WO2002041101A9 - Method and system for transmitting data with enhanced security that conforms to a network protocol - Google Patents
- Publication number
- WO2002041101A9 (PCT/US2001/043087)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- identifier
- encryption key
- segments
- encoding
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
- H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
- H04L69/322—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
- H04L69/329—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Definitions
- the present invention relates to a method and system for transmitting data with enhanced security, and more particularly, to a method and system for encoding encrypted and unencrypted data to conform to a network protocol.
- the Internet continues to grow in popularity as an easy-to-use and effective medium for transmitting information. As the number of users of the Internet grows and as the amount of information transmitted continues to grow, the efficient and secure transmission of information has become a concern for many users.
- Networks, which are channels for carrying data segments, are configured to operate in accordance with one or more network protocols.
- the protocol enables different devices attached to the network or in communication with the network to exchange data.
- Hypertext Transfer Protocol (HTTP) is one of the most commonly used network protocols for transmitting data across the Internet.
- Other common network protocols include File Transfer Protocol (FTP), Simple Mail Transfer protocol (SMTP), and Secure HTTP (SHTTP).
- FTP File Transfer Protocol
- SMTP Simple Mail Transfer protocol
- SHTTP Secure HTTP
- the most popular protocols in the Internet environment transmit data in a URL-encoded format that requires significant bandwidth or transmission capacity. Therefore, it would be advantageous to provide a method and system for transmitting the same amount of information using fewer bytes over existing networks.
- SSL Secure Socket Layer
- the present invention is directed to a method and system for the efficient and secure transmission of data over a wide area network that substantially obviates one or more of the problems due to limitations and disadvantages of the related art.
- One object of the present invention is to provide a method and system for reducing the network capacity required by transmitting information in unsupported formats using existing network protocols.
- Another object of the present invention is to provide a method and system for encrypting and encoding binary data to conform to particular network protocols.
- a further object of the present invention is to provide a method and system for transmitting data that is compatible with different hardware architectures.
- Yet another object of the present invention is to securely transmit binary data using network protocols that do not support raw binary transmissions.
- Another object of the present invention is to provide a method and system for transmitting encrypted and unencrypted data with enhanced security.
- Another object of the present invention is to enable the transmission of data formats unsupported by existing protocols that does not require additional network administrative resources. Additional objects and advantages of the invention will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
- a method for transmitting data with enhanced security that conforms to a network protocol comprises providing data segments including a first data segment having encrypted data, an unencrypted packet identifier identifying the encrypted data, an unencrypted data identifier associated with an encryption key used to encrypt the encrypted data in the first data segment, and a fourth data segment having data to verify the integrity of transmission; encoding the data segments to conform to a network protocol; transmitting the data segments and the encryption key; receiving and decoding the data segments; and decrypting the encrypted data using the encryption key that corresponds to the data identifier.
- the present invention provides a system for transmitting data with enhanced security that conforms to a network protocol that includes means for encrypting data with an encryption key and associating a data identifier with the encryption key; means for associating a packet identifier with the encrypted data; means for encoding the packet identifier, data identifier, and data into a format compatible with a network protocol; means for receiving and decoding the packet identifier, data identifier, and data; and means for retrieving the encryption key that corresponds to the data identifier and decrypting the data.
- FIG. 1 is a schematic diagram of an exemplary client/server environment
- FIG. 2 is a schematic diagram showing one embodiment of the wrapper protocol system as an interface between a user and application layer of a network
- FIG. 3 conceptually illustrates a protocol system in the context of the TCP/IP protocol suite
- FIG. 4 shows an embodiment of the present invention as an end-to-end client/server protocol system
- FIG. 5 shows the data segments utilized by one embodiment of the present invention
- FIG. 6 is a flow diagram for securely transmitting and receiving data according to one embodiment of the present invention.
- FIG. 7 shows a flow diagram of one embodiment of the present invention for securely transmitting data that conforms to HTTP; and FIG. 8 shows an HTTP request message.
- An interface protocol system has application for efficiently and securely transferring data, preferably binary data, between two or more network devices or nodes.
- the protocol system acts as an interface protocol between the user, both human and software, and a particular network protocol.
- the user in this sense includes any computer program operation of a networked device.
- a network device or node can be a computer, Personal Digital Assistant (PDA), mobile phone, set-top box, fax machine, printer, or any device capable of sending and/or receiving data generated by other devices on the network.
- PDA Personal Digital Assistant
- FIG. 1 is a simplified illustration of an exemplary client-server environment, in which features of the present invention may be implemented.
- a client-server environment such as the World Wide Web (the Web)
- Web servers and clients connected to the Internet 120, communicate using a protocol such as Hypertext Transfer Protocol (HTTP).
- HTTP Hypertext Transfer Protocol
- An exemplary Web server 130 that includes a server engine 150, various Web pages 140, and a content database 160, receives HTTP requests from various client systems 100.
- Using a Web browser 110 such as Netscape Navigator™ or Internet Explorer™, the user requests access to Web pages 140 identified by a URL (Uniform Resource Locator).
- URL Uniform Resource Locator
- the Web server 130 responds to the request and/or other queries by providing the requested Web pages 140 to the client system 100.
- the pages are typically in the form of a text document coded in a standard language such as Hypertext Markup Language (HTML).
- HTML Hypertext Markup Language
- one or more clients of different hardware architecture can use the services of one server 130.
- FIG. 2 shows a conceptual illustration of the protocol system 210 as an interface protocol between the user 200, whether human or software, and the applications layer 220 of a network.
- TCP/IP Transmission Control Protocol/Internet Protocol
- the layered framework of a network system allows communications across all types of computer systems.
- the protocols of the applications layer 220 determine the data formats for transmitting data. Because many application protocols 220 and proxy servers do not support binary transmissions, the system of the present invention provides an interface protocol 210 for transmitting data, including binary data, that would otherwise not necessarily be supported by one of the available application protocols 220.
- the protocol system of the present invention encrypts and encapsulates the data in a manner that provides enhanced security in comparison with existing application protocols 220.
- FIG. 3 shows one embodiment of the present invention in the context of the layered design of the Internet.
- the protocol system of the present invention 210 acts as an interface between the user 200, whether human or software, and the following application layer protocols 220, which run on top of TCP/IP: HTTP 310, FTP 320, SMTP 330, and SHTTP 340.
- HTTP 310 Hypertext Transfer Protocol
- FTP 320 File Transfer Protocol
- SMTP 330 Simple Mail Transfer Protocol
- SHTTP 340 Secure HTTP
- the protocol system 200 provides for the encryption and encoding of any data type
- the preferred embodiment of the present invention is adapted for transmitting binary data.
- the input data of an HTML form is transmitted as URL-encoded data using HTTP or SSL.
- Using binary data to represent the answers to the 100 questions, the data packet size would be significantly reduced. For example, a single bit could represent each yes/no answer.
- the system of the present invention reduces the amount of data that must be transmitted by encoding binary data into a URL-encoded format supported by the most popular application protocols 220 of the Internet. While the preferred embodiment of the invention is adapted for transmitting binary data over the Internet, the invention is equally applicable to other wide area networks.
- the protocol system of the present invention functions as an end-to-end client/server protocol.
- the protocol system installed at a client 100 and a server 130, connected to the Internet 410, enables the secure transfer of binary data using HTTP.
- one embodiment of the protocol system 400 serves as a protocol interface for encrypting and preparing binary data in a format that conforms to HTTP.
- the data is transferred to the server 130, where one embodiment of the protocol system 420 decodes and decrypts the data, thereby restoring it to its original binary state. While the preferred embodiment of the invention discloses transferring binary data from a client to a server, one skilled in the art will appreciate that the present invention is operable for transmitting binary data between any networked devices, including computers, PDAs, printers, fax machines, and mobile telephones.
- the method and system of the present invention include four data segments 500 or portions shown in FIG. 5.
- the unencrypted, ASCII packet identifier 510 indicates the type of data encrypted in the third segment 530.
- the unencrypted, binary data identifier 520 is used to identify the encryption key used to encrypt the data contained in the third data segment 530.
- the fourth data segment 540 includes data to verify the integrity of transmission.
- raw binary data is preferably encrypted at 600 with the Data Encryption Standard (DES).
- DES Data Encryption Standard
- a data identifier 520, preferably unencrypted and in a binary format, is associated with the encryption key used in the encryption process 600.
- an unencrypted and character-based packet identifier 510 identifies the data segments 500 as having been encoded according to the protocol of the present invention.
- the packet identifier 510 also indicates the type of data (e.g. binary) encrypted at 600.
- the packet identifier 510 may also include data to indicate the type of computer system that was used to prepare and transmit the data segments 500. Then, when the data segments 500 are later received and decoded, the protocol system can determine whether the data should be converted to a format compatible with the recipient's computer system (e.g. big-endian to little-endian). Therefore, the system of the present invention is compatible with different computer systems including, but not limited to, Macintosh™, IBM-PC compatibles, and SUN Solaris™ servers.
- a fourth data segment utilized by the protocol system is created at 630 to include data integrity checks 540 or codes for verifying the integrity of the data after transmission.
- the system of the present embodiment includes a cyclic redundancy check (CRC) and an internal data integrity code.
- CRC cyclic redundancy check
- the data segments 500 at step 640 are encoded to conform to a particular network protocol. This usually entails converting the encrypted binary data and the binary data identifier into an ASCII or URL-encoded format. The non-binary data segments are also converted into a format supported by a particular application protocol 220.
- the data segments 500 are transmitted according to the standards of the application protocol 220.
- the encryption key is sent, preferably off-line, to the recipient of the data transmission.
- the recipient network device receives the data transmission and decodes the data segments 500 at 660. Using the data identifier 520, the recipient retrieves the appropriate encryption key 670 and decrypts the binary data 680.
- the present embodiment includes the encryption 600 of binary data 700 and the assembly and encoding 640 of four data segments 500 into a standard HTTP format 720.
- the data segments 500 of the present invention alternatively can be encoded 640 for other network protocols 220 including, but not limited to, the FTP, SHTTP, and SMTP protocols.
- Both binary data segments, the data identifier 520 and the encrypted binary data 530, are converted to a URL-encoded format.
- the four data segments are configured or arranged such that the data segments conform to a standard HTTP method.
- FIG. 7 illustrates the data segments 500 encoded at 640 into a "pair value" format 720 compatible with standard HTTP GET/POST methods.
- HTTP is mainly used to access and retrieve URL-named resources on the Web.
- An HTTP client/server session consists of a single request/response interchange.
- the client initializes a connection to a remote server by sending a request message.
- the server processes the request, returns a response message to the client, and closes the connection.
- the request message 800 shown in FIG. 8, consists of a request line 810, one or more optional headers 820, and an optional entity body 840.
- the entity body 840 is preceded by a blank line 830.
- Methods (or commands) from the client to the server are included in the request line 810 of the request message 800.
- Common HTTP methods are GET, which retrieves identified information, and POST, which requests the server to accept the entity body 840 enclosed in the request 800.
- a client can send an HTML form's data to the specified URL.
- the present embodiment of the invention encodes 640 and configures the data segments 500 of FIG. 7 into a "pair value" format 720.
- input data from an HTML form is collected by the user's browser and transmitted to a Web server.
- the input data contained in one or more data entry fields of an HTML page, is sent to the Web server by invoking an HTTP method.
- Each "pair value" is URL-encoded by changing spaces into pluses and by encoding some characters into hexadecimal.
- the data segments 500 would take the following format:
- the Web browser invokes an HTTP GET or POST method and transmits the data to the server.
- When the GET method is used, the "pair values" are appended to the URL.
- When the POST method is used, the "pair values" are sent in the body 840 of the request message 800.
- the server receives and parses the HTTP request message 800, which preferably includes the name of a Common Gateway Interface (CGI) program.
- CGI Common Gateway Interface
- the server recognizes the POST method and initiates communication with the CGI program.
- the message body is transmitted to the CGI program, which parses the message containing the "pair values."
- the present embodiment of the protocol system then decodes the data segments 500 into their original data formats, retrieves the encryption key associated with the data identifier, and decrypts the binary data.
- While the present embodiment of the invention is discussed in the context of a Web browser plug-in, in alternative embodiments the system is implemented as a stand-alone application or as an enhancement to an existing software application.
- the protocol system can be used to facilitate the transfer of data along a network path.
- Instead of providing an interface protocol between two end nodes of a network, the wrapper protocol system can alternatively be implemented to receive data according to the protocol system of the present invention and forward it to another network device. At the intermediate network device, the data can also be manipulated before being forwarded along to an end user.
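The four-segment packet of FIG. 5 and its "pair value" HTTP encoding described above, worked through as an added example in Go; this is not code from the patent or its applicant. Everything the description leaves open is an assumption here: the form field names (pid, kid, data, crc), the packet identifier string WRAP1/bin/LE carrying a protocol tag, the payload type and the sender's byte order, a four-byte data identifier, DES in CBC mode with a fresh IV sent ahead of the ciphertext, and CRC-32 over the other three segments as the integrity code. The key table stands in for the off-line key delivery.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"net/url"
	"strings"
)

// Form field names are this example's assumption; the patent leaves them unnamed.
const (
	fieldPacketID = "pid"  // segment 510: unencrypted ASCII packet identifier
	fieldKeyID    = "kid"  // segment 520: unencrypted binary data identifier
	fieldPayload  = "data" // segment 530: DES-encrypted binary data
	fieldCheck    = "crc"  // segment 540: transmission integrity check
)

const packetIdentifier = "WRAP1/bin/LE" // assumed layout: tag, payload type, sender byte order
type KeyStore map[uint32][]byte         // stands in for keys delivered off-line, by data identifier

func cipherFor(keys KeyStore, keyID uint32) (cipher.Block, error) {
	key, ok := keys[keyID]
	if !ok {
		return nil, errors.New("unknown key identifier")
	}
	return des.NewCipher(key) // single DES only because the description specifies it
}

// crcOf is the segment-540 integrity code: CRC-32 over the other three segments.
func crcOf(pid string, kid, body []byte) string {
	return fmt.Sprintf("%08x", crc32.ChecksumIEEE(append(append([]byte(pid), kid...), body...)))
}

// Encode builds the four segments and URL-encodes them as HTTP "pair values".
func Encode(keys KeyStore, keyID uint32, plain []byte) (string, error) {
	block, err := cipherFor(keys, keyID)
	if err != nil {
		return "", err
	}
	iv := make([]byte, des.BlockSize)
	rand.Read(iv) // fresh IV per packet; never returns an error as of Go 1.24
	n := des.BlockSize - len(plain)%des.BlockSize // PKCS#7 padding to a whole block
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...) // IV travels in front of the ciphertext
	kid := make([]byte, 4)
	binary.LittleEndian.PutUint32(kid, keyID) // the byte order named in the identifier
	v := url.Values{}
	v.Set(fieldPacketID, packetIdentifier)
	v.Set(fieldKeyID, string(kid))    // raw bytes: Encode() percent-escapes them
	v.Set(fieldPayload, string(body)) // and turns spaces into pluses
	v.Set(fieldCheck, crcOf(packetIdentifier, kid, body))
	return v.Encode(), nil
}

// Decode checks the CRC, resolves the key by data identifier (read in the sender's byte order) and decrypts.
func Decode(keys KeyStore, form string) ([]byte, error) {
	v, err := url.ParseQuery(form)
	if err != nil {
		return nil, err
	}
	pid, kid, body := v.Get(fieldPacketID), []byte(v.Get(fieldKeyID)), []byte(v.Get(fieldPayload))
	switch {
	case !strings.HasPrefix(pid, "WRAP1/"):
		return nil, errors.New("not a wrapper-protocol packet")
	case v.Get(fieldCheck) != crcOf(pid, kid, body):
		return nil, errors.New("integrity check failed")
	case len(kid) != 4 || len(body) < 2*des.BlockSize || len(body)%des.BlockSize != 0:
		return nil, errors.New("malformed segment lengths")
	}
	var order binary.ByteOrder = binary.BigEndian // convert if the sender's byte order differs
	if strings.HasSuffix(pid, "/LE") {
		order = binary.LittleEndian
	}
	block, err := cipherFor(keys, order.Uint32(kid))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-des.BlockSize)
	cipher.NewCBCDecrypter(block, body[:des.BlockSize]).CryptBlocks(pt, body[des.BlockSize:])
	n := int(pt[len(pt)-1]) // strip and verify the padding
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

func main() {
	keys := KeyStore{7: []byte("8bytekey")}                    // constructed sample key, data identifier 7
	form, _ := Encode(keys, 7, []byte{0xB5, 0x01, 0x00, 0xFF}) // constructed packed yes/no answers
	plain, err := Decode(keys, form)
	fmt.Printf("%s\n%x %v\n", form, plain, err)
}
```

Running it prints one encoded form, with the four pairs in sorted key order (crc, data, kid, pid) and the binary segments percent-escaped, followed by the recovered bytes. Two points for anyone evaluating this design: the CRC catches accidental corruption only, since anyone able to alter the payload can recompute it, so protection against deliberate modification needs a keyed MAC over the segments; and single DES has a 56-bit key and is obsolete, so a current implementation would substitute AES without changing the segment layout.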
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Communication Control (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2002239252A AU2002239252A1 (en) | 2000-11-15 | 2001-11-14 | Method and system for transmitting data with enhanced security that conforms to a network protocol |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US71193200A | 2000-11-15 | 2000-11-15 | |
US09/711,932 | 2000-11-15 | | |
Publications (3)
Publication Number | Publication Date |
---|---|
WO2002041101A2 WO2002041101A2 (en) | 2002-05-23 |
WO2002041101A3 WO2002041101A3 (en) | 2003-03-13 |
WO2002041101A9 true WO2002041101A9 (en) | 2003-05-30 |
Family
ID=24860094
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2001/043087 WO2002041101A2 (en) | 2000-11-15 | 2001-11-14 | Method and system for transmitting data with enhanced security that conforms to a network protocol |
Country Status (2)
Country | Link |
---|---|
AU (1) | AU2002239252A1 (en) |
WO (1) | WO2002041101A2 (en) |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4734585B2 (en) * | 2001-09-28 | 2011-07-27 | ハイ デンスィティ デバイスィズ アクシエセルスカプ | Method and apparatus for data encryption / decryption in mass storage device |
GB2384663B (en) * | 2002-01-25 | 2004-12-29 | Actix Ltd | Data transmission systems |
JP2004056174A (en) * | 2002-07-16 | 2004-02-19 | Sharp Corp | Code structure and code reading terminal |
US7512972B2 (en) * | 2002-09-13 | 2009-03-31 | Sun Microsystems, Inc. | Synchronizing for digital content access control |
US7913312B2 (en) | 2002-09-13 | 2011-03-22 | Oracle America, Inc. | Embedded content requests in a rights locker system for digital content access control |
US6987481B2 (en) | 2003-04-25 | 2006-01-17 | Vega Grieshaber Kg | Radar filling level measurement using circularly polarized waves |
US7894607B1 (en) * | 2006-03-10 | 2011-02-22 | Storage Technology Corporation | System, method and media drive for selectively encrypting a data packet |
CN102624526A (en) * | 2011-11-28 | 2012-08-01 | 苏州奇可思信息科技有限公司 | Simple identity authentication method for file transfer protocol (FTP) |
US9258117B1 (en) | 2014-06-26 | 2016-02-09 | Amazon Technologies, Inc. | Mutual authentication with symmetric secrets and signatures |
US10142301B1 (en) * | 2014-09-17 | 2018-11-27 | Amazon Technologies, Inc. | Encrypted data delivery without intervening decryption |
US9621520B2 (en) * | 2015-03-19 | 2017-04-11 | Cisco Technology, Inc. | Network service packet header security |
US10122689B2 (en) | 2015-06-16 | 2018-11-06 | Amazon Technologies, Inc. | Load balancing with handshake offload |
US10122692B2 (en) | 2015-06-16 | 2018-11-06 | Amazon Technologies, Inc. | Handshake offload |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6377691B1 (en) * | 1996-12-09 | 2002-04-23 | Microsoft Corporation | Challenge-response authentication and key exchange for a connectionless security protocol |
US6049608A (en) * | 1996-12-31 | 2000-04-11 | University Technology Corporation | Variable length nonlinear feedback shift registers with dynamically allocated taps |
US6134591A (en) * | 1997-06-18 | 2000-10-17 | Client/Server Technologies, Inc. | Network security and integration method and system |
US6098108A (en) * | 1997-07-02 | 2000-08-01 | Sitara Networks, Inc. | Distributed directory for enhanced network communication |
2001
- 2001-11-14 AU AU2002239252A patent/AU2002239252A1/en not_active Abandoned
- 2001-11-14 WO PCT/US2001/043087 patent/WO2002041101A2/en not_active Application Discontinuation
Also Published As
Publication number | Publication date |
---|---|
AU2002239252A1 (en) | 2002-05-27 |
WO2002041101A2 (en) | 2002-05-23 |
WO2002041101A3 (en) | 2003-03-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6502191B1 (en) | Method and system for binary data firewall delivery | |
KR100561496B1 (en) | Method and apparatus for networked information dissemination through secure transcoding | |
JP4813006B2 (en) | Secure packet-based data broadcasting architecture | |
US9619632B2 (en) | System for providing session-based network privacy, private, persistent storage, and discretionary access control for sharing private data | |
US5657390A (en) | Secure socket layer application program apparatus and method | |
US6516411B2 (en) | Method and apparatus for effecting secure document format conversion | |
US7533260B2 (en) | Method and apparatus for encoding and storing session data | |
US6442687B1 (en) | System and method for secure and anonymous communications | |
US7305548B2 (en) | Using atomic messaging to increase the security of transferring data across a network | |
US6212640B1 (en) | Resources sharing on the internet via the HTTP | |
HU223910B1 (en) | Method of transmitting information data from a sender to a reciever via a transcoder, method of transcoding information data, method of receiving transcoded information data, sender, receiver and transcoder | |
EP2273393A2 (en) | Method and apparatus for communicating information over low bandwidth communications networks | |
US10601897B2 (en) | Transfer of files with arrays of strings in SOAP messages | |
WO2002039286A1 (en) | Encoding of universal resource locators in a security gateway to enable manipulation by active content | |
US20030145229A1 (en) | Secure end-to-end notification | |
WO2002041101A9 (en) | Method and system for transmitting data with enhanced security that conforms to a network protocol | |
US20040088539A1 (en) | System and method for securing digital messages | |
WO1998013970A1 (en) | A system and method for securely transferring plaindata from a first location to a second location | |
WO2002046861A2 (en) | Systems and methods for communicating in a business environment | |
Kugler et al. | Internet printing protocol (IPP) encoding and transport | |
Kristol | FP D229 973-360-8648 bala@ research. att. com HA6163000-981207-01TM | |
WO2002045335A1 (en) | System and method for secure and anonymous communications | |
AU2002213673A1 (en) | Encoding of universal resource locators in a security gateway to enable manipulation by active content |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A2; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A2; Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| COP | Corrected version of pamphlet | Free format text: PAGES 1/8-8/8, DRAWINGS, REPLACED BY NEW PAGES 1/8-8/8 |
| REG | Reference to national code | Ref country code: DE; Ref legal event code: 8642 |
| 32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established | Free format text: COMMUNICATION UNDER RULE 69 EPC ( EPO FORM 1205A DATED 29/09/03 ) |
| 122 | Ep: pct app. not ent. europ. phase | |
| NENP | Non-entry into the national phase in: | Ref country code: JP |
| WWW | Wipo information: withdrawn in national office | Country of ref document: JP |