Digitally signed network address

US 10,505,961 B2
Filed: 12/22/2016
Issued: 12/10/2019
Est. Priority Date: 10/05/2016
Status: Active Grant

First Claim

Patent Images

1. A system to provide digitally signed network addresses, the system comprising:

a domain name system (DNS) computing device configured with computer-executable instructions to;

obtain a request to resolve a domain name into a network address;

determine a portion of the network address based at least in part on the domain name;

hash the portion of the network address according to a cryptographic hash function to result in a hash value;

encrypt the hash value with a cryptographic private key to result in a digital signature;

combine at least the portion and the digital signature to result in the network address, wherein the network address is represented by at least a set of bits, and wherein a first subset of bits within the network address represents the portion of the network address and wherein a second subset of bits within the network address represents the digital signature; and

return the network address in response to the request; and

a router computing device configured with computer-executable instructions to;

obtain a data packet addressed to the network address including the first subset of bits representing the portion and the second subset of bits representing digital signature;

hash the portion of the network address according to the cryptographic hash function to result in a second hash value;

decrypt the digital signature, as represented by the second subset of bits within the network address to which the data packet was addressed, with a cryptographic public key corresponding to the cryptographic private key to result in a decryption output;

compare the decryption output and the second hash value to determine a validity of the digital signature represented by the second subset of bits within the network address to which the data packet was addressed; and

route the data packet based at least in part on the validity of the digital signature represented by the second subset of bits within the network address to which the data packet was addressed.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.

1517 Citations

21 Claims

1. A system to provide digitally signed network addresses, the system comprising:
- a domain name system (DNS) computing device configured with computer-executable instructions to;
  
  obtain a request to resolve a domain name into a network address;
  
  determine a portion of the network address based at least in part on the domain name;
  
  hash the portion of the network address according to a cryptographic hash function to result in a hash value;
  
  encrypt the hash value with a cryptographic private key to result in a digital signature;
  
  combine at least the portion and the digital signature to result in the network address, wherein the network address is represented by at least a set of bits, and wherein a first subset of bits within the network address represents the portion of the network address and wherein a second subset of bits within the network address represents the digital signature; and
  
  return the network address in response to the request; and
  
  a router computing device configured with computer-executable instructions to;
  
  obtain a data packet addressed to the network address including the first subset of bits representing the portion and the second subset of bits representing digital signature;
  
  hash the portion of the network address according to the cryptographic hash function to result in a second hash value;
  
  decrypt the digital signature, as represented by the second subset of bits within the network address to which the data packet was addressed, with a cryptographic public key corresponding to the cryptographic private key to result in a decryption output;
  
  compare the decryption output and the second hash value to determine a validity of the digital signature represented by the second subset of bits within the network address to which the data packet was addressed; and
  
  route the data packet based at least in part on the validity of the digital signature represented by the second subset of bits within the network address to which the data packet was addressed.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the router computing device is configured to route the data packet based at least in part on the validity of the digital signature by at least one of routing the data packet to a content server when the digital signature is valid or discarding the data packet when the digital signature is invalid.
  - 3. The system of claim 1, wherein the network address is formatted as an Internet Protocol version 6 (IPv6) address.

4. A computer-implemented method comprising:
- obtaining a DNS request to resolve a domain name into a network address;
  
  determining a portion of the network address based at least in part on the DNS request;
  
  hashing the portion of the network address according to a cryptographic hash function to result in a hash value;
  
  encrypting the hash value with a cryptographic private key to result in an encrypted value representing the portion of the network address in a hashed and encrypted form;
  
  combining at least the portion and the encrypted value to result in the network address, wherein the network address is represented by at least a set of bits, and wherein a first subset of bits within the network address represents the portion of the network address and wherein a second subset of bits within the network address represents the encrypted value representing the portion of the network address in the hashed and encrypted form; and
  
  returning the network address, including the first subset of bits that represents the portion and the second subset of bits that represents the encrypted value representing the portion in the hashed and encrypted form, in response to the request.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 5. The computer-implemented method of claim 4 further comprising:
    - obtaining a data packet addressed to the network address including the first subset of bits that represents the portion and the second subset of bits that represents the encrypted value representing the portion in the hashed and encrypted form;
      
      hashing the portion of the network address according to the cryptographic hash function to result in a second hash value;
      
      decrypting the encrypted value, as represented by the second subset of bits within the network address to which the data packet was addressed, with a cryptographic public key to result in a decryption output;
      
      comparing the decryption output and the second hash value to determine a validity of the encrypted value represented by the second subset of bits within the network address to which the data packet was addressed; and
      
      routing the data packet based at least in part on the validity of the encrypted value represented by the second subset of bits within the network address to which the data packet was addressed.
  - 6. The computer-implemented method of claim 5, the method is performed without inspection of the content of the data packet.
  - 7. The computer-implemented method of claim 5, wherein routing the data packet based at least in part on the validity of the encrypted value comprises at least one of routing the data packet to a content server when the encrypted value is valid or discarding the data packet when the encrypted value is invalid.
  - 8. The computer-implemented method of claim 5, wherein the private key is included in a set of private keys, wherein individual private keys of the set of private keys are associated with individual time periods, wherein the cryptographic private key is selected according to a time of the encrypting, and wherein the cryptographic public key is selected according to a time of the decrypting.
  - 9. The computer-implemented method of claim 4, wherein hashing the portion of the network address according to the cryptographic hash function comprises hashing a combination of the portion and a routing prefix according to the cryptographic hash function.
  - 10. The computer-implemented method of claim 4, wherein the network address further includes a third subset of bits representing a routing prefix.
  - 11. The computer-implemented method of claim 4, wherein the portion of the network address represents DNS-level information associated with the DNS request, the DNS-level information including at least one of the domain name, security information associated with the domain name, timing information of the DNS request, or information specifying a source of the DNS request.
  - 12. The computer-implemented method of claim 4, wherein the portion of the network address includes a cryptographic public key.
  - 13. The computer-implemented method of claim 4 further comprising providing a cryptographic public key to an originating device of the DNS request, wherein the originating device is configured to:
    - obtain the network address;
      
      hashing the portion of the network address according to the cryptographic hash function to result in a second hash value;
      
      decrypting the encrypted value with the cryptographic public key to result in a decryption output; and
      
      comparing the decryption output and the second hash value to determine a validity of the network address.

14. Non-transitory computer-readable media comprising computer-executable instructions that, when executed, cause a computing system to:
- obtain a request for a network address, wherein the request includes DNS-level information associated with a DNS request to resolve a domain name into the network address;
  
  determine a portion of the network address based at least in part on the DNS request;
  
  hash the portion of the network address according to a cryptographic hash function to result in a hash value;
  
  encrypt the hash value with a private key to result in an encrypted value representing the portion of the network address in a hashed and encrypted form;
  
  combine at least the portion and the encrypted value to result in the network address, wherein the network address is represented by at least a set of bits, and wherein a first subset of bits within the network address represents the portion of the network address and wherein a second subset of bits within the network address represents the encrypted value representing the portion of the network address in the hashed and encrypted form; and
  
  return the network address, including the first subset of bits that represents the portion and the second subset of bits that represents the encrypted value representing the portion in the hashed and encrypted form, in response to the request.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The non-transitory computer-readable media of claim 14, wherein the request for the network address is at least one of the DNS request or a request generated in response to the DNS request.
  - 16. The non-transitory computer-readable media of claim 14, wherein the computer-executable instructions cause the computing system to determine the portion of the network address based at least in part on the DNS request by referencing information mapping the network address to the portion.
  - 17. The non-transitory computer-readable media of claim 14, wherein the computer-executable instructions cause the computing system to determine the portion of the network address based at least in part on the DNS request by encoding the DNS-level information according to one or more encoding rules.
  - 18. The non-transitory computer-readable media of claim 14, wherein the set of bits further comprises a third subset of bits that represents a version identifier, the version identifier indicating at least one of the cryptographic hash function or which bits, within the set of bits, correspond to the second subset of bits.
  - 19. The non-transitory computer-readable media of claim 14, wherein the computer-executable instructions further cause the computing system to:
    - obtain a data packet addressed to the network address including the first subset of bits that represents the portion and the second subset of bits that represents the encrypted value representing the portion in the hashed and encrypted form;
      
      hash the portion of the network address according to the cryptographic hash function to result in a second hash value;
      
      decrypt the encrypted value, as represented by the second subset of bits within the network address to which the data packet was addressed, with a cryptographic public key to result in a decryption output;
      
      compare the decryption output and the second hash value to determine a validity of the encrypted value represented by the second subset of bits within the network address to which the data packet was addressed; and
      
      route the data packet based at least in part on the validity of the encrypted value represented by the second subset of bits within the network address to which the data packet was addressed.
  - 20. The non-transitory computer-readable media of claim 19, wherein the computer-executable instructions further cause the computing system to route the data packet based at least in part on the validity of the encrypted value by at least one of routing the data packet to a content server when the encrypted value is valid or discarding the data packet when the encrypted value is invalid.
  - 21. The non-transitory computer-readable media of claim 14, wherein the computer-executable instructions further cause the computing system to encrypt the network address according to a cryptographic public key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Uppal, Hardeep Singh, Vasquez, Jorge, Howard, Craig Wesley, Radlein, Anton Stephen
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US15/389,302
Publication Number

US 20180097631A1
Time in Patent Office

1,083 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 2101/659   Internet protocol version 6...

H04L 45/20   Hop count for routing purpo...

H04L 45/7453   using hashing

H04L 61/4511   using domain name system [DNS]

H04L 63/0428   wherein the data content is...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

Digitally signed network address

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

1517 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Digitally signed network address

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1517 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links