WO2000068814A9 - Transient network architecture - Google Patents

Transient network architecture

Info

Publication number
WO2000068814A9
WO2000068814A9 PCT/US2000/012505 US0012505W WO0068814A9 WO 2000068814 A9 WO2000068814 A9 WO 2000068814A9 US 0012505 W US0012505 W US 0012505W WO 0068814 A9 WO0068814 A9 WO 0068814A9
Authority
WO
WIPO (PCT)
Prior art keywords
node
intermediate node
encrypted
destination
destination address
Prior art date
Application number
PCT/US2000/012505
Other languages
French (fr)
Other versions
WO2000068814A1 (en
Inventor
Jay E Mork
Robert J Wellington
Willie A Castile
Original Assignee
Gen Dynamics Inf Systems Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gen Dynamics Inf Systems Inc filed Critical Gen Dynamics Inf Systems Inc
Priority to AU47067/00A priority Critical patent/AU4706700A/en
Publication of WO2000068814A1 publication Critical patent/WO2000068814A1/en
Publication of WO2000068814A9 publication Critical patent/WO2000068814A9/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/48Message addressing, e.g. address format or anonymous messages, aliases
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles

Definitions

  • the present invention relates to a transient network architecture to facilitate private communication between users, and more particularly, to a communication system capable of transmitting messages between two users over a publicly available network without disclosing to eavesdroppers the true network location of the source and destination of the message.
  • IP internet protocol
  • the network must know where the message is to be delivered in order to route it through the system.
  • the system also must know the source of the message in order to send acknowledgments, request retransmission of the message if necessary, etc.
  • each message routed through the system includes information from which the location of, and association between, the source and destination nodes can be determined. In most commercial applications, this poses no problem.
  • Military communications of a secret nature typically are transmitted over private networks that use off-line data encryption devices to secure data.
  • Teledesic uses hundreds of low earth orbit satellites to facilitate communications between users.
  • a first user can send a message on an appropriate radio frequency to one of the Teledesic satellites for ultimate delivery to a second user.
  • the Teledesic system forwards the message to a Teledesic network operations center, which in turn, forwards the message to an appropriate satellite that can transmit the message to the equipment of the second user.
  • an eavesdropper By intercepting the RF uplink and downlink signals localized to a particular geographic region, an eavesdropper can capture and identify the actual data packets associated with particular end-user nodes.
  • the RF link cannot be encrypted because important Teledesic control and routing information must be exposed to the orbiting satellites. Even though end users will be able to encrypt the data payload before passing packets to the Teledesic network, this will not be sufficient to hide the addresses.
  • the present invention is a communication system that uses a transient network architecture to achieve the foregoing objectives.
  • the system transmits messages from a first user at a source node to a second user at a destination node.
  • the system uses a public network, such as the Internet or
  • the system includes many geographically scattered transient network nodes that together form a virtual network that "piggy-backs" on the public telecommunications network.
  • Encrypted messages can be securely routed from the source node through a public network to a first intermediate destination that is a transient network node.
  • the first intermediate node then forwards the message through the public network to a second transient network node. This process can be continued for as many "hops" as necessary or desired for security reasons.
  • Eventually the message is directed to a node (which can be the second intermediate node) knowing the true location of the intended recipient user at the destination node. This node can forward the message to the destination user.
  • the system advantageously hides the source and destination information from eavesdroppers.
  • An eavesdropper on the public network can at best only determine the starting node and ending node for a particular "hop" in the path followed by the message. While theoretically, this would yield information to the eavesdropper, the system also includes the ability for each of the nodes in the transient network, and preferably each of the user nodes as well, to generate random meaningless messages to be sent to random nodes.
  • an eavesdropper would detect many messages being transmitted from node to node, but would have no way of identifying which ones are "real" messages.
  • the real and meaningless messages also can be arbitrarily padded with additional space to make it more difficult for an eavesdropper to determine how much information is being transmitted.
  • the source user sends to any first intermediate node over the public network through a NPN (Virtual Private Network) tunnel an encrypted message containing the data and intended destination, which can be an alias address for the destination user.
  • the message is encrypted in a manner that allows it to be decrypted by the first intermediate node.
  • the first intermediate node makes a policy decision regarding where to send the message next.
  • the first intermediate node may decide to transmit the data message to the second intermediate node, which can be the alias address for the destination user.
  • the first intermediate node forwards the message to the second intermediate node via a NPN tunnel through a public network.
  • the second intermediate node knows how to locate the destination user for this alias address and forwards the data message to the user over the public network through a NPN tunnel.
  • the policy decisions of the intermediate nodes can decide to add one or more additional hops in the path.
  • the algorithm for doing this can be in the policy router in the particular intermediate node and may be known only to that particular intermediate node.
  • the intermediate node can insert another intermediate node into the message's path and forward the information to the newly inserted node rather than to the destination address.
  • the newly inserted node can itself then insert yet another intermediate node, if desired, or can forward the message to the destination address. If desired, the system can place a limit on the number of hops that any message can take.
  • Each part of the message other than the addresses for the current hop is encrypted for security reasons. In this way, an eavesdropper cannot determine any information other than the starting node and ending node for this particular hop in the message's path. Of course, the eavesdropper cannot determine whether the message is a "real" message or how much information it contains.
  • FIG. 1 is a schematic diagram of a transient network architecture in accordance with the present invention
  • FIG. 2 is a schematic diagram of an example of a path through a public network in accordance with the present invention
  • FIG. 3 is a schematic diagram of another example of a path through a public network similar to FIG. 2, but having one or more additional, intermediate nodes in accordance with the present invention.
  • Transient network architecture 100 includes a public network, as shown for example, by Teledesic network 102.
  • Transient network architecture 100 can include other public networks such as the Internet 104 or other commercial carriers, generally designated by reference numeral 106.
  • Transient network nodes 108 Connected to public networks 102-106 are a plurality of transient network nodes 108, only four of which are shown in FIG. 1.
  • Transient network nodes 108 form a virtual network that "piggy-backs" on top of public networks 102-106.
  • Each transient node 108 preferably can be connected to multiple types of networks, such as networks 102-106.
  • Each transient node 108 preferably includes a policy router 110, a mobile agent 1 12, a gateway firewall 1 14 and a remote access server 116.
  • Policy router 110 routes messages to appropriate transient nodes through public networks 102-106 in accordance with the policies contained therein, for example as shown by connections 1 18. Policy router 110 preferably routes messages from one transient node 108 to another transient node 108 through one of the public networks 102-106. Policy router 110 can be a 1600 Series router with load balancing software available from Cisco Systems.
  • Mobile agent 1 12 provides the ability for a virtual end user 120 (two of which are shown in FIG. 1) to have an alias on the public network 102-106.
  • Each virtual end user 120 has a public address to which people can send messages on the public network.
  • the public address is associated with a respective transient node 108.
  • that transient node 108 can transmit the message to the true location of the appropriate virtual end user 120 as indicated by connections 122.
  • Connections 122 can route the message through one of the public networks 102-106.
  • Such users may have real addresses connected to the public network, in addition to having one or more alias addresses.
  • the features of mobile agent 1 12 can be implemented by software known as IOS 12.0(T) provided by Cisco.
  • Gateway firewall 1 14 is a conventional firewall used to protect the transient node network from the public networks 102-106.
  • Gateway firewall 1 14 can be the commercially available Firewall Feature Set sold by Cisco.
  • Remote access server 1 16 can be a NPN server supporting IPsec. Each end user can set up a NPN to a remote access server 1 16 running Point-to- Point-Tunneling Protocol in order to set up a secure tunnel. New packets created by the end user will travel through the encrypted tunnel to remote access server 116. The eventual destination address will not be exposed to public network 102-106.
  • Remote access server 1 16 interfaces with other transient nodes 108.
  • Anonymous VPN users 124 two of which are shown in FIG.
  • transient network node 108 can use dial-up temporary addresses through a public network 102-106 to connect to the transient network via a remote access server 1 16 of a transient network node 108.
  • anonymous users preferably also can dial-up through a public telephone network rather than a VPN.
  • the transient node 108 would include additional equipment such as the 2600 Series available from Cisco, to interface with the telephone line.
  • the transient network architecture also provides for fixed or mobile Internet end users 126, two of which are illustrated in FIG. 1, on the public internet. These end users 126 also can have private addresses in the transient network which are not publicly known outside the community of transient network users.
  • FIG. 2 there is shown a schematic diagram of a path 210 through a public network 102- 106 that can be used in practicing the present invention.
  • a user at a source node 212 desires to send a data message to a second user at a destination node 214.
  • Source node 212 may use node 216 as an alias address and destination node 214 may use node 218 as an alias address.
  • the user wishes to communicate using a public network 102-106. However, the users do not want the public network 102- 106 to carry information relating to the location of the source and destination nodes.
  • the first user at source node 212 creates a connection 220 to an intermediate node 216, which can be a transient node like transient nodes 108 of FIG. 1. If the user at source node 212 has an alias address at node 216, such a connection is readily made.
  • Connection 220 is made using a NPN across a public network 102-106 to access a remote access server (not shown) on intermediate transient node 216.
  • An eavesdropper on connection 220 will only be able to determine that a message has been sent from node 212 to node 216. Although in theory this would yield some information to the eavesdropper, in the preferred embodiment, all of the transient nodes, like node 216, and also preferably, the end user nodes, like nodes 212 and 214, generate random, meaningless messages to obscure traffic patterns.
  • Source node 212 is sending an encrypted data message to the user at destination node 214.
  • the message must be secure and encrypted by the user at node 212 with a code that the user at destination node 214 is capable of decrypting.
  • Source node 212 adds the destination address, such as the alias address at node 218, and the NPN software encrypts the entire packet with a code that intermediate node 216 is capable of decrypting.
  • the entire packet is sent to node 216 over a public network 102-106 using a NPN tunnel.
  • Intermediate node 216 decrypts the destination address.
  • the local policy and the final destination address tell node 216 to transmit the encrypted data message and final destination to intermediate transient node 218.
  • Node 216 knows the message must be routed to node 218 because that is the node at which the destination user's alias address is listed. Node 218 will know how to route the message to the true location of the user at destination node 214.
  • the destination address identifies the ultimate recipient of the data message as either the user at destination node 214 or an alias address by which the user at destination node 214 is known to the source 212.
  • Node 216 encrypts this information such that intermediate node 218 can read it and sends the information to node 218 over connection 224, which is a NPN tunnel through a public network 102-106.
  • a secure telephone would be used.
  • the transient node would also need a voice over IP gateway, such as the Cisco NG200IP telephony voice gateway, that converts voice to data.
  • connections 220 and 222 would be secure voice connections over the telephone network.
  • node 216 may elect to introduce one or more additional intermediate transient nodes for further security purposes. For example, upon receipt of the message from source node 212, intermediate node 216 determines the message ultimately is to be transmitted to intermediate node 218. However, for security policy reasons, which may be programmed, for example, into node 216 and known only to node 216, node 216 may elect to send the message and original destination address to an additional intermediate transient node 226. The destination address will instruct node 226 to forward the message to intermediate node 218, as illustrated, for example, by alternate path 210' in FIG. 3.
  • node 216 sends to node 226 over NP ⁇ connection 228 the original encrypted data message and the destination address.
  • node 226 makes a policy decision whether to forward the message to node 218 over VPN connection 230 or to insert an additional intermediate node instead.
  • node 226 has decided to transmit the message to the destination address, node 218, over VPN connection 230 through a public network 102- 106.
  • Any number of additional intermediate transient nodes may be included between nodes 216 and 218 and any such node may direct an additional intermediate routing of data, selecting encryption codes unique for each intermediate node separately. If desired, the system can be programmed to limit the maximum number of hops that a message can take.
  • the system could be designed to limit the number of hops any message takes to five.
  • an intermediate node such as node 216 selecting node 226, it is important that the message to node 226 additionally identify the ultimate transmission to node 218.
  • One benefit of the present invention is the ability to hide the location of both the source and the destination of a message and also to hide the traffic volume between them.
  • source node 212 needs to know it is transmitting to destination node 214. From the message encrypted by codes decryptable by destination node 214, destination node 214 would normally know it received a message from source node 212.
  • intermediate node 216 may provide a temporary alias address for source node 212 so that the true identity of source node 212 cannot be ascertained, except in the database of intermediate node 216.
  • intermediate node 218 may hold a temporary alias address for destination node 214 so that the true identity of destination node 214 cannot be ascertained except from the database of intermediate node 218.
  • intermediate node 216 does not need to know the true location of the user at destination node 214
  • intermediate node 218 does not need to know the true location of the user at source node 212.
  • intermediate node 226 does not need to know the true location of either the user at source node 212 or the user at destination node 214.
  • a communication system uses a public network to facilitate communication between users while effectively hiding from eavesdroppers on the system the location of the source and destination of any message detected as being conveyed through the public network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A communication system and method allows users to send messages to one another, at least partially over a public network (102-106), while reducing or eliminating the possibility that an eavesdropper on the public network (102-106) can identify the location of the source node (212) and destination node (214) of the message. The system uses a network of transient nodes (108) 'piggy-backed' on a public network (102-106), such as the Internet (104), to route messages over the public network (102-106). The message is bounced through the public networks (102-106) several times, each time with a different wrapper, to reduce or eliminate the possibility that an eavesdropper could track the message from the source node (212) to the destination node (214). The transient nodes (108) can generate random traffic to further thwart the eavesdropper's efforts.

Description

TRANSIENT NETWORK ARCHITECTURE
Background of the Invention
1. Field of the Invention
The present invention relates to a transient network architecture to facilitate private communication between users, and more particularly, to a communication system capable of transmitting messages between two users over a publicly available network without disclosing to eavesdroppers the true network location of the source and destination of the message.
2. Description of the Related Art In recent years, computer communication over networks has become much more prevalent. Users are able to communicate with other users both over private networks, such as intranets, as well as over public networks, such as the Internet.
Public networks using an internet protocol ("IP") require certain information relating to the location (point of attachment to the network) of the user sending the message and the user who is to receive the message. For example, the network must know where the message is to be delivered in order to route it through the system. The system also must know the source of the message in order to send acknowledgments, request retransmission of the message if necessary, etc. Thus, each message routed through the system includes information from which the location of, and association between, the source and destination nodes can be determined. In most commercial applications, this poses no problem.
Military communications of a secret nature typically are transmitted over private networks that use off-line data encryption devices to secure data.
This practice hides all information regarding the transmission including both address and data content. Such private communication networks are costly to create, operate and maintain. It would be desirable, for cost and flexibility purposes, to use public networks to facilitate communications of a secret nature, such as military communications. Such use, however, presents dramatic security concerns. For example, one proposed public network, Teledesic, uses hundreds of low earth orbit satellites to facilitate communications between users. A first user can send a message on an appropriate radio frequency to one of the Teledesic satellites for ultimate delivery to a second user. The Teledesic system forwards the message to a Teledesic network operations center, which in turn, forwards the message to an appropriate satellite that can transmit the message to the equipment of the second user. By intercepting the RF uplink and downlink signals localized to a particular geographic region, an eavesdropper can capture and identify the actual data packets associated with particular end-user nodes. The RF link cannot be encrypted because important Teledesic control and routing information must be exposed to the orbiting satellites. Even though end users will be able to encrypt the data payload before passing packets to the Teledesic network, this will not be sufficient to hide the addresses. Thus, it is possible to monitor traffic on shared packet-switched networks, such as Teledesic, and to determine which end-users are corresponding and how much traffic is flowing between them by using a network protocol analyzer or packet "sniffer" directly attached to a particular network segment. Even without knowing the content of the messages, this traffic flow information can yield a great deal of intelligence. Thus, such messages should not include information that allows an eavesdropper on the public network to determine the network address of the source node or destination node for such messages. In the military context especially, disclosure of such information can have catastrophic consequences. Therefore, it would be desirable to have a communication system that capitalizes on the cost and flexibility advantages of a public network, while protecting the network addresses of the source and destination of the message. These addresses will identify the network locations of the points of attachment of the correspondents. Summarv of the Invention
The present invention is a communication system that uses a transient network architecture to achieve the foregoing objectives. The system transmits messages from a first user at a source node to a second user at a destination node. The system uses a public network, such as the Internet or
Teledesic or even the telephone network, to facilitate the transmission of the message. The system includes many geographically scattered transient network nodes that together form a virtual network that "piggy-backs" on the public telecommunications network. Encrypted messages can be securely routed from the source node through a public network to a first intermediate destination that is a transient network node. The first intermediate node then forwards the message through the public network to a second transient network node. This process can be continued for as many "hops" as necessary or desired for security reasons. Eventually the message is directed to a node (which can be the second intermediate node) knowing the true location of the intended recipient user at the destination node. This node can forward the message to the destination user.
The system advantageously hides the source and destination information from eavesdroppers. An eavesdropper on the public network can at best only determine the starting node and ending node for a particular "hop" in the path followed by the message. While theoretically, this would yield information to the eavesdropper, the system also includes the ability for each of the nodes in the transient network, and preferably each of the user nodes as well, to generate random meaningless messages to be sent to random nodes. Thus, an eavesdropper would detect many messages being transmitted from node to node, but would have no way of identifying which ones are "real" messages. The real and meaningless messages also can be arbitrarily padded with additional space to make it more difficult for an eavesdropper to determine how much information is being transmitted.
The source user sends to any first intermediate node over the public network through a NPN (Virtual Private Network) tunnel an encrypted message containing the data and intended destination, which can be an alias address for the destination user. The message is encrypted in a manner that allows it to be decrypted by the first intermediate node. The first intermediate node makes a policy decision regarding where to send the message next. In a simple example, the first intermediate node may decide to transmit the data message to the second intermediate node, which can be the alias address for the destination user. The first intermediate node forwards the message to the second intermediate node via a NPN tunnel through a public network. The second intermediate node knows how to locate the destination user for this alias address and forwards the data message to the user over the public network through a NPN tunnel.
In one embodiment of the invention, the policy decisions of the intermediate nodes can decide to add one or more additional hops in the path. The algorithm for doing this can be in the policy router in the particular intermediate node and may be known only to that particular intermediate node. The intermediate node can insert another intermediate node into the message's path and forward the information to the newly inserted node rather than to the destination address. The newly inserted node can itself then insert yet another intermediate node, if desired, or can forward the message to the destination address. If desired, the system can place a limit on the number of hops that any message can take.
Each part of the message other than the addresses for the current hop is encrypted for security reasons. In this way, an eavesdropper cannot determine any information other than the starting node and ending node for this particular hop in the message's path. Of course, the eavesdropper cannot determine whether the message is a "real" message or how much information it contains.
Description of the Drawings
FIG. 1 is a schematic diagram of a transient network architecture in accordance with the present invention; FIG. 2 is a schematic diagram of an example of a path through a public network in accordance with the present invention; and FIG. 3 is a schematic diagram of another example of a path through a public network similar to FIG. 2, but having one or more additional, intermediate nodes in accordance with the present invention.
Detailed Description of the Preferred Embodiment The present invention prevents end users from broadcasting IP source and destination addresses "in the clear." Referring first to FIG. 1 , there is shown a transient network architecture 100 in accordance with the present invention. Transient network architecture 100 includes a public network, as shown for example, by Teledesic network 102. Transient network architecture 100 can include other public networks such as the Internet 104 or other commercial carriers, generally designated by reference numeral 106.
Connected to public networks 102-106 are a plurality of transient network nodes 108, only four of which are shown in FIG. 1. Transient network nodes 108 form a virtual network that "piggy-backs" on top of public networks 102-106. Each transient node 108 preferably can be connected to multiple types of networks, such as networks 102-106. Each transient node 108 preferably includes a policy router 110, a mobile agent 1 12, a gateway firewall 1 14 and a remote access server 116.
Policy router 110 routes messages to appropriate transient nodes through public networks 102-106 in accordance with the policies contained therein, for example as shown by connections 1 18. Policy router 110 preferably routes messages from one transient node 108 to another transient node 108 through one of the public networks 102-106. Policy router 110 can be a 1600 Series router with load balancing software available from Cisco Systems.
Mobile agent 1 12 provides the ability for a virtual end user 120 (two of which are shown in FIG. 1) to have an alias on the public network 102-106. Each virtual end user 120 has a public address to which people can send messages on the public network. The public address is associated with a respective transient node 108. When a message is received by the transient node 108 with which the public address of virtual end user 120 is associated, that transient node 108 can transmit the message to the true location of the appropriate virtual end user 120 as indicated by connections 122. Connections 122 can route the message through one of the public networks 102-106. Such users may have real addresses connected to the public network, in addition to having one or more alias addresses. The features of mobile agent 1 12 can be implemented by software known as IOS 12.0(T) provided by Cisco.
Gateway firewall 1 14 is a conventional firewall used to protect the transient node network from the public networks 102-106. Gateway firewall 1 14 can be the commercially available Firewall Feature Set sold by Cisco. Remote access server 1 16 can be a NPN server supporting IPsec. Each end user can set up a NPN to a remote access server 1 16 running Point-to- Point-Tunneling Protocol in order to set up a secure tunnel. New packets created by the end user will travel through the encrypted tunnel to remote access server 116. The eventual destination address will not be exposed to public network 102-106. Remote access server 1 16 interfaces with other transient nodes 108. Anonymous VPN users 124, two of which are shown in FIG. 1, can use dial-up temporary addresses through a public network 102-106 to connect to the transient network via a remote access server 1 16 of a transient network node 108. Although not shown in FIG. 1 , anonymous users preferably also can dial-up through a public telephone network rather than a VPN. In such case, the transient node 108 would include additional equipment such as the 2600 Series available from Cisco, to interface with the telephone line.
The transient network architecture also provides for fixed or mobile Internet end users 126, two of which are illustrated in FIG. 1, on the public internet. These end users 126 also can have private addresses in the transient network which are not publicly known outside the community of transient network users.
Referring now to FIG. 2, there is shown a schematic diagram of a path 210 through a public network 102- 106 that can be used in practicing the present invention. A user at a source node 212 desires to send a data message to a second user at a destination node 214. Source node 212 may use node 216 as an alias address and destination node 214 may use node 218 as an alias address. Because there is no private network directly connecting nodes 212 and 214, the user wishes to communicate using a public network 102-106. However, the users do not want the public network 102- 106 to carry information relating to the location of the source and destination nodes. The first user at source node 212 creates a connection 220 to an intermediate node 216, which can be a transient node like transient nodes 108 of FIG. 1. If the user at source node 212 has an alias address at node 216, such a connection is readily made. Connection 220 is made using a NPN across a public network 102-106 to access a remote access server (not shown) on intermediate transient node 216.
An eavesdropper on connection 220 will only be able to determine that a message has been sent from node 212 to node 216. Although in theory this would yield some information to the eavesdropper, in the preferred embodiment, all of the transient nodes, like node 216, and also preferably, the end user nodes, like nodes 212 and 214, generate random, meaningless messages to obscure traffic patterns.
Source node 212 is sending an encrypted data message to the user at destination node 214. The message must be secure and encrypted by the user at node 212 with a code that the user at destination node 214 is capable of decrypting. Source node 212 adds the destination address, such as the alias address at node 218, and the NPN software encrypts the entire packet with a code that intermediate node 216 is capable of decrypting. The entire packet is sent to node 216 over a public network 102-106 using a NPN tunnel. Intermediate node 216 decrypts the destination address. The local policy and the final destination address tell node 216 to transmit the encrypted data message and final destination to intermediate transient node 218. Node 216 knows the message must be routed to node 218 because that is the node at which the destination user's alias address is listed. Node 218 will know how to route the message to the true location of the user at destination node 214. The destination address identifies the ultimate recipient of the data message as either the user at destination node 214 or an alias address by which the user at destination node 214 is known to the source 212. Node 216 encrypts this information such that intermediate node 218 can read it and sends the information to node 218 over connection 224, which is a NPN tunnel through a public network 102-106. Similarly, intermediate node 218, upon receipt of the message, forwards the encrypted data message to the user at destination node 214 through a public network 102-106 over a NPN connection 222. Alternatively, for a voice call, a secure telephone would be used. To complete a secure voice telephone call from a user, the user and gateway would require a secure telephone device. The transient node would also need a voice over IP gateway, such as the Cisco NG200IP telephony voice gateway, that converts voice to data. In the path illustrated in FIG. 2, connections 220 and 222 would be secure voice connections over the telephone network.
In the transmission of data from intermediate transient node 216 to intermediate transient node 218, node 216 may elect to introduce one or more additional intermediate transient nodes for further security purposes. For example, upon receipt of the message from source node 212, intermediate node 216 determines the message ultimately is to be transmitted to intermediate node 218. However, for security policy reasons, which may be programmed, for example, into node 216 and known only to node 216, node 216 may elect to send the message and original destination address to an additional intermediate transient node 226. The destination address will instruct node 226 to forward the message to intermediate node 218, as illustrated, for example, by alternate path 210' in FIG. 3.
Thus, node 216 sends to node 226 over NPΝ connection 228 the original encrypted data message and the destination address. Now node 226 makes a policy decision whether to forward the message to node 218 over VPN connection 230 or to insert an additional intermediate node instead. In FIG. 3, node 226 has decided to transmit the message to the destination address, node 218, over VPN connection 230 through a public network 102- 106. Any number of additional intermediate transient nodes may be included between nodes 216 and 218 and any such node may direct an additional intermediate routing of data, selecting encryption codes unique for each intermediate node separately. If desired, the system can be programmed to limit the maximum number of hops that a message can take. For example, the system could be designed to limit the number of hops any message takes to five. Where the selection of an intermediate node is made by an intermediate node, such as node 216 selecting node 226, it is important that the message to node 226 additionally identify the ultimate transmission to node 218.
One benefit of the present invention is the ability to hide the location of both the source and the destination of a message and also to hide the traffic volume between them. Ordinarily, source node 212 needs to know it is transmitting to destination node 214. From the message encrypted by codes decryptable by destination node 214, destination node 214 would normally know it received a message from source node 212. However, for purposes of anonymity, intermediate node 216 may provide a temporary alias address for source node 212 so that the true identity of source node 212 cannot be ascertained, except in the database of intermediate node 216. Similarly, intermediate node 218 may hold a temporary alias address for destination node 214 so that the true identity of destination node 214 cannot be ascertained except from the database of intermediate node 218. In FIG. 2, intermediate node 216 does not need to know the true location of the user at destination node 214, and intermediate node 218 does not need to know the true location of the user at source node 212. In FIG. 3, intermediate node 226 does not need to know the true location of either the user at source node 212 or the user at destination node 214.
Thus, a communication system has been described that uses a public network to facilitate communication between users while effectively hiding from eavesdroppers on the system the location of the source and destination of any message detected as being conveyed through the public network.
Whereas the present invention has been described with respect to specific embodiments thereof, it will be understood that various changes and modifications will be suggested to one skilled in the art and it is intended that the invention encompass such changes and modifications as fall within the scope of the appended claims.

Claims

What is claimed is:
1. A communication system, comprising: a source node for sending a data message; a destination node for receiving the data message; a first intermediate node; and a second intermediate node; wherein said source node has a first alias address at said first intermediate node and said destination node has a second alias address at said second intermediate node; wherein said source node is adapted to send to said first intermediate node an encrypted data message and an encrypted destination address corresponding to the second alias address, the encrypted destination address being readable by said first intermediate node; wherein said first intermediate node is adapted to receive the encrypted data message and encrypted destination address, to decrypt the destination address and to send to said second intermediate node the encrypted data message and the encrypted destination address, the destination address being readable by the second intermediate node; and wherein said second intermediate node is adapted to receive the encrypted destination address and to send the encrypted data message to said destination node in accordance with the destination address.
2. The system of claim 1 wherein said first intermediate node is a first transient network node adapted to receive the encrypted data message and the encrypted destination address from over a public network.
3. The system of claim 2 wherein said second intermediate node is a second transient network node adapted to receive the encrypted data message and the encrypted destination address from over a public network.
4. The system of claim 3 wherein each of said first transient network node and said second transient network node comprises a policy router, a mobile agent, a gateway firewall and a remote access server.
5. A method for communicating a data message between two nodes, comprising the steps of:
(a) providing a source node for sending a data message;
(b) providing a destination node for receiving the data message; (c) providing a first intermediate node and a second intermediate node;
(d) connecting the source node and the first intermediate node;
(e) connecting the destination node and the second intermediate node;
(f) sending from the source node to the first intermediate node the data message in encrypted form and a destination address in encrypted form readable by the first intermediate node;
(g) reading the destination address at the first intermediate node;
(h) sending from the first intermediate node to the second intermediate node in accordance with the destination address the data message in encrypted form and the destination address in encrypted form readable by the second intermediate node;
(i) reading the destination address at the second intermediate node;
(j) sending from the second intermediate node to the destination node the data message in encrypted form readable by the destination node; and
(k) reading the data message at the destination node.
6. The method of claim 5 wherein step (c) comprises providing a first transient network node as the first intermediate node and a second transient network node as the second intermediate node.
7. The method of claim 6 wherein the step of providing a first transient network node comprises providing a first transient network node having a policy router, a mobile agent, a gateway firewall and a remote access server.
8. The method of claim 7 wherein the step of providing a second transient network node comprises providing a second transient network node having a policy router, a mobile agent, a gateway firewall and a remote access server.
9. The method of claim 5 wherein step (h) further comprises sending, through at least one additional intermediate node, the data message in encrypted form and the destination address in encrypted form readable at each of the at least one additional intermediate node, prior to the data message and the destination address being received by the second intermediate node.
10. The method of claim 5 wherein step (h) comprises the steps of:
(1) sending from the first intermediate node to a third intermediate node chosen by the first intermediate node the data message in encrypted form and the destination address in encrypted form readable by the third intermediate node; and
(2) sending from the third intermediate node to the second intermediate node the data message in encrypted form and the destination address in encrypted form readable by the second intermediate node.
11. A communication system, comprising: a source node for sending a voice message; a destination node for receiving the voice message; a first intermediate node; and a second intermediate node; wherein said source node has a first alias address at said first intermediate node and said destination node has a second alias address at said second intermediate node; wherein said source node is adapted to send to said first intermediate node an encrypted voice message and an encrypted destination address corresponding to the second alias address, the encrypted destination address being readable by said first intermediate node; wherein said first intermediate node is adapted to receive the encrypted voice message and encrypted destination address, to decrypt the destination address, to convert the voice message to a data message and to send to said second intermediate node the encrypted data message and the encrypted destination address, the destination address being readable by the second intermediate node; and wherein said second intermediate node is adapted to receive the encrypted destination address, to convert the data message to a voice message and to send the encrypted voice message to said destination node in accordance with the destination address.
PCT/US2000/012505 1999-05-06 2000-05-05 Transient network architecture WO2000068814A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU47067/00A AU4706700A (en) 1999-05-06 2000-05-05 Transient network architecture

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13289799P 1999-05-06 1999-05-06
US60/132,897 1999-05-06

Publications (2)

Publication Number Publication Date
WO2000068814A1 WO2000068814A1 (en) 2000-11-16
WO2000068814A9 true WO2000068814A9 (en) 2002-02-21

Family

ID=22456078

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/012505 WO2000068814A1 (en) 1999-05-06 2000-05-05 Transient network architecture

Country Status (2)

Country Link
AU (1) AU4706700A (en)
WO (1) WO2000068814A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014175830A1 (en) * 2013-04-25 2014-10-30 Treebox Solutions Pte Ltd Method performed by at least one server for processing a data packet from a first computing device to a second computing device to permit end-to-end encryption communication

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3827172A1 (en) * 1987-08-13 1989-03-16 Peter Elsner MESSAGE IDENTIFICATION DEVICE
US5285496A (en) * 1992-12-14 1994-02-08 Firstperson, Inc. Methods and apparatus for providing a secure paging system
US5548646A (en) * 1994-09-15 1996-08-20 Sun Microsystems, Inc. System for signatureless transmission and reception of data packets between computer networks
US5640452A (en) * 1995-04-28 1997-06-17 Trimble Navigation Limited Location-sensitive decryption of an encrypted message
US5960086A (en) * 1995-11-02 1999-09-28 Tri-Strata Security, Inc. Unified end-to-end security methods and systems for operating on insecure networks
US5812670A (en) * 1995-12-28 1998-09-22 Micali; Silvio Traceable anonymous transactions
JP3446482B2 (en) * 1996-06-28 2003-09-16 三菱電機株式会社 Encryption device
US5983350A (en) * 1996-09-18 1999-11-09 Secure Computing Corporation Secure firewall supporting different levels of authentication based on address or encryption status
US5822430A (en) * 1996-11-20 1998-10-13 Technical Communications Corporation System for encoding encryption/decryption information into IFF challenges
US6005945A (en) * 1997-03-20 1999-12-21 Psi Systems, Inc. System and method for dispensing postage based on telephonic or web milli-transactions
US6084969A (en) * 1997-12-31 2000-07-04 V-One Corporation Key encryption system and method, pager unit, and pager proxy for a two-way alphanumeric pager network

Also Published As

Publication number Publication date
AU4706700A (en) 2000-11-21
WO2000068814A1 (en) 2000-11-16

Similar Documents

Publication Publication Date Title
KR101514647B1 (en) Apparatus for distributing data traffic in heterogeneous wireless networks
US7509491B1 (en) System and method for dynamic secured group communication
US8533465B2 (en) System and method of encrypting network address for anonymity and preventing data exfiltration
US5410602A (en) Method for key management of point-to-point communications
US6266704B1 (en) Onion routing network for securely moving data through communication networks
US7171493B2 (en) Camouflage of network traffic to resist attack
CN101682656B (en) Method and apparatus for protecting the routing of data packets
US6081600A (en) Method and apparatus for signaling privacy in personal communications systems
US20060182103A1 (en) System and method for routing network messages
US20070294407A1 (en) Method, system, and computer program product for a relay server
US20220278970A1 (en) Anonymous communication over virtual, modular and distributed satellite communications network
US20090059837A1 (en) System and method for management and administration of repeaters and antenna systems
CA2527550A1 (en) Method for securely associating data with https sessions
EP1133854A1 (en) Method and system for securing data objects
JP2003101523A (en) Communication network system and communication method having concealment function
Fasbender et al. Analysis of security and privacy in mobile IP
JP4752064B2 (en) Communication system on public line for restricting access, terminal connection device and server connection restriction device
ES2891359T3 (en) Data transmission device and procedure
WO2012024905A1 (en) Method, terminal and ggsn for encrypting and decrypting data in mobile communication network
WO2000068814A9 (en) Transient network architecture
Al-Muhtadi et al. Routing through the mist: design and implementation
Demirol et al. An android application to secure text messages
JP2007281918A (en) Communication system on public line for performing access restriction, terminal connection apparatus, and server connection restriction apparatus
US20240163661A1 (en) Methods, systems, and computer readable media for securing sensitive data to be transmitted in 5g and subsequent generation networks
JP4752062B2 (en) Terminal connection device and server connection restriction device on public line for performing access restriction

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: C2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: C2

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

COP Corrected version of pamphlet

Free format text: PAGES 1/2-2/2, DRAWINGS, REPLACED BY NEW PAGES 1/2-2/2; DUE TO LATE TRANSMITTAL BY THE RECEIVING OFFICE

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP