Method and apparatus for identifying a data communications...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

C713S156000, C713S188000

Reexamination Certificate

active

06742126

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to identifying data communications over the Internet. More particularly, the invention relates to a method and apparatus for creating and using unique session identifiers for identifying individual data communications sessions between one apparatus and another.
2. Background
Security on the Internet is important to ensure the integrity of business transactions and the transfer of confidential information. Since existing means of personal identification, such as visual appearance and written signatures, do not transfer directly to Internet transactions, new digital methods of identification must be employed. These new methods must not only provide positive identification; they must themselves be secure, so that interlopers cannot misappropriate the identifying information.
Such identification schemes must be compatible with the protocols for Internet data communications already in existence. For example, the Internet e-mail protocol described in RFC 822, published under the auspices of the Internet Architecture Board, dictates that binary data should not be sent as eight-bit code. That is, the most significant bit (MSB) of each byte of transferred data must have a “0” value or else transmission errors may occur. Common schemes for addressing this issue include transmission as seven-bit ASCII code, base 64 encoding, universal resource locator (URL)-encoding, and hex encoding. These methods, in turn, are limited by considerations such as character compatibility with the underlying message and decoding scheme, bandwidth and data storage requirements, and limitations imposed at the application level. A further consideration is the computational ease of encoding and decoding: a power-of-two encoding such as base 64 can use shift/and operations, while a non-power-of-two encoding such as base 62 must use division/modulus operations.
Identification schemes may also take advantage of existing data transmission methods. Form submission is commonly used to send information from one apparatus or computer to another apparatus or computer. The first computer provides the second computer with on-screen buttons and dialog boxes with which the user of the second computer can enter data. After the data is entered into the second computer, the data is encoded for transmission and sent to the first computer. If the data is relatively short, it may be directly appended to the URL in the header of the message to the first computer, separated by a “?”. Data following the “?” is known as the query string, which is often limited in length because of the input buffer size of many servers. This method is known as GET mode. In an alternative method known as POST mode, longer data is sent in the body of the message to the first computer. Since information sent via either the GET or the POST method is usually primarily text, these transmissions are typically URL-encoded.
Data transmission sessions between computers may use GET or POST transmitted data to identify a particular data communications session. For example, an external computer or client may submit its identifying information by GET mode, and the URL-encoded identifying information may be appended to the URL for the duration of the session. This URL-encoded identifying information is then passed between the computers for the duration of the session.
There are shortcomings to this technique. For example, when identifying information is not adequately modified before being used to identify a session, the identification may not be unique to a session. In this case, if two computers submit identical identifying information during overlapping sessions, the URL-encoded identifying information will also be identical, and a host computer or server will not be able to differentiate between the external computers.
Another shortcoming is that URL-encoding is inefficient for non-text characters. While letters and digits are encoded with one byte per character, other characters require three bytes. Thus, if the URL-encoded identifying information does not consist almost exclusively of letters and digits, it will require extra bandwidth and storage capacity. In some cases, URL-encoding may undesirably truncate or otherwise limit the identifying information.
The method and apparatus of this invention overcome these shortcomings.
BRIEF DESCRIPTION OF THE INVENTION
A method and apparatus for using a session identifier to identify a specific data communications session between an apparatus and an external apparatus is disclosed. When a data communications session is initiated between the apparatus and an external apparatus, the external apparatus sends authenticating information to the apparatus. The apparatus uses the authenticating information to determine the identity and the privileges of the external apparatus for the particular session. A unique session identifier is created by the apparatus, and the session identifier is associated with the external apparatus's identity and privileges. The session identifier is passed between the apparatus and the external apparatus with each subsequent data communication in the session until the session is terminated. The apparatus uses the session identifier received with the data communications to identify the external apparatus and its privileges and allocate resources accordingly. The session identifier is encoded using a six-bit code, thereby making it compatible with the Internet e-mail protocol, while also optimizing data compression. The encoded session identifier may be transmitted by appending it to a URL like a query string.
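As an added illustration that is not part of the patent text, the following Python sketches both the encoding contrast drawn in the background (a six-bit encoder using only shift/and beside a base-62 encoder that needs divmod, with a size comparison against URL percent-encoding) and the session flow of the brief description (a host-side table that mints an unpredictable session identifier, binds it to the client's identity and privileges, and resolves it from a query string). The names SessionTable, encode6, encode62 and the "sid" query parameter are assumptions of this example.

```python
import secrets
from urllib.parse import parse_qs, quote

# Six-bit alphabet of the URL-safe base64 variant: every symbol is 7-bit ASCII
# (MSB clear) and survives a URL query string without percent-escaping.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

def encode6(data: bytes) -> str:
    """Pack bytes into six-bit symbols using shift/and only (power-of-two radix)."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc = (acc << 8) | b
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append(ALPHABET[(acc >> nbits) & 0x3F])
    if nbits:  # flush the partial last symbol, zero-padded on the right
        out.append(ALPHABET[(acc << (6 - nbits)) & 0x3F])
    return "".join(out)

def encode62(data: bytes) -> str:
    """Base 62 is not a power of two, so each symbol costs a division/modulus."""
    n, out = int.from_bytes(data, "big"), []
    while n:
        n, r = divmod(n, 62)
        out.append(ALPHABET[r])  # first 62 symbols of ALPHABET are alphanumeric
    return "".join(reversed(out)) or ALPHABET[0]

def url_encoded_size(data: bytes) -> int:
    """Length of the same bytes percent-encoded: three chars per non-alphanumeric byte."""
    return len(quote(data, safe=""))

class SessionTable:
    """Host side: mint one identifier per authenticated client and map it back to
    the identity and privileges granted for that session (assumed design)."""
    def __init__(self, id_bytes: int = 16):
        self._id_bytes = id_bytes
        self._sessions = {}  # session identifier -> (identity, privileges)

    def create(self, identity: str, privileges: set) -> str:
        # Random bytes from a CSPRNG, not the client's own identifying data, so two
        # clients presenting identical credentials still get distinct, unguessable ids.
        sid = encode6(secrets.token_bytes(self._id_bytes))
        self._sessions[sid] = (identity, frozenset(privileges))
        return sid

    def resolve(self, query_string: str):
        sid = parse_qs(query_string.lstrip("?")).get("sid", [None])[0]
        return self._sessions.get(sid)  # None for unknown or terminated sessions

    def terminate(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```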


