Method and apparatus for authentication of client server...

Cryptography – Particular algorithmic function encoding – Nbs/des algorithm

Reissue Patent


Details

C380S028000, C380S030000


active

RE037178

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to the field of network communications.
2. Background Art
Personal computers, or workstations, may be linked through a computer network to allow the sharing of data, applications, files, processing power, communications and other resources, such as printers, modems, mass storage and the like. Generally, the sharing of resources is accomplished through the use of a network server. The server is a processing unit dedicated to managing the centralized resources, managing data and sharing these resources with other PC's and workstations, often referred to as “clients”. The server, network and PC's or workstations, combined together, constitute a client/server computer network. An example of a client/server network model is illustrated in FIG. 1.
FIG. 1 illustrates a client machine 101 coupled to a server machine 102. The client machine 101 may be a PC, workstation, etc. The server machine may be a dedicated processor, PC, workstation, etc., that includes mass storage on which files are stored. Typically, the mass storage is a disk drive or other suitable device.
The client machine 101 is comprised of a client 102 that communicates with a client stub 103. The client stub 103 communicates with a transport entity 104. The server machine 105 includes a server 106, server stub 107, and transport entity 108.
Referring to the client machine 101, the client 102 is a local processor that utilizes files of the server. The client stub 103 is a collection of local procedures that enable the client to access the server. The transport entity 104 provides access to the network, or “wire” 109. Wire 109 refers to the communications medium between the client and server and may be an actual hardwired communications medium, or may be a wireless connection. Similarly, the server stub 107 is a collection of procedures that enable the server to communicate with the client, and transport entity 108 provides access from the server to the wire 109.
In operation, communication between the client and server is in the form of requests (from the client) and replies (from the server). This communication is in the form of remote procedure calls. The client is analogous to an application calling a procedure and getting a result. The difference is that the procedure is not necessarily on the same machine as the client 101, but rather on the server machine 105.
Initially, the client 102 calls a stub procedure located on the client machine in the client stub 103 (resident in the client 102 local address space). The client stub 103 constructs a message from the call and provides it to the transport entity 104. The transport entity 104 communicates the message on the wire 109 to the server machine 105. At the server, the transport entity 108 passes the message to the server stub 107. The server stub then calls the appropriate server procedure from the server 106. The server 106 operates on the message and then returns the procedure and any result to the server stub 107. The server stub 107 constructs a reply message and provides it to the transport entity 108. The reply message is sent to the transport entity 104 of the client machine 101 over the wire 109. The transport entity provides the reply message to the client stub 103. The client stub 103 returns the procedure and any value returned by the server to the client 102.
On a computer network, clients and users have different levels of privileges. Certain functions, adding users, deleting users, changing passwords, etc., are restricted to the highest privileged users. These users and clients are often network administrators, and it is necessary for these users to be able to modify the network as necessary. In addition, there may be certain types of files or activities that are restricted from most users. For example, financial data is often restricted to users who have a need to know or use the financial data. Generally, other users are not permitted to access that data.
In a client/server model, messages are transported as “packets”. An example of a message packet is illustrated in FIG. 3A. The message consists of a 4-byte length header (low high) indicator 301. The length header 301 identifies the length of the message that follows and includes the following information:
CheckSum
PacketLength
TransportControl
PacketType
DestinationNet
DestinationNode
DestinationSocket
SourceNet
SourceNode
SourceSocket
The length header 301 is followed by a request code 302. The request code 302 is the particular type of procedure being requested by the client. The request code 302 is followed by data 303. The data 303 may be of variable length.
One particular type of message packet is referred to as an “NCP packet”, where NCP refers to NetWare Core Protocol. (NetWare is a trademark of Novell, Corporation of Provo, Utah). NetWare is an operating system for network systems. An NCP packet includes the following additional information in the length header:
packet type
sequence number
connection low
task
connection high
The standard portion of the message packet provides source address, destination address and length, among other pieces of information. The NCP portion includes a connection number and a sequence number. The station connection number provides the server with an index into a table of active stations. The server uses the active station table to track information about that station's session, including the station's network address and sequence number.
The connection number is used in part as a security check. When a server receives a request packet, it uses the packet's connection number as an index into its connection table. The request packet's network address must match the network address stored in the connection table entry corresponding to the connection number contained in the request packet. This is one method of validating a request packet.
The sequence number is also used to validate packets. The sequence number is a byte that is maintained by both the server and the client. When the client sends a request packet, that client increments the sequence number. Likewise, when a server receives a request packet, it increments that client's sequence number (stored in the server's connection table). The sequence number wraps around on every 256th request made by the client (because it is one byte in length).
Before incrementing the client's sequence number, the server checks the sequence number against a list of already-received request packets. This check is to ensure that the server does not service duplicate request packets. If the sequence number does not indicate a duplicate request packet, the server checks the request packet's sequence number against the sequence number stored in the server's connection table. If these two numbers are not equal, the server discards the packet.
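The following Python model is an added illustration of the connection-number and sequence-number checks described above, written for this page; it is not Novell's or the patent's own implementation. It models a server connection table keyed by connection number, the network-address match against that table, the list of already-received sequence numbers, the equality check against the expected sequence number, and the one-byte wraparound on every 256th request. The packet fields are taken from the standard and NCP header portions listed earlier (source address, connection number, sequence number, request code); the address format, the request code values and the decision to clear the already-received list when the sequence number wraps are assumptions made for the example.

```python
"""Server-side validation of NCP-style request packets (added example).

Models the checks in the text: connection number -> table entry, source
network address must match the entry, reject already-received sequence
numbers, reject out-of-order sequence numbers, then advance with wrap at 256.
Address strings, request codes and the wrap handling are constructed
assumptions, not the real NetWare wire format.
"""
from dataclasses import dataclass, field

SEQ_MODULUS = 256  # the sequence number is one byte, so it wraps every 256th request


@dataclass
class RequestPacket:
    source_address: str     # station network address from the standard header (constructed format "net:node")
    connection_number: int  # connection low/high from the NCP portion, index into the connection table
    sequence_number: int    # one-byte sequence number maintained by the client
    request_code: int       # procedure being requested (assumed value for illustration)


@dataclass
class ConnectionEntry:
    network_address: str            # address recorded when the station connected
    expected_sequence: int = 0      # the server's copy of the client's sequence number
    received: set = field(default_factory=set)  # sequence numbers already serviced in this 256-window


class ConnectionTable:
    """Active station table indexed by connection number."""

    def __init__(self):
        self.entries = {}

    def connect(self, connection_number, network_address):
        self.entries[connection_number] = ConnectionEntry(network_address)

    def validate(self, pkt):
        """Return (accepted, reason). Only on acceptance is the entry's
        sequence number advanced, as the text describes."""
        entry = self.entries.get(pkt.connection_number)
        if entry is None:
            return False, "unknown connection number"
        if entry.network_address != pkt.source_address:
            return False, "network address does not match connection table"
        if pkt.sequence_number in entry.received:
            return False, "duplicate request (already received)"
        if pkt.sequence_number != entry.expected_sequence:
            return False, "sequence number out of order"
        entry.received.add(pkt.sequence_number)
        entry.expected_sequence = (entry.expected_sequence + 1) % SEQ_MODULUS
        if entry.expected_sequence == 0:
            # Assumption: once the byte wraps, the old window of received
            # numbers is discarded so the next 0..255 can be accepted again.
            entry.received.clear()
        return True, "ok"


def run_scenario():
    """Constructed traffic against one connection: two legitimate requests,
    a replay of the first, a packet from another address that reuses the
    connection number, and a legitimate station skipping ahead."""
    station = "00000001:00A0C9001234"   # constructed address
    other = "00000001:00A0C9005678"     # constructed address of a different station
    table = ConnectionTable()
    table.connect(7, station)
    results = []
    legit = [RequestPacket(station, 7, n, 0x16) for n in range(2)]
    for p in legit:
        results.append(table.validate(p))
    results.append(table.validate(legit[0]))                      # replayed packet
    results.append(table.validate(RequestPacket(other, 7, 2, 0x16)))  # address mismatch
    results.append(table.validate(RequestPacket(station, 7, 5, 0x16)))  # skipped sequence numbers
    return results


if __name__ == "__main__":
    for accepted, reason in run_scenario():
        print("ACCEPT" if accepted else "REJECT", reason)
```

Note what these checks do and do not establish: every value they compare is carried in the clear in the packet header, so they confirm only that a request is consistent with the server's table for that connection, not who actually sent it. That gap is exactly what the text turns to next.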
In spite of these precautions, it is sometimes possible to forge a message packet by detecting the network address, connection station, the station's connection number, and the station's sequence number. Typically, the purpose in forging a message packet is to “imitate” a higher privileged user or client so that the privilege level of the forger can be upgraded. The forger may obtain a more privileged station's connection number by capturing network packets from the communications medium. These are network packets that are sent from a higher privileged station to the server. A forger may capture these packets using a protocol analysis tool.
By obtaining a connection number, a forger may attempt to forge a message by sending a message to the server destination address, using the same station connection number as in the intercepted message. However, that alone is not sufficient to enable an intruder to forge a message. As noted above, the server checks the sequence number and compares it against a list of already-received requests. The sequence number
