network address in response to the request; and
  
  a router computing device associated with the network and configured with computer-executable instructions to;
  
  obtain a data packet addressed to the network address;
  
  decrypt the encrypted portion of the network address using a cryptographic private key, corresponding to the cryptographic public key, to result in the TTL value and the time of generation of the network address; and
  
  route the data packet based at least in part on whether a current time exceeds an expiration time determined by incrementing the time of generation of the network address by the TTL value.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the router computing device is configured to route the data packet based at least in part on the decrypted information by routing the data packet to the content server.
  - 3. The system of claim 1, wherein the network address is formatted as an Internet Protocol version 6 (IPv6) address.
  - 4. The system of claim 1, wherein the routing prefix represents routing information to route a data packet to the network including the content server from a publically addressable network.

5. A computer-implemented method comprising:
- obtaining a DNS request to resolve a domain name into a network address;
  
  determining a routing prefix of the network address, wherein the routing prefix is associated with a network including a computing device associated with the domain name;
  
  determining a time-to-live (TTL) value for the network address;
  
  encrypting with a cryptographic public key (i) the TTL value and (ii) a time of generation of the network address to result in an encrypted portion;
  
  generating the network address, wherein the network address includes at least the routing prefix and the encrypted portion, and wherein the network address is formatted to include the routing prefix as a first set of bits within the network address and the encrypted portion as a second set of bits within the network address;
  
  returning the network address in response to the request;
  
  obtaining a data packet addressed to the network address;
  
  decrypting the encrypted portion of the network address using a cryptographic private key, corresponding to the cryptographic public key, to result in the TTL value and the time of generation of the network address; and
  
  routing the data packet based at least in part on whether a current time exceeds an expiration time determined by incrementing the time of generation of the network address by the TTL value.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The computer-implemented method of claim 5, wherein the encrypted portion further includes, in encrypted form, at least one of a value assigned to the content server, DNS-level information associated with the DNS request, or a digital signature associated with a DNS server.
  - 7. The computer-implemented method of claim 5, wherein the DNS-level information includes at least one of the domain name, security information associated with the domain name, timing information of the DNS request, or information specifying a source of the DNS request.
  - 8. The computer-implemented method of claim 7 further comprising generating the DNS-level information by encoding at least one of the domain name according to one or more encoding rules.
  - 9. The computer-implemented method of claim 5, wherein the encrypted portion further includes, in encrypted form, the domain name, wherein decrypting the encrypted portion further results in the domain name, and wherein the method further comprises routing the data packet to the content server associated with the domain name.
  - 10. The computer-implemented method of claim 5, wherein the encrypted portion further includes, in encrypted form, a digital signature, wherein decrypting the encrypted portion further results in the digital signature, and wherein the method further comprises:
    - checking a validity of the digital signature utilizing a second cryptographic public key; and
      
      routing the data packet based at least in part on the validity of the encrypted value by at least one of routing the data packet to a content server when the encrypted value is valid or discarding the data packet when the encrypted value is invalid.

11. Non-transitory computer-readable media comprising:
- first computer-executable instructions that, when executed, cause a computing system to;
  
  obtain information corresponding to a DNS request to resolve a domain name into a network address;
  
  determine a routing prefix of the network address, wherein the routing prefix is associated with a network including a content server associated with the domain name;
  
  determine a time-to-live (TTL) value for the network address;
  
  encrypt with a cryptographic public key (i) the TTL value and (ii) a time of generation of the network address to result in an encrypted portion;
  
  generate the network address, wherein the network address includes at least the routing prefix and the encrypted portion, and wherein the network address is formatted to include the routing prefix as a first set of bits within the network address and the encrypted portion as a second set of bits within the network address; and
  
  return the network address in response to the request; and
  
  second computer executable instructions that, when executed by a router computing device, cause the router computing device to;
  
  obtain a data packet addressed to the network address;
  
  decrypt the encrypted portion of the network address using a cryptographic private key, corresponding to the cryptographic public key, to result in the TTL value and the time of generation of the network address; and
  
  route the data packet based at least in part on whether a current time exceeds an expiration time determined by incrementing the time of generation of the network address by the TTL value.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory computer-readable media of claim 11, wherein the computer-executable instructions further cause the computing system to:
    - hash at least a portion of the network address according to a cryptographic hash function to result in a hash value; and
      
      encrypt the hash value according to a cryptographic private key of a DNS server to result in a digital signature;
      
      wherein the network address further includes the digital signature.
  - 13. The computer-implemented method of claim 11, wherein the encrypted portion further includes, in encrypted form, a digital signature, wherein decrypting the encrypted portion further results in the digital signature, and wherein the second computer executable instructions further cause the router computing device to check a validity of the digital signature utilizing a second cryptographic public key, and wherein the second computer executable instructions cause the router computing device to route the data packet further based at least in part on the validity of the encrypted value by at least one of routing the data packet to a content server when the encrypted value is valid or discarding the data packet when the encrypted value is invalid.
  - 14. The non-transitory computer-readable media of claim 11, wherein the computer-executable instructions cause the computing system to determine an additional portion of the network address by encoding DNS-level information associated with the DNS request according to one or more encoding rules, and wherein the encrypted portion further includes an encrypted representation of the additional portion.
  - 15. The non-transitory computer-readable media of claim 11, wherein the network address further comprises a version identifier indicating at least one of the cryptographic public key or a cryptographic private key corresponding to the cryptographic public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Uppal, Hardeep Singh, Vasquez, Jorge, Howard, Craig Wesley, Radlein, Anton Stephen
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Ahsan, Syed M

Application Number

US15/389,314
Publication Number

US 20180097634A1
Time in Patent Office

1,048 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 2101/659   Internet protocol version 6...

H04L 45/20   Hop count for routing purpo...

H04L 45/7453   using hashing

H04L 61/4511   using domain name system [DNS]

H04L 63/0428   wherein the data content is...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

Encrypted network addresses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

1497 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Encrypted network addresses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1497 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links