« PreviousContinue »
INTERMEDIATE NETWORK AUTHENTICATION
BACKGROUND OF THE INVENTION
The present invention relates generally to network security in a distributed network or between networks, and more particularly to an internetwork authentication method which is capable of intermediate authentication as well as authen- 10 tication of fragmented data regardless of the network protocol.
Historically, most networking protocols and architectures have not included solid authentication or confidentiality mechanisms. The MIT Athena project has been the exception to this rule with its development of the Kerberos authentication system. This system is beginning to be implemented at some sites and some workstation manufacturers are considering implementing Kerberos in their standard OS releases, but the overwhelming majority of networked sites have no authentication or confidentiality mechanisms in their network architectures. The ISO (International Standards Organization) OSI (Open Standards Interconnection) suite provides for confidentiality services in the upper layers but does not require authentication of any of the lower layer protocols. These lower layer protocols have a number of security problems in protocols commonly used in the internet and have certain limitations intrinsic to the Kerberos protocols. The security issues in the ISO OSI suite appear to have gotten less attention than in the Internet suite because the Internet suite is more widely implemented at present.
Recently, the Internet Engineering Task Force has begun to incorporate authentication and confidentiality mechanisms in some protocols, notably the Simple Network Management Protocol (referred to as "SNMP") and Privacy Enhanced Mail. A few other recent protocol specifications, such as for the Border Gateway Protocol (referred to as "BGP") and Open Shortest Path First (referred to as "OSPF") routing protocols provide hooks for authentication to be added later but do not define or mandate any real authentication mechanism. The BGP version 3 specification explicitly states that the definition of authentication mechanisms other than the default "no authentication" option are out of the scope of the specification. Similarly, the OSPF version 2 specification asserts that "OSPF also provides for the authentication of routing updates,..." when in fact the only authentication mechanisms specified are "no authentication" or "cleartext password." Overall, there is no fundamental systemic security architecture in the Internet protocol suite at present.
Bellovin, in his article entitled "Security Problems in the TCP/IP Protocol Suite" ACM Computer Communications Review, Vol. 19, No. 2 (April 1989), pp. 32-^-8 identifies that there are security flaws in the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite because hosts rely on IP source address for authentication and also because routing protocols have minimal to no authentication. The Bellovin article is incorporated herein by reference. Similarly, the ISO protocol has not paid sufficient attention to building security mechanisms into the network, transport, or routing protocols.
Some proposed computer security policies, such as ClarkWilson, are not practical to implement using current network protocols, which rely on datagram fragmentation, unless intermediate authentication is provided. For a discussion of such policies, see D. D. Clark and D. R. Wilson, "A
Comparison of Commercial and Military Computer Security Policies," Proceedings of the 1987 IEEE Symposium on Security & Privacy, IEEE Computer Society, Oakland, Calif. (1987), which is incorporated herein by reference.
Aside from concerns about attacks, there is recently much interest in implementing policy-based routing, network usage accounting, and network auditing. None of these may be dependably implemented unless the network protocol headers may be authenticated by routers as well as the end hosts. If there is no intermediate authentication, then it is straight forward to spoof policy-based routing and to cause others to pay for one's network traffic. Without authentication, auditing cannot yield meaningful results. It is clear that network protocol header authentication is essential for both existing and future services.
Thus, there is a need for providing intermediate authentication in networking. By being able to authenticate a packet while in route, the possibility of host masquerading and network attacks are reduced. Additionally, policy-based routing, network usage accounting, and network auditing may be implemented.
SUMMARY OF THE INVENTION
It is therefore an object of the present invention to provide an authentication method which will provide for both intermediate authentication as well as host to host authentication in a datagram network that permits fragmentation of datagrams.
It is a further object to provide an accurate method for determining the network traffic generated by a particular host.
It is yet another object to provide a means for accurately billing a host for its use of network traffic and facilities.
It is yet another object to provide for detection of a non-valid host on a network.
It is yet another object to improve network reliability as well as network security.
It is yet another object to provide support for network auditing, network traffic counting, and policy based routing.
In all of the above embodiments, it is an object to provide an authentication system which utilizes an asymmetric key system in the authentication system.
It is still another object of the invention to provide an authentication system in which the first packet or datagram fragment is dynamically routed while all succeeding packet fragments or datagram fragments then follow the established path of the first packet fragment or datagram fragment.
According to one broad aspect of the present invention, there is provided a method for network authentication comprising the steps of: obtaining a network address and a public key for a receiving host; utilizing the public key from the receiving host in combination with a private key from the sending host to generate a cryptographic signature; transmitting the signature along with data through a first subnetwork in at least one packet; receiving at least one packet at the receiving host; and the receiving host utilizing a private key for said receiving host site and a public key for said sending host to verify said cryptographic signature.
According to another broad aspect of the invention, there is provided a method for network authentication of fragmented packets comprising the steps of: requesting a network address for a receiving host from a subnetwork name system; utilizing a private key from a sending host to generate a cryptographic signature; transmitting the signature along with data to a first subnetwork in at least one packet, having a first packet size which is different from that of the transmitting host and thereby fragmenting the original packet into at least two packet fragments, the packet fragments having a first packet fragment which is transmitted to 5 a first available intermediate gateway or router in the first subnetwork, and each subsequent fragment of that first packet fragment following the progress of the first packet fragment through the first subnetwork in a train-like fashion; reassembling the fragmented packets at an intermediate 10 gateway or router; performing a verification of the cryptographic signature on the reassembled packet; retransmitting the fragmented packets through the first subnetwork; receiving at least one packet at the receiving host; and utilizing a public key for the sending host to verify the cryptographic 15 signature.
By being able to provide both host to host authentication as well as intermediate authentication, the possibilities of host masquerading and network attacks are reduced or eliminated. Additionally, policy-based routing, network 20 usage accounting, and network auditing may be implemented.
Other objects and features of the present invention will be apparent from the following detailed description of the preferred embodiment.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will be further described in conjunction with the accompanying drawings, in which: 30
FIG. 1 is a flow chart illustrating a method utilized in a typical or prior art communications transaction between hostA and hostB in which no authentication is conducted in a network which may employ fragmentation of datagrams;
FIG. 2 is an exemplary network topography of communications between hostA and hostB according to the prior art;
FIG. 3 is a flow chart illustrating a first preferred communications transaction between hostA and hostB in which end to end authentication is conducted in a network which 40 may employ fragmentation of datagrams; and
FIG. 4 is a flow chart illustrating a second preferred communications transaction between hostA and hostB in which both intermediate and end to end authentication may be conducted in a network which may employ fragmentation 45 of datagrams.
DETAILED DESCRIPTION OF THE
With reference to the Figures, wherein like reference characters indicate like elements throughout the several views and, in particular, with reference to FIGS. 1 and 2, a generic method of host to host communication is illustrated. In order to appreciate the improvements associated with the 55 invention disclosed herein, a detailed description of the prior approach to network communication is essential.
In prior network communication applications, a host, genetically referred to as hostA or element 60 will wish to communicate with a hostB or element 83. HostA 60 may be 60 in the same subnetwork or network as host6 83 or may be in a different subnetwork or network. Network! 82 is the network containing hostA 60 and network2 84 is the network containing hostB 83. FIGS. 1 and 2 illustrate the condition where hostA 60 and hostB 83 are in different subnetworks. 65 When hostA 60 wishes to communicate with hostB 83, hostA 60 will obtain the address and key of hostB 83 from a
network name system via the networks or from a configuration table at hostA 60. This request is illustrated by box 10 in FIG. 1. The network name system will provide the network address of hostB 83 to hostA 60 as illustrated by box 12. Next, the network address is received by host,, 60, see box 14. After receiving the address, hostA 60 begins to transmit datagrams or packets towards hostB 83 via a gateway 62, see box 16. The physical communication protocol being used between hostA 60 and subnetwork 82 will vary with the particular type of host and network. The above described method is one of several well known methods for obtaining the network address of a host.
Subnetworkj 82, as illustrated by box 18, will then process data into packets which are link or subnetwork specific. A standard protocol which is utilized is the IP. In this protocol, datagrams or packets are formed from the data stream. Packets generally comprise a header section, a data section and a trailer section. The specific relationship between these sections or the existence of these sections are protocol specific and thus will not be discussed in any detail. The data may be fragmented by the creation of packets for subnetworkj 82 and thereby take different routes through subnetworkj 82 towards hostB 83. For illustrative purposes, three packets or fragmented packets, Pj, P2 and P3 are illustrated. These packets are transmitted through subnetworkj 82 by a conventional transmission method. Each packet or fragment may take a different route through the subnetwork as illustrated by lines 26, 28 and 30 which correspond to the routes of packets P^ P2 and P3, respectively. Thus, each packet may go through a different intermediate router 64, 66, 68 or 70 as illustrated in FIG. 2.
U.S. Pat. No. 5,175,765 to Perlman is exemplary of the drawbacks of the prior art. Perlman discloses an authentication system which utilizes an asymmetric key system to authenticate a data packet. This system utilizes a robust broadcasting technique and therefore is not capable of performing intermediate fragmentation or intermediate authentication for the reasons discussed above. Both of these capabilities are important for proper network usage accounting.
Eventually, packets P], P2 and P3 will migrate through subnetworkj 82 along the dashed lines in FIG. 2. In a configuration not shown, if hostB 83 were located within subnetworkj 82, hostB 83 would receive the packets and reassemble them to gain access to the data contained therein. HostB 83 would utilize this data and will assume that the sender, hostA 60, is the actual sender of the data. Thus, there would not be any end to end or intermediate authentication of the host or data. In this situation, the data would be fragmented only one time, i.e., during the creation of packets Pi, P2 and P3.
In the configuration shown in FIG. 2, hostB 83 is located in a different subnetwork! 84 than subnetwork] 82. Packets Pi, P2 and P3 will be transmitted from gateway 72 of subnetwork] 82 to gateway 74 of subnetwork2 84. This step is illustrated in FIG. 1 as block 32. The link/subnetwork protocols utilized in subnetwork] 82 may differ from those of subnetwork2 84. In this situation, subnetwork2 84 will create additional packets P4, P5, P6 and P7, see block 34. Four packets have been used for illustrative purposes only but any number of packets may be generated by subnetwork 84. Since the link or subnetwork protocols of subnetwork] 82 and subnetwork2 84 may be different, the size of the packets may also be different. Thus, the original data, header and trailer information of each packet in subnetwork] 82 may now appear in different packets in subnetwork2 84, i.e., the information from packet Pi may now be contained
between packets P4 and P5. Thus, the data has been fragmented for a second time. Packets P4, Ps, P6 and P7 are transmitted through the intermediate routers 76 and 78 of subnetwork2 84 along the dashed lines of subnetwork2 84 and in a similar fashion to that of subnetwork; 82 above. 5 There may be any number of intermediate routers and those used in FIG. 2 are for illustrative purposes only. Lines 44, 46, 48 and 50 illustrate the transmission concept in FIG. 1.
In such a technique, the ability to authenticate packets at an intermediate gateway or router, such as router 76, is 10 completely lost since each packet fragment may take a different route through subnetwork2 84. Additionally, since the information contained in packet Pj may be split between packets P4 and P5, it is impossible to assemble the information of packet P\ at an intermediate gateway or router. In 15 this situation, the original data is fragmented two times, i.e., once when packets P^ P2 and P3 are created and once when packets P4, P5, P6 and P7 are created.
Eventually, packets P4, P5, P6 and P7 will migrate through subnetwork2 84 along the dashed lines in FIG. 2. HostB 83 will receive the packets and reassemble them to gain access to the data contained therein, see blocks 52 through 56. HostB 83 will utilize this data and will assume that the sender, hostA 60, is the actual sender of the data. Thus, there is no end to end or intermediate authentication of the host or 25 data.
Several U.S. Patents have touched on the subject of authentication. For example, U.S. Pat. No. 4,965,827 to McDonald discloses an authentication algorithm for verify- 3Q ing that a message has not been corrupted or changed during transmission. This method utilizes a symmetric cryptographic hash function which is only used for the authentication of the data. In a symmetric key system, the same key is used for encryption and decryption and does not provide 3J the protection of an asymmetric key system. The McDonald system provides no means for authenticating that a particular host has actually sent the data. Thus, a host may masquerade as a valid host and send invalid data over the network. Additionally, network applications including intermediate 4Q authentication are not described by the McDonald patent. As another example of a U.S. Patent discussing authentication, U.S. Pat. No. 5,241,599 to Bellovin et al., discloses a key management protocol which could be used over a network which is not secure. 45
The above description provides a basic understanding of how data is transferred between host^ 60 and hostB 83. Now we will turn to a new method of host authentication as illustrated in FIGS. 3 and 4. FIG. 3 illustrates a host to host authentication method and FIG. 4 illustrates a host to 50 intermediate gateway or router authentication method. Like reference numerals have been utilized where there is no significant difference between the invention and the prior art. Primes above the reference numerals have been utilized where the elements are similar to the prior art but have 55 additional features or modifications. Finally, new reference numerals are provided for new steps which are conducted.
reference. In a symmetric key system, the same key is used for encryption and decryption. When providing confidentiality using an asymmetric system, each party has two keys, one public and one private, and data is usually encrypted using the sender's private key and the recipients public key. When providing authentication using an asymmetric system, the data and the keys are used to generate a digital signature. That signature is verified by the recipient using the data received and the appropriate decryption keys.
Host to Host Authentication
Turning now to FIG. 3, the steps involved in a new method of host authentication are illustrated. A host, generically refereed to as hostA or element 60 will wish to communicate with a hostB or element 83. HostB 83 may be in the same subnetwork or network 82 as hostA 60 or may be in a different subnetwork or network 84. FIGS. 1 and 2 illustrate the condition where hostA 60 and hostB 83 are in different subnetworks, 82 and 84, respectively. When host^ 60 wishes to communicate with hostB 83, hostA 60 will request the address and public key of hostB 83 from a subnetwork name system. This request is illustrated by box 10' in FIG. 3. The public key request is important in this new method and its importance will be discussed in detail below.
Subnetwork Name System
It is possible to distribute the public keys to all hosts and users of the internetwork, see Mockapetris, Paul, Domain Names—Implementation and Specification, RFC-1035, DDN Network Information Center (November, 1987) which is hereby incorporated by reference. Public keys for hosts are included in the nameservice database and all nameservice responses are authenticated. This means that all of host public keys are distributed in an authenticated manner. Name service requests need not be authenticated or confidential in the general case. However, if the visibility of some data in the nameservice database is to be controlled, then authenticated confidential requests would be required to access non-published data and authenticated confidential responses to such requests would also be required. The public keys for the root nameservers should be made readily available, such as by telephone and postal mail, so that system administrators may have confidence in the authenticity of the root public key. Otherwise, if the correct root public key were not widely known, an intruder would be easily able to masquerade as the legitimate nameserver.
Because the user and application level keys are distributed using mechanisms implemented in the local host, those keys may be changed easily by the user without much concern for the key change being delayed in propagation to all of the directory or network name service providers. Host keys are less easily changed, but such changes should be regularly scheduled in order to limit damage from compromised keys.
Modifications To Current Protocol
This section described additions and changes to the Internet Protocol suite to enable its use to distribute asymmetric keys and to enable its responses to be authenticated.
A new TYPE field is added to the resource records in the Domain Name System. This new field contains a signed asymmetric host authentication key to be used by hosts attempting to authenticate network packets. Each host which transmits any authenticated frames must have this record in the Domain Name System (referred to as "DNS") and the value of the record must be correctly advertised. The pro