WO2015177789A1 - A method for establishing a secure private interconnection over a multipath network - Google Patents

A method for establishing a secure private interconnection over a multipath network Download PDF

Info

Publication number
WO2015177789A1
WO2015177789A1 PCT/IL2015/050528 IL2015050528W WO2015177789A1 WO 2015177789 A1 WO2015177789 A1 WO 2015177789A1 IL 2015050528 W IL2015050528 W IL 2015050528W WO 2015177789 A1 WO2015177789 A1 WO 2015177789A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
shares
network
secret
destination
Prior art date
Application number
PCT/IL2015/050528
Other languages
French (fr)
Other versions
WO2015177789A8 (en
Inventor
Shlomi Dolev
Shimrit Tzur-David
Original Assignee
B. G. Negev Technologies And Application Ltd., At Ben-Gurion Universitiy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by B. G. Negev Technologies And Application Ltd., At Ben-Gurion Universitiy filed Critical B. G. Negev Technologies And Application Ltd., At Ben-Gurion Universitiy
Priority to EP15796374.5A priority Critical patent/EP3146668A4/en
Priority to US15/311,911 priority patent/US10356054B2/en
Priority to CN201580039555.XA priority patent/CN107078898A/en
Publication of WO2015177789A1 publication Critical patent/WO2015177789A1/en
Publication of WO2015177789A8 publication Critical patent/WO2015177789A8/en
Priority to US16/381,055 priority patent/US11595359B2/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/12Shortest path evaluation
    • H04L45/128Shortest path evaluation for finding disjoint paths
    • H04L45/1287Shortest path evaluation for finding disjoint paths with disjoint nodes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/24Multipath
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0827Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10Integrity
    • H04W12/102Route integrity, e.g. using trusted paths
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/12Shortest path evaluation
    • H04L45/128Shortest path evaluation for finding disjoint paths

Definitions

  • the present invention relates to the field of communication networks, such as the Internet. More specifically, the present invention is related to a secret sharing scheme, which is particularly effective for establishing a private channel for two parties communicating over multipath communication over hybrid infrastructures including clouds, servers in Points of Present (PoPs) and backup communication channels.
  • the secret sharing scheme may use fused public directories authentication to replace the secrecy and authenticity provided by the public key infrastructure, for eliminating the need for trusted authority and protection of keys.
  • Public key infrastructure is based on modern cryptography, where the existence of one-way-functions is assumed and such speculated to be one-way-functions are used in practice.
  • the security is based on computational security, rather than the classical information theoretical secure techniques, such as the one-time-pad (a random collection of letters each used at most once to encrypt messages with complete security) that implies unconditional secrecy, in particular, cannot be broken by extensive computation for revealing keys.
  • the computational security promise there is a need to avoid man-in-the-middle attacks by authenticating the parties using a trusted authority that authenticates the user and stores keys. In turn, the existence of keys is a target for attacks.
  • a Virtual Private Network (VPN - a network that uses a public infrastructure, such as the Internet, to provide secure access and ensured privacy through security procedures and tunneling protocols) provides easy access from the cloud into a corporate network and its internal resources.
  • PKI -- public key infrastructure encryption keys
  • the destination In order to create a secure channel between two entities, the destination must provide the sender a certification of its public key, signed by a trusted Certification Authority (CA). If the sender trusts the certification, the sender uses the public key of the CA to reveal the destination public key and a secure session begins.
  • CA trusted Certification Authority
  • an intruder steals identification of some entity and provides a certified key to the client, the client may use the intruder's key to encrypt the data (e.g., man-in-the-middle attack MITM). Therefore, one of the vulnerabilities of using PKI is identity spoofing that causes the source to use the attacker's key.
  • MITM man-in-the-middle attack
  • VPNs are based on computational secured protocols, i.e., with enough computational power, an intruder can reveal the encrypted data. Since the computational power of machines continuously grows over the years, the length of the eno ption key must increase in order to maintain the desired level of security. However, increasing the length of the key implies degradation in the performance of the encryption process. In addition, there are many existing hardware devices that do not support this new length of the keys and therefore, there are cases where the encryption is vulnerable at a portion of the channel.
  • an attacker can sniff the data anywhere in network (in the immediate perimeter, in the close zone e.g., a country, or in the backbone - between countries) and then, or at any time in the future, try to break the encryption.
  • Cloud computing a form of distributed computing accessed through the network, with the ability to run a program on many connected computers at the same time
  • Enterprises use the Infrastructure-as-a-Service model (IaaS model - a form of cloud computing that provides virtualized computing resources over the Internet), to build private and public clouds that reduce operating costs and increase the reliability of their critical information systems.
  • CloudBridge technology presented by Citrix® Systems, Inc. (Fort Lauderdale, FL, U.S.A.), which provides a unified platform that accelerates applications across public and private networks, resulting in superior application performance and end user experience.
  • CloudBridge connects across third-party public cloud and private networks, thereby offering a platform for cloud-enabling third-party applications.
  • the privacy of CloudBridge is achieved using a standard VPN, and therefore, is limited to a computational secured channel.
  • Secret- sharing is a tool used in many cryptographic protocols.
  • a secret-sharing scheme involves a dealer who has a secret, a set of n parties, and a collection of subsets of k parties. According to a secret-sharing scheme, the dealer distributes shares to the parties such that any subset of k parties can reconstruct the secret from its shares, and any subset with less than k parties cannot reveal any partial information on the secret.
  • Secret- sharing schemes have numerous applications in cryptography and distributed computing including secure information storage, secure multiparty computations, access control and more. However, none of these schemes solve the problem of providing information theoretically secure source- destination communication over several optional paths.
  • NIDS Network Intrusion Detection Systems
  • CIDS Central IDS
  • the sender sends the packet to a proxy and the proxy forwards it to the receiver as well as to the CIDS.
  • CIDS Central IDS
  • Each connection is secured by VPN but thus unauthorized network sniffing is prevented.
  • proxies are still able to access network packets relayed through them, which may expose the network packets to unwanted scrutiny.
  • proxies In order to ensure confidentiality with respect to the proxies, secret-sharing is used, such that the sender splits the packet to n shares and sends the shares to n proxies, the proxies further send the shares to the receiver and the CIDS.
  • secret-sharing is used, such that the sender splits the packet to n shares and sends the shares to n proxies, the proxies further send the shares to the receiver and the CIDS.
  • VPN routes may cross common network components, the security of the prior art suggested scheme is essentially identical to the security of VPN.
  • SPREAD Improving Network Security by Multipath Routing
  • T,N secret sharing scheme
  • the message to be protected can be divided into N shares such that from any T or more shares, it can easily recover the message, while from any TH or less shares, it should be impossible to recover the message. Then the shares are delivered across the network via multiple independent paths. The destination node reconstructs the original message upon receiving T or more shares.
  • a MULTIPATH ROUTING APPROACH FOR SECURE DATA DELIVERY' discloses an approach to enhance data confidentiality when transmitting across insecure networks by taking advantage of the distributed nature of networks such as Internet or wireless networks and combine the secret sharing scheme and multipath routing.
  • T,N secret sharing scheme
  • the secure message is divided into N shares such that the message can be easily recovered from any T or more shares, while from any T-l or less shares, it is computationally impossible to recover the message.
  • the shares are delivered across the network via N different paths using the multipath routing algorithm, where no T or more paths can share a single node.
  • the destination node can reconstruct the original message upon receiving T or more shares. Any intermediate node does not intercept T shares necessary for the message recovery.
  • the algorithm takes path independence, path quantity, as well as path cost into consideration and is able to find sets of node disjoint paths between any source-destination pair.
  • the present invention is directed to a method for establishing a fully private, information theoretically secure interconnection between a source and a destination over an unmanaged data network having at least a portion of a public infrastructure. Accordingly, n shares of the source data are created at the source according to a predetermined secret sharing scheme and the shares are sent to the data network, while encrypting the sent data using (n,k) secret sharing.
  • a plurality of intermediating nodes are deployed in different locations over the network, to create a pluralhry of fully and/or partially independent paths in different directions on the path from the source to the destination, and with sufficient data separation. Then, the shares are sent over the plurality of fully and/or partially independent paths while forcing shares' carrying packets to pass through selected intermediate nodes, such that no router at any intermediating nodes intercepts k or more shares.
  • the intermediating nodes may include one or more of the following:
  • Computational clouds having a dedicated process for forcing shares' carrying packets to pass through selected intermediate nodes, according to a desired routing scheme
  • the portion of the public infrastructure may include alternative paths supplied by the same/different network/Internet providers.
  • the separation between tunnels belonging to fully and/or partially independent paths may be made by encapsulation of the shares' packets according to a routing scheme that creates at least partially independent routing paths from source to destination, such that no node along a tunnel intercepts k or more shares.
  • each share-carrying packet may be changed to a modified header, for forcing the shares' carrying packets to pass through selected nodes, where each packet is forced to pass a possible different subset of selected nodes.
  • Public clouds deployed over the network may be used as nodes, by embedding a dedicated agent into a plurality of them, such that the modified header (which may be a part of the payload) will determine the next intermediate destination which will be the node that has been elected while creating each modified header.
  • the flow may be tested offline, to obtain the distribution of data through different nodes and deploy the dedicated agents accordingly, to create the optimal routing paths.
  • recovery tools may be used to obtain the expected distribution of data through different nodes and verify, before sending the share carrying packets.
  • the path/topology recovery tools may be HPOpenView, Freenats, Traceroute, TraceMAC or Batctl.
  • Sufficient data separation may be obtained by dynamically allocating nodes, through which the share carrying packets will pass.
  • IPv6 The inherent additional header of IPv6 may be used for creating tunnels between IPv6 nodes, where data between nodes is sent over IPv4 protocol links.
  • Data packets may be encrypted by creating a one-time-pad in the background at the sender side! sending the created one-time-pad to the destination over several paths! performing a bitwise XOR operation between the payload data and the bit string of the common one-time-pad; and sending the resulting bits of encrypted payload data over possibly a single channel.
  • the present invention is also directed to a method for establishing a fully private, information theoretically secure interconnection between a source and a destination over a managed data network having at least a portion of a public infrastructure, comprising the steps of :
  • a centralized network controller such as network controller is a controller for managing an SDN
  • network management tools at the sender for dynamically managing a plurality of partially independent paths, over which the shares are routed from the source to the destination, such that the number of shares that pass the router at each node along each path does not exceed a threshold of k-1 shares.
  • Optimal paths are dynamically determined by the network controller/sender, according to the threshold and to the load/current- eavesdropping-coalition-risks on each router in the data network.
  • the problem of finding paths may be reduced to the maximum flow problem (which may be solved for example, using the Dinitz's algorithm, or one of a plurality of other existing maximum flow algorithms) by expanding the original (directed or undirected) graph representing the data network.
  • the number of unique paths that are required to apply the (n,k) secret sharing scheme on the network may be varied by the controller in response to a coalition of two or more routers.
  • the sender or the controller may be adapted to merge the nodes of the coalition and to find a flow that fulfills the sharing scheme constraints.
  • the secret sharing scheme may be implemented on the network's Application Layer by:
  • the secret sharing scheme may be implemented on the network's Transport Layer by:
  • the secret sharing scheme may be implemented on the Network Layer by ' - at the source, applying secret-sharing on the payload and the headers of the Transport Layer, while keeping the headers of the Network Layer public, thereby creating n packets with the same headers of the Data Link and the Network Layers while allowing some minor changes, like length, checksum and CRC).
  • the destination buffering k out of n shares and applying secret -sharing algorithm to construct the original data;
  • the secret sharing scheme may be implemented on the Data Link layer by applying secret-sharing on the payload and the headers of the Network Layer and Transport Layer, while keeping the headers of the Data Link layer public on the LAN or on a Virtual LAN (VLAN), while allowing some minor changes, like length and CRC).
  • VLAN Virtual LAN
  • the secret sharing scheme may be implemented on the Physical Layer by applying secret-sharing on the payload and the headers of the Data Link Layer, Network Layer and Transport Layer, while keeping all headers private.
  • the secret sharing scheme may be implemented to perform one side identification between a client and a server, without the need to use a key that is certified by a third party, by:
  • the client receives the server's data from addresses mentioned in the public directory and sends the shares over different separated channels, such that each channel gets a share of the data and only by having all shares or a threshold of the shares, the data can be reconstructed;
  • the secret sharing scheme may be implemented to perform double side identification between a client and a server, without the need to use a key that is certified by a third party, using one/two/three handshake protocols, by:
  • the server creates shares from the nonce, receives the client address data from the public directory and sends the shares over different channels!
  • the server sends its own information with the nonce it got from the client through multiple channels to the client, such that each channel gets only a share of the data!
  • the client verifies the nonce and gets the server information
  • the client verifies the nonce and sends an acknowledgement through different channels to multiple addresses of the server along with the nonce to the server; the server finalizes the authentication by reconstructing the acknowledgement, and starts a session using one or more channels.
  • the present invention is further directed to a method for establishing a fully private, information theoretically secure interconnection between a source and a destination over a managed data network having at least a portion of a public infrastructure, comprising:
  • the secret sharing scheme may be hierarchical secret sharing, where at least one secret share is further secret shared by an intermediate network component, and gathered by one of the next components or by the destination.
  • Figs, la and lb illustrate an original undirected graph and its corresponding expanded graph, respectively;
  • Fig. 2a illustrates an original directed graph G of a flow example
  • Fig. 2b illustrates the resulting flow and the paths of the different shares on the corresponding expanded graph of Fig. 2a;
  • Fig. 3 illustrates a conventional process for obtaining a certification from a CA
  • Fig. 4a illustrates a process of one side authentication, using the secret sharing scheme proposed by the present invention.
  • Fig. 4b illustrates a process of double side authentication, using the secret sharing scheme proposed by the present invention.
  • the present invention proposes a novel alternative for establishing information theoretical secure and private interconnection, which is based on multipath communication that is efficiently implementable by current technology, cloud computing, point-of-presence, backup lines and infrastructures (wired connection, phone, messaging systems, internet, wireless, satellite, etc.) together with social networks and their searchable directories (phone directory, Facebook, Twitter, Linked) for robust authentication and avoidance of identity theft.
  • the present invention uses a data separation scheme for establishing an information theoretically secure private channel in communication networks. In case when a service provider uses a cloud to extend its available services by using virtualized servers on the cloud, the service provider must guarantee the customers that the interconnections between datacenters is private, and therefore, these interconnection is transparent to any potential customer.
  • the proposed interconnection is information theoretic secured, in particular, there is no key that by revealing it, privacy will be compromised.
  • the proposed solution uses secret sharing scheme along with different tunnels, to transfer the data while ensuring privacy.
  • Encryption with (n; k) secret sharing scheme (n>k) is done by creating n shares from the data, such that only by having at least k shares, the data can be decrypted, and any subset of less than k shares cannot be used to decrypt the data.
  • the present invention proposes using a secret sharing scheme (such as Shamir : "How to share a secret", ACM 22 (11), 1979) as a communication infrastructure for indefinitely securing data in transit.
  • the source creates n shares from the data and sends them over a data network to the destination through several tunnels, such that no node (router) along a tunnel intercepts k or more shares.
  • no node router
  • the secret-sharing scheme can be implemented in several communication layers for example, in the Transport Layer, where onry the payload of each packet is shared or at the Network Layer, where also the Transport layer headers are shared.
  • This data network can be either unmanaged, such as the current IP network with normal routing or managed (e.g., SDN).
  • encapsulation is used (i.e., a special header which forces the packets of the shares to pass via predetermined nodes) to create tunnels. These tunnels are created in different directions on the path from the source to the destination, such that no router intercepts k or more shares.
  • the appliance/virtual-appliance required for implementing the proposed data separation scheme can easily be integrated into any enterprise environment and is compatible with any communication and/or security infrastructures.
  • the appliance/virtual-appliance is installed inside the enterprise, before the data traffic leaves or enters the enterprise.
  • the appliance or another routing device after it and inside the enterprise
  • the appliance must have at least two interfaces, or routes to another entity along the path with at least two interfaces, to form at least two separate routes between each pair of sites. In any case, there is no effect on current traffic and configuration and the sharing process is transparent to the routers across the paths.
  • the specific deployment locations of the appliance may vary, depending on several constraints. On the sender side, typically the earliest point where the secret sharing process can be implemented is after the implementation of the upper layer in the networking stack.
  • the appliance may be installed before or after the existing VPN. By installing it after the VPN on the sender side, it means that the VPN encrypted data is split into shares and reconstructed on the receiver side before sending it to the VPN. Switching locations is also supported, i.e., any share of the appliance/virtual- appliance passes to the VPN to be encrypted.
  • Example l unmanaged network
  • the separation between tunnels can be made by encapsulation of the shares' packets according to a routing scheme that creates at least partially independent routing paths from source to destination, along which no node (router) along a tunnel intercepts k or more shares. This is done by changing the headers of each share -carrying packet to a modified header and deploying a plurality of Points of Presence (PoPs— e.g., servers) in different locations (e.g., countries) over the network, and forcing the shares' carrying packets to pass through selected PoPs (which are nodes, as well). Each packet may be forced to pass a possible different subset of selected PoPs.
  • PoPs Points of Presence
  • PoPs public clouds that are anyway deployed over the network, as PoPs
  • the share carrying packets will be sent from the source to the destination, such that the modified header will determine the next intermediate destination which will be the PoP or cloud agent that has been selected while creating each modified header.
  • Each agent will be able to receive an encapsulated packet (with the modified header), read its destination, encapsulate it by replacing its header with another modified header which corresponds to the next intermediate destination (the next PoP or cloud agent) and send it over the data network to that next intermediate.
  • the modified header may be a part of the payload. This process is repeated until the last PoP or cloud agent sends the packet to the original destination. This way, shares of encrypted data are routed in a controllable manner, thereby creating the required tunnels that force sufficient separation between segments of each path.
  • each dedicated agent determines only a segment until the next intermediate destination along the path from source to destination.
  • This routing scheme is superior over the prior art solutions since unlike prior art, it does not require totally independent paths from source to destination.
  • the data network is unmanaged but has a known topology, say by network management tools, it is possible to test the flow offline or online at the sender side, in order to obtain the distribution of data through different nodes and deploy/redeploy the dedicated agents (and thereby to determine the PoPs or cloud agent) accordingly, to create the optimal routing paths.
  • traceroute a utilit ⁇ that records the route through the Internet between a source computer and a specified destination computer
  • TraceMAC traceroute for MAC acldresses
  • Batctl B.A.T.M.A.N.
  • HP OpenView a Hewlett Packard product family that consisted of network and systems management products
  • FreeNATS - is an open source network monitoring software application
  • nodes dedicated agents or PoPs
  • 10 agents or PoPs may be deployed at different locations and the initial routing scheme resulting from using traceroute indicated that 6 agents (out of 10) were selected to establish several routing paths with sufficient separation.
  • traceroute After sending the shares according to the initial routing scheme (via the initially selected nodes), it is possible to periodically use traceroute to verify if there are unexpected problems (e.g., congestion, delay or temporary inactive router) at one or more nodes along each routing paths. If no problematic node is detected, packets will be sent according to the initial routing scheme.
  • unexpected problems e.g., congestion, delay or temporary inactive router
  • a modified routing scheme will be created dynamically using some other nodes that will be allocated to bypass the problematic node, using another combination of 6 agents or more (out of 10), and packets will be sent according to the modified routing scheme. This process is repeated, until all packets arrive to their destination.
  • This solution may also improve performance, since the router at each node has predetermined routing priority (according to the source or destination of the packet). Therefore, if the share cari ing packets are forced to pass via intermediate nodes, some of these intermediate nodes may have improved routing priority. As a result, a proper selection of the intermediate nodes can improve the time it takes the packets to reach their destination.
  • dynamic path selection may be used to avoid tracing the communication pattern, e.g., packet timing pattern, by sniffers that sniff a subset of the paths.
  • IPv6 protocol Internet Protocol version 6, in which IP addresses are 128 bits long
  • IPv4 protocol links Internet Protocol version 4, in which IP addresses are 32 bits long
  • the proposed data sharing scheme may be used to encrypt the destination IP address, along with the payload data. This is done by creating n shares from the IP address of the destination (i.e., the header data) and sending these shares via several different paths between pairs of neighboring intermediate nodes, using the proposed data sharing scheme, such that the header data can be decrypted at each intermediate nodes only by having at least k shares, and any subset of less than k shares cannot be used to decrypt the header data. This way, each intermediate node will collect the shares of the destination, reconstruct the IP address of the destination and add the header to the next intermediate node, until the destination is reached.
  • This additional splitting of the destination IP address (which is essentially similar to tunneling between source and destination) will be made preferably in path segments with higher probability for coalitions of eavesdroppers reducing the possible identification of related packets, and hiding the vicinity of the source/destination from eavesdroppers, which contains much information.
  • Splitting accompanied by secret sharing must be done while preserving the hierarchy according to which each share has been re-split, such that all re-split shares that are collected by an intermediate node will be of the same level (to avoid collision between shares resulting from unequal numbers of re-splitting, which will require more effort to be combined).
  • Each intermediate node can transmit data regarding the splitting level in the hierarchy, to the next intermediate node.
  • the proposed data sharing scheme may be used to encrypt the source IP address, along with the payload data. This is done by creating n shares from the IP address of the source and sending these shares as part of the payload of the secret shared packet, using the proposed data sharing scheme, such that the real source IP (which is secret shared as part of the payload by the source) will be revealed only by the destination.
  • the first (or any/every) intermediate node along the path sets itself as the source, in order to forward the shares to the next intermediate node.
  • the proposed data sharing scheme can be enhanced by creating secret shared packets of different length by padding the after secret shared packets with random string of varying lengths, to avoid correlation of packets by a coalition of eavesdroppers. Also, delaying some of the secret shared packets to avoid time correlation, and even sending some corrupted secret shared packets that can be discarded by the destination that receives enough secret shares but can full the coalition of eavesdroppers.
  • the proposed data sharing scheme may be used to encrypt data packets with restricted latency and deadlines (such as of voice or video packets) that can be influenced and can be more sensitive to synchronization issues that maybe yielded from multiple splitting to secret shares (at the sender) and gathering (at the receiver).
  • a one-time-pad (being a random bit string) is created in the background at the sender side and is then securely sent to the destination over several paths (using the proposed secret sharing scheme).
  • only the destination can reconstruct this one-time- pad, in order to be later used to decrypt the received (latency sensitive payload) data that will be sent using (bitwise, bit by bit, XOR, with) the common established one-time-pad.
  • the sender performs a bitwise (bit by bit) XOR operation between the payload data and the random bit string (to obtain encryption of the payload data) and sends the resulting bits of encrypted payload data over a single channel (just as it was originally transmitted, with no splitting). Then, the payload data, encrj'pted by the shared produced one-time-pad, is sent over a single path to the destination, with no additional latency problems.
  • This technique can be used for securely sending movies as well, since no extra latency or reliability problems are introduced, while sending the data from side to side over a single path.
  • the shared one time pad can be also regarded as a shared key when one wants to turn to using computational based schemes.
  • the method proposed by the present invention suggests using secret sharing in combination with a managed network, such as an SDN, to enable the secret sharing scheme to be managed by the SDN controller.
  • a managed network such as an SDN
  • the general idea of the proposed solution is to use SDN to enable the creation of several tunnels between each pair of datacenters that intercommunicate.
  • the source uses a secret sharing technique to encrypt its data and create n shares.
  • the destination In order to reconstruct the data, the destination must have at least k shares out of the n shares that were sent by the sender.
  • the present invention proposes a method for creating these tunnels with the constraint that only less than k shares of the same information can reach a single router. This way, a private and secure interconnection between the datacenters is obtained.
  • n _ k secret sharing is used to encrypt the data.
  • the source creates n shares of its data and sends them to the network.
  • the SDN controller manages the paths such that no k or more shares pass the same router. This way, the interconnection between the datacenters is information theoretically secured, i.e. unless two or more routers share their data, the encrypted data can never be revealed.
  • the problem of finding these paths can be reduced to the maximum flow problem by expanding the original graph.
  • a controller or network management tools at the sender it is possible to compute the flow on the network and determine a bound on the ratio n/k, which is the number of unique paths that are required to apply the n-k secret sharing scheme on the network.
  • the sender creates n shares of each packet such that each flow is expanded to n flows where the flow ID is the flow data along with the share index.
  • the controller which gets the first packet of each flow (corresponding to the new definition of flow), routes the shares to the corresponding paths and the private channel between the datacenters/endpoints is established.
  • the SDN controller defines the route of each flow that occurs in the data plane.
  • the controller calculates a rotite for each flow, and adds an entry for that flow in each of the routers along the path.
  • routers simply manage flow tables whose entries can be populated only by the controller. Communication between the controller and the routers uses a standardized protocol and API. Most commonly, this interface is the OpenFlow specification ("OpenFlow ⁇ Enabling innovation in campus networks", SIGCOMM Comput. Commun. Rev., 38(2):69-74, March 2008).
  • OpenFlow OpenFlow ⁇ Enabling innovation in campus networks
  • the router When a packet of a known flow is encountered, the router forwards it out the appropriate port based on the flow table.
  • the flow table may include some additional information dictated by the controller.
  • each router may have more than one entry but up to k - 1 entries for each flow, where k is the threshold of the secret sharing scheme.
  • This index can be added either by adding this field into the matching fields structure in the SDN controller platform which causes a change also at the routers, or to use vendor extensions which allow different kinds of matching.
  • a secret-sharing scheme is a method by which a dealer distributes n shares to parties such that only authorized subsets of at least k parties can reconstruct the secret.
  • a dealer distributes n shares to parties such that only authorized subsets of at least k parties can reconstruct the secret.
  • one datacenter intends to communicate with another datacenter, it creates n shares of its message and distributes these shares over the network.
  • the SDN controller routes these shares to the target datacenter in a way that no router on the way intercepts k or more shares. This way, a private channel between the datacenters is established.
  • k can be equal to n if it is assumed that the channels are reliable and nodes do not omit or corrupt shares.
  • a graph G (V, E) is given, with a source node s (which has only outgoing flow) and a sink node t (which has only incoming flow).
  • Each node v e V has a determined non-negative capacity C v .
  • the goal is to push as much flow as possible from s to t in the graph.
  • Each path has a flow f pi , the rule is that the sum of the flows of all paths that each node intercepts cannot exceed its capacity, formally, for each node v,
  • each edge e in E has an associated non-negative capacity C e , where for all non- edges it is implicitly assumed that the capacity is 0.
  • the goal is to push as much flow as possible from s to t in G, such that no edge can have flow exceeding its capacity, and for any vertex except s and t, the flow into the vertex must be equal to the flow out from the vertex.
  • each vertex v in G is expanded to a directed edge (v 1 ; v 2 ).
  • the expansion process is presented at Algorithm l: Algorithm l: The expansion process
  • V V ⁇ u ⁇
  • V V u ⁇ t4i i ⁇
  • Fig. 2a illustrates an original undirected graph G.
  • Fig. 2b illustrates its corresponding expanded graph.
  • the input of the algorithm is the original undirected graph G, the source s and sink t and the threshold k of the secret sharing scheme.
  • a directed edge G? £ , v l2 is added for each vertex v in G (except for s and t), for example, ( ⁇ , ⁇ , ⁇ , ) in Fig. 2b.
  • the capacity of this new edge is the capacity Cv; of the vertex vj.
  • each edge (s, Vj) from the source is replaced by the directed edge (s, Vj , i) i.e., edges (s, v 1 ?
  • each edge directed to the sink (vj, t) is replaced by (vj,2, t), i.e., (v 5 ,2, t) and (v 6 ,z, t) in Fig. 2b, respectively.
  • vj, Vj two directed edges, (vi,2, Vj,i) and (vj,2, Vi,i) are added, for example, (vi,2, V2,i) and ( 2,2, via).
  • the capacity of these edges is set to be k - 1.
  • Gt is a graph with ( I V I— 2) x 2 + 2 vertices and up to (
  • the expanded graph Gt is directed to force the paths to include the edges of the expanded vertexes but the input graph can be either directed or undirected.
  • a directed edge (vi, V2) is still added for each vertex v, but for each other directed edge (vi, Vj ), only the edge (vi,2, Vj, i) is added (and not (vj,2, vi, i) as was done for an undirected G).
  • G (V, E) be a network with s, t ⁇ V being the source and the sink of G, respectively.
  • the capacity of an edge is a mapping c ' -E ⁇ R + , denoted by c(u, v). It represents the maximum amount of flow that can pass through an edge.
  • a flow is a mapping f ⁇ E ⁇ R+ , denoted by f (u, v), subject to the following two constraints ⁇
  • the last definition is dist(v), which is the length of the shortest path from s to v in Gf .
  • the maximum flow problem is related to the minimum-cut problem.
  • the problem of s-t minimum cut in a flow network is finding the minimum number of edges in the cut-set that creates a cut where the source and the sink are in different subsets.
  • the cut-set only consists of edges going from the source's side to the sink's side. In other words, if the edges in the cut-set are removed, then flow form the source to the sink is completely cut off.
  • the cut- set value is the sum of the flow capacities in the source- to-sink direction over all of the edges in the cut-set.
  • the minimum cut problem is to find the cut-set that has the minimum cut value over all possible cuts in the network.
  • the maximum possible flow from source to sink is equal to the minimum cut value for all cuts in the network.
  • the proof stems from the fact that the maximum flow through a series of linked pipes equals the maximum flow in the smallest pipe in the series, i.e., the flow is limited by the bottleneck pipe.
  • Fig. 3a illustrates an original directed graph G of a flow example.
  • the s _ t minimum cut is calculated on the expanded graph. If the minimum cut-set contains t edges, then n/k has to be less than t.
  • the cut-set in this example consists of two edges, (v 4 ,i, v 4 ,2) and (v5,i , V5,2). This implies that in this graph, n/2 must be lower than k.
  • Fig. 3b illustrates the resulting flow and the paths of the different shares on its corresponding expanded graph.
  • the method proposed by the present invention considers the network overhead, as well.
  • Each packet that is sent between the source and the destination is split into n shares. Assuming that each share is sent within a packet, n packets are sent for a single packet of data.
  • n x m packets are sent. This might be considered impractical and a high volume of data is sent in the network in general and in particular between the two nodes. Therefore, if this is the case, the proposed scheme can be used for exchanging keys for the use of standard VPNs. This way, the privacy of the keys is information theoretically secured and man-in-the-middle attacks are eliminated.
  • the controller operates maximum once for each flow to construct the maximum flow algorithm on the network topology. In practice, it will compute the algorithm only a few times for each couple of source and destination since the network is typically undergo only limited and infrequent dynamic changes.
  • the computational complexity of the controller depends on the network size and it is 0(V 2 E). In the realistic case where several controllers manage the network where each controller has its own part of the network, this computation can be done in parallel, thus V and E are nodes and edges at each part of the network.
  • the cut-set contains 1 edges
  • This set of possibilities is called ⁇ .
  • This is equivalent to distributing n balls in £ cells such that no cell contains more than k - 1 balls, or by rephrasing, all the possibilities to distribute n balls to the 1 cells minus the possibilities that any of the cells contains k or more balls.
  • the number of possibilities in ⁇ is :
  • the sender knows about the possibility of a specific coalition and the probability to find a flow given that coalition is positive, it can first merge the nodes of the coalition and then find a flow that fulfills the sharing scheme constraints.
  • the above analysis was done for a single coalition of two nodes, in case there are more nodes in the coalition or another coalition, the same process can be done recursively.
  • the time computation of the secret sharing scheme depends on n and k. Therefore, when there is full trust on the routers, n and k should be relatively low. In order to increase the probability of a private channel, in case there is some positive probability for a coalition in the network, the source may choose larger n and k, even in the price of compromising the algorithm efficiency.
  • the proposed secret sharing scheme may be implemented on different layers of the Open Systems Interconnection (OSI) model. This allows a system to communicate over different communication layer that perfectly secure the data in transit over a communication link.
  • OSI Open Systems Interconnection
  • the data to be shared are the application layer packets, before splitting the data into packets.
  • the proposed secret sharing process on the source receives the data before it gets into the networking stack implementation.
  • the process applies the secret- sharing algorithm on the entire data.
  • it establishes a connection for each route and sends the shares on the different sockets (endpoints in a communication flow).
  • the process can use either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP- a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol), depending on the required service.
  • TCP Transmission Control Protocol
  • UDP- User Datagram Protocol
  • the receiver should maintain several sockets to get different shares, this time after the networking stack is done with the packets.
  • the process reconstructs the original data at the application.
  • the data to be shared is only the payload, while keeping the headers of the Transport layer public.
  • the process on the source gets the packet before it leaves. Then, it applies the secret- sharing algorithm on the payload, while creating n packets with the same headers of all layers (Data Link layer, the Network layer and the Transport layer). Since the routers on the way of the packets traversing the network do not process the payload at any time, the proposed secret sharing process is transparent to them.
  • the proposed secret sharing process on the destination gets the packets when they enter the local network (before they reach the destination on the Transport Layer implementation), first the secret sharing process buffers k out of n shares and applies the secret- sharing algorithm, to reconstruct the original data. Then the secret sharing process adds the headers of the Transport Layer and sends a single packet (out of the k shares) to the Transport Layer implementation of the destination.
  • This secret sharing process is also transparent to the Transport layer implementation on both the sender and the receiver sides.
  • the implementation on the Transport Layer does not interfere with any device that inspects the packet headers at all levels, such as a firewall or a conventional VPN.
  • IDS Intrusion Detection System
  • the data to be shared is the packets of the Transport Layer, i.e., the payload and the headers of the Transport Layer, while keeping the headers of the Network Layer public.
  • the proposed secret sharing process on the source gets the packet before it leaves, and applies the secret-sharing algorithm on the payload and the headers of the Transport Layer. The process creates n packets with the same headers of Data Link and the Network Layers.
  • the process on the destination gets the packets when they enter the local network (again, before they reach the destination in the Transport Layer implementation). It buffers k out of n shares and applies the secret -sharing algorithm, to construct the original data. Here, the data already contains the headers of the Transport Layer. Then it sends a single packet (out of the k shares) to the Transport Layer implementation of the destination.
  • the proposed secret sharing process is also transparent to the Transport Layer implementation, both at the sender and the receiver sides.
  • the implementation on the Network Layer is made right after the OS finishes the implementation of the Network layer and on the transport layer, and also interferes devices that inspect the headers of the transport layer, such as a firewall.
  • the splitting process should be after the firewall or it should bypass the firewall, exactly as it happens today when a VPN and a firewall listen to the same port.
  • the data to be shared is the Network Layer's packets, i.e., the payload and the headers of the Network Layer and Transport Layer, while keeping the headers of the Data Link layer public.
  • the first architecture is on the LAN, and the other is on a Virtual LAN (VLAN).
  • VLAN Virtual LAN
  • the network When implemented on the LAN, the network should be in a graph structure, rather than tree structure, namely, there are two or more paths for connecting between host A and host B. In order to find the multiple paths, it is possible to execute the proposed flow algorithm in the LAN. Then, after splitting the data, the source sends the shares through more than one switch to the destination.
  • MPLS Multiprotocol Label Switching
  • the routing in the VLAN is done through several switches by the Data Link layer protocol (sometimes is considered as layer 2.5).
  • This protocol creates tunnels in the Network Layer, so using the Network Layer, the source and destination in the VLAN are in the same LAN.
  • the proposed secret sharing process can be applied by creating multiple tunnels between the source and the destination.
  • the data to be shared is the Data Link packets, i.e., the payload and the headers of the Data Link Layer, Network Layer and Transport Layer, while keeping all headers private. This can be done by separating the physical bandwidth, for example, by splitting light waves and sending the shares at the different waves.
  • the earliest point where the process can be implemented is after the implementation of the above layer in the networking stack.
  • the Network Layer implementation can be implemented right after the OS completes the implementation of the transmission layer in the networking stack. In any case, it can be right before the packet leaves the network. With the same constraints for the receiver, it can be the first step when the packets enter the network or just before the above layer implementation, in the above example, it should be right before the implementation of the transmission layer in the networking stack.
  • IDS Intrusion Detection System
  • the Application Layer and Transport Layer layers implementation does not interfere any device that examines the packet headers at all levels such as firewall or VPN.
  • IDS Intrusion Detection System
  • the IDS should be before the split into shares at the sender side and after it, at the receiver side (again, at the same place where a VPN is located).
  • the Physical layer, Data Link layer and Network Layer implementation includes also devices that examine Transport Layer and Network Layer headers, such as a firewall.
  • the splitting process should be after the firewall or it should bypass the firewall, exactly as happens today when the VPN and the firewall are installed on the same port.
  • the proposed secret sharing scheme or a random string sharing scheme, to perform identification between a client and a server, without the need to use a key that is certified by a third party.
  • identification to authenticate two parties
  • CA Certification Authority
  • Each entity has two keys, a public key and a private key.
  • the public key is used to decrypt data by the other party and the private key is used to decrypt it.
  • data that was encrypted by a private key can be decrypted by a public key.
  • the conventional process for obtaining a certification from a CA on a public key is illustrated in Fig. 1.
  • the CA 10 receives from one party a public key 11 along with the party's identifying data 12.
  • the CA 10 signs the public key 11 using its private key 13 and issues a certificate 14 for that public key 11.
  • the browser or the other party already possesses the public key of the CA and consequently can verify the signature, trust the certificate and the public key in it. Since the first partj ⁇ uses a public key that the CA certifies, a fake first party can only use the same public key. Since the fake first party does not know the corresponding private key, it cannot create the signature needed to verify its authenticity.
  • a server For example, if a server requires that a client will send some private data (e.g., a password), it needs to authenticate itself to the client. Normally, the server does that by using a service of one of the CAs (such as Verisign, Reston, Virginia, U.S.A.).
  • the CA identifies the server and uses its private key to sign the server's identification and public key.
  • the server is authenticated to the client.
  • the client uses the public key of the CA to reveal the server public key.
  • There are two main problems with this authentication process one is the need to trust a CA and the other is the strength of the encryption. Today, anyone (benign or possibly malicious entity) can establish a CA and in practice, this is the situation in many cases.
  • the browser does alert the client if it gets a certification from unknown CA but the typical client would simply press the "OK" button to continue. This is a major vulnerability that can be solved using the proposed secret sharing scheme. Furthermore, in many cases the strength of the identification depends on some password that the client chooses. As was proven many times, in many of the cases, these passwords are easy to guess.
  • the new identification process proposed by the present invention does not require using any certificates or certificate authorities. Instead, it creates several separated channels (tunnels) between communicating parties, along with some of the public information of entities in the Internet.
  • a user in order to identify using the secret sharing scheme of the present invention, a user must have at least two (logical or preferably also actual) networking paths (and/or applications) where the user can get data in, for example, email, Facebook, Linkedln, SMS, etc. (this collection is sometimes called a "public trust", where publicly available identity information is used for authentication, as a redundancy for a trusted authority).
  • the main idea of the new identification process is that one side sends some data through these (at least logically) separated channels to the other side and by having all (or some threshold of) the pieces of the data, the other side can construct the data, find the details on the entity that proposes the connection and verify it.
  • the new identification process proposed by the present invention can have one side authentication or both sides authentication.
  • the one side authentication process will include the following steps (which are illustrated in Fig. 5a):
  • the client takes the following actions to send some message or/and nonce (a random number generated for a specific use, such as session authentication) together with own identification information via multiple channels to the server according to the listing of the server in several (self-verifiable) public directories (e.g., a phone directory, email, Facebook, Twitter Linkedln searches, government agencies, newspaper, IP address, etc.).
  • a self-verifiable public directory is a public directory which essentially can withstand identity-theft attempts. Each entity in a self-verifiable public directory can verify its own details, so as to make sure that the data representing these details is up-to-date and has not corrupted by a 3 rd party.
  • the self-verifiable public directory will notify the public directory's moderator that the data is not up-to-date.
  • the data is secret shared by the client.
  • the client received the server's data from the addresses mentioned in public directory and sends the shares over different separated channels, such that each channel gets a share of the data and only by having all (or a threshold of the) shares, the data can be reconstructed.
  • the data may include all the found listing information so that the server may identify its own wrong listing in some of the directories, as a result of non-updated listing or phishing.
  • the server gets the required number of shares and reconstructs the client's nonce.
  • the server receives the message of the client, and the client has succeeded sending the message to the server in a secure fashion, in this "one-way authenticated" version the server does not send the identifier of the client over multiple channels.
  • the client side will perform the steps described before (for one side authentication).
  • the double side authentication process will further include the following steps (which are illustrated in Fig. 5b):
  • the client sends its ID and some nonce (a number generated for a specific use, such as session authentication) via multiple public accounts of the server over multiple channels, such that each channel gets a share of the data and only by having all (or a threshold of the) shares, the data can be reconstructed.
  • the data may include all the found listing information so that the server may identify its own wrong listing in some of the directories, as a result of non-updated listing or phishing.
  • each channel gets a share of the data, so that, only by having all (or a threshold of the) shares, the data can be reconstructed.
  • the server creates shares from the nonce received, possibly augmenting the nonce with a new nonce, and its own ID information, searches the client data in the public directories and sends the shares over different channels. .
  • the client verifies the nonce and gets the server information.
  • the client sends an acknowledgement through the different channels to multiple addresses of the server along with the nonce (or with a combination, such as bitwise XOR of the two nonce, when the server replies with a new nonce) to the server.
  • the server finalizes the authentication by reconstructing the acknowledgement, and, in case also confidentiality is required, starts a session using multiple channels (using the agreed IP addresses that are part of the identification information), possibly using the nonce as a (first) common shared secret or a seed for creating sequence numbers for the shares.
  • One/two/three way handshake procedures based on using public directories and secret shares sent by multi-path communication are essentially the core of the proposed authentication schemes.
  • a public trust may be sometimes vulnerable to phishing and identity stealing attempts.
  • Such vulnerabilities may be overcome by using a self-authentication process, during which an entity (e.g., a bank) periodically performs self- searches of its own public contact details in all public directories (in the same way that other entities search these public directories), to ensure that there is no identity theft (by comparing the search results to its authentic public contact details).
  • an identity detects a mismatch in a public directory (i.e., a stolen or fake identity)
  • the frequency of performing these self-searches is normally increased if the risk level increases.
  • the secret sharing scheme proposed by the present invention can overcome some levels of identity theft, by using error correction algorithms.
  • error correction algorithms such as the Berlekamp Welch technique. This may be done by finding a polynomial in which one or more points (up to a threshold e) are incorrect, but is still revocable by the redundancy implied by n>k.
  • the proposed solution may use other data separation schemes. For example, it is possible to select a sequence of bits (a coding sequence) with the same length as of the data sequence and decode and encode the data sequence by performing a logic operation (such as XOR) between the two sequences. Then, the resulting (encoded) bit sequence and the coding sequence are sent to the destination via separate tunnels. This way, only the destination (which receives the full sequences will be able to decode the data sequence and reveal the data by performing another XOR operation. Such a solution also keeps the size of the sent packets the same as the original packet's size.
  • a logic operation such as XOR
  • the solution proposed by the present invention may be used to protect selected systems in an enterprise, such as emails or other types of data, rather than protecting the entire data traffic that is sent from, or received by, the enterprise.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method for establishing a fully private, information theoretically secure interconnection between a source and a destination, over an unmanaged data network with at least a portion of a public infrastructure. Accordingly, n shares of the source data are created at the source according to a predetermined secret sharing scheme and the shares are sent to the data network, while encrypting the sent data using (n,k) secret sharing. A plurality of intermediating nodes are deployed in different locations over the network, to create a plurality of fully and/or partially independent paths in different directions on the path from the source to the destination, and with sufficient data separation. Then, the shares are sent over the plurality of fully and/or partially independent paths while forcing shares' carrying packets to pass through selected intermediate nodes, such that no router at any intermediating nodes intercepts k or more shares.

Description

A METHOD FOR ESTABLISHING A SECURE PRIVATE INTERCONNECTION
OVER A MULTIPATH NETWORK
Field of the Invention
The present invention relates to the field of communication networks, such as the Internet. More specifically, the present invention is related to a secret sharing scheme, which is particularly effective for establishing a private channel for two parties communicating over multipath communication over hybrid infrastructures including clouds, servers in Points of Present (PoPs) and backup communication channels. The secret sharing scheme may use fused public directories authentication to replace the secrecy and authenticity provided by the public key infrastructure, for eliminating the need for trusted authority and protection of keys.
Background of the Invention
Public key infrastructure is based on modern cryptography, where the existence of one-way-functions is assumed and such speculated to be one-way-functions are used in practice. The security is based on computational security, rather than the classical information theoretical secure techniques, such as the one-time-pad (a random collection of letters each used at most once to encrypt messages with complete security) that implies unconditional secrecy, in particular, cannot be broken by extensive computation for revealing keys. Beyond the computational security promise, there is a need to avoid man-in-the-middle attacks by authenticating the parties using a trusted authority that authenticates the user and stores keys. In turn, the existence of keys is a target for attacks.
A Virtual Private Network (VPN - a network that uses a public infrastructure, such as the Internet, to provide secure access and ensured privacy through security procedures and tunneling protocols) provides easy access from the cloud into a corporate network and its internal resources. However, the encryption protocols that are used today for establishing a VPN are based on encryption keys (PKI -- public key infrastructure). In order to create a secure channel between two entities, the destination must provide the sender a certification of its public key, signed by a trusted Certification Authority (CA). If the sender trusts the certification, the sender uses the public key of the CA to reveal the destination public key and a secure session begins. However, if an intruder steals identification of some entity and provides a certified key to the client, the client may use the intruder's key to encrypt the data (e.g., man-in-the-middle attack MITM). Therefore, one of the vulnerabilities of using PKI is identity spoofing that causes the source to use the attacker's key.
Another limitation of existing VPNs is the fact that they are based on computational secured protocols, i.e., with enough computational power, an intruder can reveal the encrypted data. Since the computational power of machines continuously grows over the years, the length of the eno ption key must increase in order to maintain the desired level of security. However, increasing the length of the key implies degradation in the performance of the encryption process. In addition, there are many existing hardware devices that do not support this new length of the keys and therefore, there are cases where the encryption is vulnerable at a portion of the channel. Also, there are many attacks from the last few years that succeed to break these protocols even without having the key, such as, the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, (which is a man-in-the-middle exploit), or "Compression Ratio Info-leak Made Easy" (CRIME) attack, (which is a security exploit against secret web cookies). Moreover, unlike information theoretical secure based protocol, the computational secured protocol is not everlasting and basically, it is just a matter of time for the information to be revealed. As a result of the above limitations, an attacker can sniff the data anywhere in network (in the immediate perimeter, in the close zone e.g., a country, or in the backbone - between countries) and then, or at any time in the future, try to break the encryption. Cloud computing (a form of distributed computing accessed through the network, with the ability to run a program on many connected computers at the same time) is one of the fastest growing opportunities for enterprises and service providers. Enterprises use the Infrastructure-as-a-Service model (IaaS model - a form of cloud computing that provides virtualized computing resources over the Internet), to build private and public clouds that reduce operating costs and increase the reliability of their critical information systems.
One of the existing solutions is CloudBridge technology presented by Citrix® Systems, Inc. (Fort Lauderdale, FL, U.S.A.), which provides a unified platform that accelerates applications across public and private networks, resulting in superior application performance and end user experience. CloudBridge connects across third-party public cloud and private networks, thereby offering a platform for cloud-enabling third-party applications. However, the privacy of CloudBridge is achieved using a standard VPN, and therefore, is limited to a computational secured channel.
Secret- sharing is a tool used in many cryptographic protocols. A secret-sharing scheme involves a dealer who has a secret, a set of n parties, and a collection of subsets of k parties. According to a secret-sharing scheme, the dealer distributes shares to the parties such that any subset of k parties can reconstruct the secret from its shares, and any subset with less than k parties cannot reveal any partial information on the secret. Secret- sharing schemes have numerous applications in cryptography and distributed computing including secure information storage, secure multiparty computations, access control and more. However, none of these schemes solve the problem of providing information theoretically secure source- destination communication over several optional paths.
Other prior art solutions deal with security issues that arise when using SDN, such as using secure multiparty computation techniques to secure the data in the controller. Another prior art method focuses on the effects of end-to-end encrypted networks on Network Intrusion Detection Systems (NIDS) operations. All data traffic sent to a receiver by a sender must be replicated and forwarded also to a Central IDS (CIDS), i.e., the sender sends the packet to a proxy and the proxy forwards it to the receiver as well as to the CIDS. Each connection is secured by VPN but thus unauthorized network sniffing is prevented. However, proxies are still able to access network packets relayed through them, which may expose the network packets to unwanted scrutiny. In order to ensure confidentiality with respect to the proxies, secret-sharing is used, such that the sender splits the packet to n shares and sends the shares to n proxies, the proxies further send the shares to the receiver and the CIDS. However, since VPN routes may cross common network components, the security of the prior art suggested scheme is essentially identical to the security of VPN.
"SPREAD: Improving Network Security by Multipath Routing" (Lou et al., Military Communications Conference, MILCOM Ό3, 2003 IEEE, Vol. 2) discloses an end'to-end multipath secure data delivery scheme, secure protocol for reliable data delivery (SPREAD), as a complementary mechanism for the data confidentiality service in the public networks. The confidentiality is improved by forcing the secret sharing principle in the network via multipath routing. With a (T,N) secret sharing scheme, the message to be protected can be divided into N shares such that from any T or more shares, it can easily recover the message, while from any TH or less shares, it should be impossible to recover the message. Then the shares are delivered across the network via multiple independent paths. The destination node reconstructs the original message upon receiving T or more shares.
"A MULTIPATH ROUTING APPROACH FOR SECURE DATA DELIVERY' (Lou et al., Military Communications Conference, MILCOM '01, 2001 IEEE, Vol. 2) discloses an approach to enhance data confidentiality when transmitting across insecure networks by taking advantage of the distributed nature of networks such as Internet or wireless networks and combine the secret sharing scheme and multipath routing. With a (T,N) secret sharing scheme, the secure message is divided into N shares such that the message can be easily recovered from any T or more shares, while from any T-l or less shares, it is computationally impossible to recover the message. Then, the shares are delivered across the network via N different paths using the multipath routing algorithm, where no T or more paths can share a single node. The destination node can reconstruct the original message upon receiving T or more shares. Any intermediate node does not intercept T shares necessary for the message recovery. The algorithm takes path independence, path quantity, as well as path cost into consideration and is able to find sets of node disjoint paths between any source-destination pair.
However, both solutions proposed by Lou et al are not highly performance efficient, since shares must be routed in predetermined totally independent source-to-destination paths, without considering the varying data traffic congestion/restrictions in each node. Therefore, in order to obtain the desired level of security, the performance of packet delivery may be compromised. In addition, there are situations where according to the solutions proposed by Lou et al, it will be impossible to find totally independent source-to-destination paths, while there is an existing solution, in which less than k shares traverse each node in the network. For example, when each of the nodes A and B that are connected to C forward (k-l)/2 of the arriving shares to C, while their other (k-l)/2 are forwarded in different paths and some are merged in other nodes later, resulting in non- independent paths that still fulfill the k-1 restriction.
It is therefore an object of the present invention, to provide an improved and secure VPN solution which is based on data separation scheme that overcomes the security vulnerabilities of the existing VPNs.
It is still an object of the present invention to provide a data separation scheme, for establishing private interconnection between a sender and a receiver, without the need to use encryption keys or trusted third party authorities for achieving security and privacy.
It is another object of the present invention to provide a data separation scheme, which is particularly effective for establishing a private channel, in which the information is information theoretically secure and is not bounded by the security of the VPN used.
It is a further object of the present invention to provide a data separation scheme for establishing a private channel in communication networks, in which the transmitted information cannot be revealed, unless at least k shares are revealed.
It is yet another object of the present invention to provide a data separation scheme, particularly effective for establishing a private channel in the network, which does not require using a Certification Authority for identification to encrypt data communicated between two parties over a data network, even if the data network exploits the internet, public clouds and untrusted channels.
Other objects advantages of the present invention will become clear as the description proceeds.
Summary of the Invention
The present invention is directed to a method for establishing a fully private, information theoretically secure interconnection between a source and a destination over an unmanaged data network having at least a portion of a public infrastructure. Accordingly, n shares of the source data are created at the source according to a predetermined secret sharing scheme and the shares are sent to the data network, while encrypting the sent data using (n,k) secret sharing. A plurality of intermediating nodes are deployed in different locations over the network, to create a pluralhry of fully and/or partially independent paths in different directions on the path from the source to the destination, and with sufficient data separation. Then, the shares are sent over the plurality of fully and/or partially independent paths while forcing shares' carrying packets to pass through selected intermediate nodes, such that no router at any intermediating nodes intercepts k or more shares.
The intermediating nodes may include one or more of the following:
Points of Presence (PoPs);
Computational clouds having a dedicated process for forcing shares' carrying packets to pass through selected intermediate nodes, according to a desired routing scheme;
Backup channels and paths.
The portion of the public infrastructure may include alternative paths supplied by the same/different network/Internet providers.
The separation between tunnels belonging to fully and/or partially independent paths may be made by encapsulation of the shares' packets according to a routing scheme that creates at least partially independent routing paths from source to destination, such that no node along a tunnel intercepts k or more shares.
During encapsulation, the header of each share-carrying packet may be changed to a modified header, for forcing the shares' carrying packets to pass through selected nodes, where each packet is forced to pass a possible different subset of selected nodes. Public clouds deployed over the network may be used as nodes, by embedding a dedicated agent into a plurality of them, such that the modified header (which may be a part of the payload) will determine the next intermediate destination which will be the node that has been elected while creating each modified header.
Whenever the data network has a known topology, the flow may be tested offline, to obtain the distribution of data through different nodes and deploy the dedicated agents accordingly, to create the optimal routing paths.
Whenever the data network has unknown topology a path/topology, recovery tools may be used to obtain the expected distribution of data through different nodes and verify, before sending the share carrying packets.
The path/topology recovery tools may be HPOpenView, Freenats, Traceroute, TraceMAC or Batctl.
Sufficient data separation may be obtained by dynamically allocating nodes, through which the share carrying packets will pass.
The inherent additional header of IPv6 may be used for creating tunnels between IPv6 nodes, where data between nodes is sent over IPv4 protocol links.
It is possible to encrypt the destination IP address, along with the payload data, by creating n shares from the IP address of the destination and sending the shares via several different paths between pairs of neighboring intermediate nodes, such that the header data is decrypted at each intermediate nodes only by having at least k shares, and any subset of less than k shares cannot be used to decrypt the header data. Secret shared packets of different length may be created by padding the after secret shared packets with random string of varying lengths, to avoid correlation of packets by a coalition of eavesdroppers. Some of the secret shared packets may be delayed to avoid time correlation.
Data packets may be encrypted by creating a one-time-pad in the background at the sender side! sending the created one-time-pad to the destination over several paths! performing a bitwise XOR operation between the payload data and the bit string of the common one-time-pad; and sending the resulting bits of encrypted payload data over possibly a single channel.
The present invention is also directed to a method for establishing a fully private, information theoretically secure interconnection between a source and a destination over a managed data network having at least a portion of a public infrastructure, comprising the steps of:
at the source, creating n shares of the source data according to a predetermined secret sharing scheme and sending the shares to the data network, while encrypting the sent data using (n,k) secret sharing;
using a centralized network controller (such as network controller is a controller for managing an SDN) or network management tools at the sender for dynamically managing a plurality of partially independent paths, over which the shares are routed from the source to the destination, such that the number of shares that pass the router at each node along each path does not exceed a threshold of k-1 shares. Optimal paths are dynamically determined by the network controller/sender, according to the threshold and to the load/current- eavesdropping-coalition-risks on each router in the data network.
The problem of finding paths may be reduced to the maximum flow problem (which may be solved for example, using the Dinitz's algorithm, or one of a plurality of other existing maximum flow algorithms) by expanding the original (directed or undirected) graph representing the data network.
The number of unique paths that are required to apply the (n,k) secret sharing scheme on the network, may be varied by the controller in response to a coalition of two or more routers.
Whenever a coalition of routers is detected/suspected, the sender or the controller may be adapted to merge the nodes of the coalition and to find a flow that fulfills the sharing scheme constraints.
The secret sharing scheme may be implemented on the network's Application Layer by:
receiving the data before it gets into the networking stack;
applying secret-sharing on the entire data;
establishing a connection for each route and sending the shares on different sockets using TCP or UDP, depending on the required service.
The secret sharing scheme may be implemented on the network's Transport Layer by:
at the source, applying secret-sharing only on the packet's payload, while keeping the headers of the Transport Layer public, while allowing some minor changes, like the length and the checksum;
at the source, creating n packets with the same headers of all layers;
at the destination, buffering k out of n shares and applying the secret-sharing algorithm, to reconstruct the original data;
reconstructing the header of the Transport Layer and sends a single packet (out of the k shares) to the Transport Layer implementation of the destination.
The secret sharing scheme may be implemented on the Network Layer by'- at the source, applying secret-sharing on the payload and the headers of the Transport Layer, while keeping the headers of the Network Layer public, thereby creating n packets with the same headers of the Data Link and the Network Layers while allowing some minor changes, like length, checksum and CRC). at the destination, buffering k out of n shares and applying secret -sharing algorithm to construct the original data;
sending a single packet (out of the k shares) to the Transport Layer implementation of the destination.
The secret sharing scheme may be implemented on the Data Link layer by applying secret-sharing on the payload and the headers of the Network Layer and Transport Layer, while keeping the headers of the Data Link layer public on the LAN or on a Virtual LAN (VLAN), while allowing some minor changes, like length and CRC).
The secret sharing scheme may be implemented on the Physical Layer by applying secret-sharing on the payload and the headers of the Data Link Layer, Network Layer and Transport Layer, while keeping all headers private.
The secret sharing scheme may be implemented to perform one side identification between a client and a server, without the need to use a key that is certified by a third party, by:
allowing the client to send a nonce via multiple channels to the server according to the listing of the server in several self-verifiable public directories!
applying secret- sharing by the client;
the client receives the server's data from addresses mentioned in the public directory and sends the shares over different separated channels, such that each channel gets a share of the data and only by having all shares or a threshold of the shares, the data can be reconstructed;
the server gets the required number of shares and reconstructs the sent data. The secret sharing scheme may be implemented to perform double side identification between a client and a server, without the need to use a key that is certified by a third party, using one/two/three handshake protocols, by:
allowing the client to send its ID and a nonce, while each channel gets a share of the data, so that, only by having all or a threshold of the shares, the data can be reconstructed;
the server creates shares from the nonce, receives the client address data from the public directory and sends the shares over different channels!
the server sends its own information with the nonce it got from the client through multiple channels to the client, such that each channel gets only a share of the data!
the client verifies the nonce and gets the server information;
the client verifies the nonce and sends an acknowledgement through different channels to multiple addresses of the server along with the nonce to the server; the server finalizes the authentication by reconstructing the acknowledgement, and starts a session using one or more channels.
The present invention is further directed to a method for establishing a fully private, information theoretically secure interconnection between a source and a destination over a managed data network having at least a portion of a public infrastructure, comprising:
at the source, creating n shares of the source data according to a predetermined secret sharing scheme and sending the shares to the data network, while encrypting the sent data using n-k secret sharing;
using a centralized network controller for dynamically managing a plurality of partially independent paths, over which the shares are routed from the source to the destination, such that the number of shares that pass the router at each node along each path does not exceed a threshold of k-1 shares. Optimal paths are dynamically determined by the network controller, according to the threshold and to the load on each router in the data network. The secret sharing scheme may be hierarchical secret sharing, where at least one secret share is further secret shared by an intermediate network component, and gathered by one of the next components or by the destination.
Brief Description of the Drawings
In the drawings:
Figs, la and lb illustrate an original undirected graph and its corresponding expanded graph, respectively;
Fig. 2a illustrates an original directed graph G of a flow example!
Fig. 2b illustrates the resulting flow and the paths of the different shares on the corresponding expanded graph of Fig. 2a;
Fig. 3 (prior art) illustrates a conventional process for obtaining a certification from a CA;
Fig. 4a illustrates a process of one side authentication, using the secret sharing scheme proposed by the present invention; and
Fig. 4b illustrates a process of double side authentication, using the secret sharing scheme proposed by the present invention.
Detailed Description of the Invention
The present invention proposes a novel alternative for establishing information theoretical secure and private interconnection, which is based on multipath communication that is efficiently implementable by current technology, cloud computing, point-of-presence, backup lines and infrastructures (wired connection, phone, messaging systems, internet, wireless, satellite, etc.) together with social networks and their searchable directories (phone directory, Facebook, Twitter, Linked) for robust authentication and avoidance of identity theft. The present invention uses a data separation scheme for establishing an information theoretically secure private channel in communication networks. In case when a service provider uses a cloud to extend its available services by using virtualized servers on the cloud, the service provider must guarantee the customers that the interconnections between datacenters is private, and therefore, these interconnection is transparent to any potential customer. The proposed interconnection is information theoretic secured, in particular, there is no key that by revealing it, privacy will be compromised.
In one embodiment, the proposed solution uses secret sharing scheme along with different tunnels, to transfer the data while ensuring privacy. Encryption with (n; k) secret sharing scheme (n>k) is done by creating n shares from the data, such that only by having at least k shares, the data can be decrypted, and any subset of less than k shares cannot be used to decrypt the data. The present invention proposes using a secret sharing scheme (such as Shamir : "How to share a secret", ACM 22 (11), 1979) as a communication infrastructure for indefinitely securing data in transit.
According to the proposed scheme, the source creates n shares from the data and sends them over a data network to the destination through several tunnels, such that no node (router) along a tunnel intercepts k or more shares. This way, only the destination that gets all the shares can decrypt the data, resulting in a private channel between the source and the destination. When n > k, n-k shares can get lost, due to congestion or even by malicious routers. The secret-sharing scheme can be implemented in several communication layers for example, in the Transport Layer, where onry the payload of each packet is shared or at the Network Layer, where also the Transport layer headers are shared. This data network can be either unmanaged, such as the current IP network with normal routing or managed (e.g., SDN).
If there are no different routes between the two edges, encapsulation is used (i.e., a special header which forces the packets of the shares to pass via predetermined nodes) to create tunnels. These tunnels are created in different directions on the path from the source to the destination, such that no router intercepts k or more shares.
The appliance/virtual-appliance required for implementing the proposed data separation scheme can easily be integrated into any enterprise environment and is compatible with any communication and/or security infrastructures. The appliance/virtual-appliance is installed inside the enterprise, before the data traffic leaves or enters the enterprise. In order to have multiple paths between the edges, the appliance (or another routing device after it and inside the enterprise) must have at least two interfaces, or routes to another entity along the path with at least two interfaces, to form at least two separate routes between each pair of sites. In any case, there is no effect on current traffic and configuration and the sharing process is transparent to the routers across the paths.
The specific deployment locations of the appliance may vary, depending on several constraints. On the sender side, typically the earliest point where the secret sharing process can be implemented is after the implementation of the upper layer in the networking stack.
The appliance may be installed before or after the existing VPN. By installing it after the VPN on the sender side, it means that the VPN encrypted data is split into shares and reconstructed on the receiver side before sending it to the VPN. Switching locations is also supported, i.e., any share of the appliance/virtual- appliance passes to the VPN to be encrypted.
Example l: unmanaged network
If the data network is unmanaged (like in most cases), the separation between tunnels can be made by encapsulation of the shares' packets according to a routing scheme that creates at least partially independent routing paths from source to destination, along which no node (router) along a tunnel intercepts k or more shares. This is done by changing the headers of each share -carrying packet to a modified header and deploying a plurality of Points of Presence (PoPs— e.g., servers) in different locations (e.g., countries) over the network, and forcing the shares' carrying packets to pass through selected PoPs (which are nodes, as well). Each packet may be forced to pass a possible different subset of selected PoPs. Alternatively or in addition, it is possible to use public clouds that are anyway deployed over the network, as PoPs, by embedding a dedicated agent into many of them. The share carrying packets will be sent from the source to the destination, such that the modified header will determine the next intermediate destination which will be the PoP or cloud agent that has been selected while creating each modified header. Each agent will be able to receive an encapsulated packet (with the modified header), read its destination, encapsulate it by replacing its header with another modified header which corresponds to the next intermediate destination (the next PoP or cloud agent) and send it over the data network to that next intermediate. The modified header may be a part of the payload. This process is repeated until the last PoP or cloud agent sends the packet to the original destination. This way, shares of encrypted data are routed in a controllable manner, thereby creating the required tunnels that force sufficient separation between segments of each path. In any case, each dedicated agent determines only a segment until the next intermediate destination along the path from source to destination.
This routing scheme is superior over the prior art solutions since unlike prior art, it does not require totally independent paths from source to destination. Using encapsulation and PoPs or cloud agents as routing nodes, it is possible to route share carrying packets via many segments, resulting from additional splitting of the paths between intermediate destinations. For example, if n=6 and k=4, it is possible to send 3 packets via one segment and 3 via another segment. It is possible that later some of the first group of 3 packets and the second group will traverse the same node as long as their total number is smaller than 4. Thus, no particular share has an independent path, but still the secrecy is preserved. Also, if one of the nodes of the segments is congested or inactive, it is possible to split the packet delivery to 3 segments, each of which carries 2 packets.
There are cases in which the network in unmanaged but there are more than one VLANs between the source and the destination. In such a case, assuming these VLANs use different routers, it is possible to use the existing VLANs as several paths between the source and the destination.
If the data network is unmanaged but has a known topology, say by network management tools, it is possible to test the flow offline or online at the sender side, in order to obtain the distribution of data through different nodes and deploy/redeploy the dedicated agents (and thereby to determine the PoPs or cloud agent) accordingly, to create the optimal routing paths.
If the data network is unmanaged and has an unknown topology, it is possible to use traceroute (a utilit}^ that records the route through the Internet between a source computer and a specified destination computer), or similar tools such as TraceMAC (traceroute for MAC acldresses)/Batctl (B.A.T.M.A.N. advanced control and management tool), HP OpenView (a Hewlett Packard product family that consisted of network and systems management products) or the Free Network Automatic Testing System (FreeNATS - is an open source network monitoring software application) in order to obtain the expected distribution of data through different nodes and verify, before sending the share carrying packets, such that no node (router) along a path intercepts k or more shares, regardless the nodes from which they arrive.
According to another embodiment, it is possible to perform dynamic allocation of nodes (dedicated agents or PoPs), through which the share carrying packets will pass, in order to obtain sufficient data separation. For example, 10 agents or PoPs may be deployed at different locations and the initial routing scheme resulting from using traceroute indicated that 6 agents (out of 10) were selected to establish several routing paths with sufficient separation. Then, after sending the shares according to the initial routing scheme (via the initially selected nodes), it is possible to periodically use traceroute to verify if there are unexpected problems (e.g., congestion, delay or temporary inactive router) at one or more nodes along each routing paths. If no problematic node is detected, packets will be sent according to the initial routing scheme. On the other hand, whenever a problematic node is detected, a modified routing scheme will be created dynamically using some other nodes that will be allocated to bypass the problematic node, using another combination of 6 agents or more (out of 10), and packets will be sent according to the modified routing scheme. This process is repeated, until all packets arrive to their destination. This solution may also improve performance, since the router at each node has predetermined routing priority (according to the source or destination of the packet). Therefore, if the share cari ing packets are forced to pass via intermediate nodes, some of these intermediate nodes may have improved routing priority. As a result, a proper selection of the intermediate nodes can improve the time it takes the packets to reach their destination. In addition, dynamic path selection may be used to avoid tracing the communication pattern, e.g., packet timing pattern, by sniffers that sniff a subset of the paths.
According to a further embodiment, in case the data network uses an IPv6 protocol (Internet Protocol version 6, in which IP addresses are 128 bits long) it is possible to use the inherent additional header of IPv6 for creating tunnels between IPv6 nodes, where data between nodes can be sent over IPv4 protocol links (Internet Protocol version 4, in which IP addresses are 32 bits long). This tunneling implementation save the overhead involved while performing encapsulation via adding a modified header to the payload.
According to an additional embodiment, when it is required to hide the IP address of the destination of the forwarded data shares, the proposed data sharing scheme may be used to encrypt the destination IP address, along with the payload data. This is done by creating n shares from the IP address of the destination (i.e., the header data) and sending these shares via several different paths between pairs of neighboring intermediate nodes, using the proposed data sharing scheme, such that the header data can be decrypted at each intermediate nodes only by having at least k shares, and any subset of less than k shares cannot be used to decrypt the header data. This way, each intermediate node will collect the shares of the destination, reconstruct the IP address of the destination and add the header to the next intermediate node, until the destination is reached. This additional splitting of the destination IP address (which is essentially similar to tunneling between source and destination) will be made preferably in path segments with higher probability for coalitions of eavesdroppers reducing the possible identification of related packets, and hiding the vicinity of the source/destination from eavesdroppers, which contains much information. Splitting accompanied by secret sharing must be done while preserving the hierarchy according to which each share has been re-split, such that all re-split shares that are collected by an intermediate node will be of the same level (to avoid collision between shares resulting from unequal numbers of re-splitting, which will require more effort to be combined). Each intermediate node can transmit data regarding the splitting level in the hierarchy, to the next intermediate node.
In a similar way, the proposed data sharing scheme may be used to encrypt the source IP address, along with the payload data. This is done by creating n shares from the IP address of the source and sending these shares as part of the payload of the secret shared packet, using the proposed data sharing scheme, such that the real source IP (which is secret shared as part of the payload by the source) will be revealed only by the destination. In this case, the first (or any/every) intermediate node along the path sets itself as the source, in order to forward the shares to the next intermediate node.
The proposed data sharing scheme can be enhanced by creating secret shared packets of different length by padding the after secret shared packets with random string of varying lengths, to avoid correlation of packets by a coalition of eavesdroppers. Also, delaying some of the secret shared packets to avoid time correlation, and even sending some corrupted secret shared packets that can be discarded by the destination that receives enough secret shares but can full the coalition of eavesdroppers.
According to another embodiment, the proposed data sharing scheme may be used to encrypt data packets with restricted latency and deadlines (such as of voice or video packets) that can be influenced and can be more sensitive to synchronization issues that maybe yielded from multiple splitting to secret shares (at the sender) and gathering (at the receiver).. In this case, a one-time-pad (being a random bit string) is created in the background at the sender side and is then securely sent to the destination over several paths (using the proposed secret sharing scheme). As a result, only the destination can reconstruct this one-time- pad, in order to be later used to decrypt the received (latency sensitive payload) data that will be sent using (bitwise, bit by bit, XOR, with) the common established one-time-pad. Once the destination has the one-time-pad, the sender performs a bitwise (bit by bit) XOR operation between the payload data and the random bit string (to obtain encryption of the payload data) and sends the resulting bits of encrypted payload data over a single channel (just as it was originally transmitted, with no splitting). Then, the payload data, encrj'pted by the shared produced one-time-pad, is sent over a single path to the destination, with no additional latency problems. This technique can be used for securely sending movies as well, since no extra latency or reliability problems are introduced, while sending the data from side to side over a single path. The shared one time pad can be also regarded as a shared key when one wants to turn to using computational based schemes.
Example 2- managed network
In another embodiment, the method proposed by the present invention suggests using secret sharing in combination with a managed network, such as an SDN, to enable the secret sharing scheme to be managed by the SDN controller. The general idea of the proposed solution is to use SDN to enable the creation of several tunnels between each pair of datacenters that intercommunicate. The source uses a secret sharing technique to encrypt its data and create n shares. In order to reconstruct the data, the destination must have at least k shares out of the n shares that were sent by the sender. The present invention proposes a method for creating these tunnels with the constraint that only less than k shares of the same information can reach a single router. This way, a private and secure interconnection between the datacenters is obtained. In order to ensure this privacy, n_k secret sharing is used to encrypt the data. The source creates n shares of its data and sends them to the network. The SDN controller manages the paths such that no k or more shares pass the same router. This way, the interconnection between the datacenters is information theoretically secured, i.e. unless two or more routers share their data, the encrypted data can never be revealed.
According to the proposed scheme, the problem of finding these paths can be reduced to the maximum flow problem by expanding the original graph. By having a centralized controller or network management tools at the sender, it is possible to compute the flow on the network and determine a bound on the ratio n/k, which is the number of unique paths that are required to apply the n-k secret sharing scheme on the network. Once the flow and the values of n and k are obtained, the sender creates n shares of each packet such that each flow is expanded to n flows where the flow ID is the flow data along with the share index. This way, the controller, which gets the first packet of each flow (corresponding to the new definition of flow), routes the shares to the corresponding paths and the private channel between the datacenters/endpoints is established.
The SDN controller defines the route of each flow that occurs in the data plane. The controller calculates a rotite for each flow, and adds an entry for that flow in each of the routers along the path. With all complex functions subsumed by the controller, routers simply manage flow tables whose entries can be populated only by the controller. Communication between the controller and the routers uses a standardized protocol and API. Most commonly, this interface is the OpenFlow specification ("OpenFlow^ Enabling innovation in campus networks", SIGCOMM Comput. Commun. Rev., 38(2):69-74, March 2008). In an SDN architecture, each router forwards the first packet of a flow to the SDN controller, thereby enabling the controller to decide whether the flow should be added to the router flow table. When a packet of a known flow is encountered, the router forwards it out the appropriate port based on the flow table. The flow table may include some additional information dictated by the controller. With the decoupling of the control and data planes, SDN enables applications and services to deal with a single abstracted network device without concern for the details of how the device operates. Network services see a single API to the controller. Thus, it is possible to quickly create and deploy new applications to coordinate network traffic flow to meet specific enterprise requirements for performance or security.
After creating the n shares, the sender adds an index i, 1 < i < n to each share, this index becomes a part of the flow id and thus for each original flow, the controller handles n "first" packets of these n initiated flows. Furthermore, each router may have more than one entry but up to k - 1 entries for each flow, where k is the threshold of the secret sharing scheme. This index can be added either by adding this field into the matching fields structure in the SDN controller platform which causes a change also at the routers, or to use vendor extensions which allow different kinds of matching. By creating the paths based on the maximum flow algorithm, it is possible to program the controller to route the shares such that no router intercepts k or more shares. In the current example, if vi,i in Fig. 2b gets the first 4 shares then the forwarding table of vs,2 may contain the entries at Table I.
TABLE I: Forwarding Table of V5,2.
Figure imgf000024_0001
There is no limit on the number of packets that go through a single router as long as it does not see k or more packets of the same flow.
A secret-sharing scheme is a method by which a dealer distributes n shares to parties such that only authorized subsets of at least k parties can reconstruct the secret. In this case, when one datacenter intends to communicate with another datacenter, it creates n shares of its message and distributes these shares over the network. The SDN controller routes these shares to the target datacenter in a way that no router on the way intercepts k or more shares. This way, a private channel between the datacenters is established. In this case, k can be equal to n if it is assumed that the channels are reliable and nodes do not omit or corrupt shares. Since only k shares are needed no reconstruct the secret, when n > k, approach similar to forward erasure correcting or error correcting, such as the Berlekamp Welch technique (presented in USP 4,633,470 where n is greater than k+2e to withstand e corruptions), can be used to overcome erasures and even corruptions of at most n - k shares. Example 3: data separation using main and backup channels
Almost any enterprise has a main channel and a backup channel to exchange data, these two channels are totally independent and separated (otherwise the backup channel will not be able to be a real replacement in case the main channel fails). In this case, since there is no mutual segment along each path from source to destination, no node intercepts k or more shares.
Data Separation Problem
The problem of data separation between tunnels is examined as graph theory problem. A graph G = (V, E) is given, with a source node s (which has only outgoing flow) and a sink node t (which has only incoming flow). Each node v e V has a determined non-negative capacity Cv. The goal is to push as much flow as possible from s to t in the graph. Each path ; has a flow fpi , the rule is that the sum of the flows of all paths that each node intercepts cannot exceed its capacity, formally, for each node v,
∑Pi I vEpifpi < Cv.
Reduction to the Maximum Flow Problem
The problem can be reduced to the known maximum network flow problem where each edge e in E has an associated non-negative capacity Ce, where for all non- edges it is implicitly assumed that the capacity is 0. In this problem, the goal is to push as much flow as possible from s to t in G, such that no edge can have flow exceeding its capacity, and for any vertex except s and t, the flow into the vertex must be equal to the flow out from the vertex.
The original graph, G, does not have to be directed. In order to reduce the problem to the maximum flow problem, each vertex v in G is expanded to a directed edge (v1 ; v2). The expansion process is presented at Algorithm l: Algorithm l: The expansion process
Input : G = (V, E), s, t, k— 1
for all u E V \ u j= $. t do
V = V ¥{u}
V = V u {t4i i }
E = E u {(ΜΙ , ΜΖ)}
Figure imgf000026_0001
for all e = (s, v)€ E do
E = E ¥{e}
E = E {(s, v] )}
C(srvi) = k— 1
for ail e = (u. t ) e E do
E = E ¥{e}
E = E v {(u2, t)} for all e = (u, v) e E | j
E = E ¥{e}
E = E {(u2, )}
Figure imgf000026_0002
Fig. 2a illustrates an original undirected graph G. Fig. 2b illustrates its corresponding expanded graph. The input of the algorithm is the original undirected graph G, the source s and sink t and the threshold k of the secret sharing scheme. At the first step, a directed edge G?£1 , vl2) is added for each vertex v in G (except for s and t), for example, (νι,ι, νχ, ) in Fig. 2b. The capacity of this new edge is the capacity Cv; of the vertex vj. Then each edge (s, Vj) from the source is replaced by the directed edge (s, Vj , i) i.e., edges (s, v1 ? i) and (s, v2 , i) in v5,2,). Each edge directed to the sink (vj, t) is replaced by (vj,2, t), i.e., (v5,2, t) and (v6,z, t) in Fig. 2b, respectively. Then in case G is undirected, for each other edge (vj, Vj) in G, two directed edges, (vi,2, Vj,i) and (vj,2, Vi,i) are added, for example, (vi,2, V2,i) and ( 2,2, via). In order to eliminate the possibility that edge sniffers will reveal the secret, the capacity of these edges is set to be k - 1.
Since the capacity of the nodes in the original graph also represents k - 1 edges, all the capacities of all edges are equal. If I V | is the number of vertices and | E | is the number of edges in G, the resulted directed graph, Gt is a graph with ( I V I— 2) x 2 + 2 vertices and up to ( | E | - 2) x 2 + 2 edges. The expanded graph Gt is directed to force the paths to include the edges of the expanded vertexes but the input graph can be either directed or undirected. In case of a directed graph, a directed edge (vi, V2) is still added for each vertex v, but for each other directed edge (vi, Vj ), only the edge (vi,2, Vj, i) is added (and not (vj,2, vi, i) as was done for an undirected G).
Firstly, the maximum flow problem will be defined. One of the most efficient solutions for that problem has been proposed by "Dinitz' Algorithm · The Original Version and Even's Version", (Theoretical computer science", pages 218—240, Sp ringer- Verlag, Berlin, Heidelberg, 2006). Dinitz's algorithm was selected since it is strongly polynomial. The algorithm uses shortest augmenting paths and its complexity is 0(V2E), under a common assumption is that there are more links than routers. Alternatively, any of the plurality of known maximum flow algorithms can be used, as well.
If G = (V, E) be a network with s, t ε V being the source and the sink of G, respectively. The capacity of an edge is a mapping c'-E→ R+, denoted by c(u, v). It represents the maximum amount of flow that can pass through an edge.
A flow is a mapping f · E→ R+ , denoted by f (u, v), subject to the following two constraints ·
) f (u, v) < c(u, v), for each (u, v) ε E (capacity constraint: the flow of an edge cannot exceed its capacity).
) ∑u:(u,v)eE f (u, v) =∑u:(v,u)eE f (v, u), for each v eV \ {s, t} (conservation of flows: the sum of the flows entering a node must equal the sum of the flows exiting a node, except for the source and the sink nodes).
The value of flow is defined by | f | =∑v:(s,v)eE f (s, v), where s is the source of G. It represents the amount of flow passing from the source to the sink. The maximum flow problem is to maximize I f I , that is, to route as much flow as possible from s to t.
Dinitz uses few definitions in his solution. The first is the residual capacity, which is computed as Cf (u, v) = c(u, v) - f(u, v) and Cf (v, u)= f (u, v) for each (u, v) e E; The residual graph is the graph Gf = ((V, E f ), cf I Ef , s, t), where Ef = {(u, v) ε V xV : cf (u, v) > 0}. The level graph id defined by GL = (V, EL, cf I EL , s, t), where EL = {(u, v) e Ef : dist(v) = dist(u)+ l}. The last definition is dist(v), which is the length of the shortest path from s to v in Gf . By using these definitions, Dinitz shows that the maximum flow problem can be solved in Θ(ν2Ε). Dinitz approach is used to create the flow. This resulting flow defines the paths over which the shares will be sent.
The maximum flow problem is related to the minimum-cut problem. The problem of s-t minimum cut in a flow network is finding the minimum number of edges in the cut-set that creates a cut where the source and the sink are in different subsets. The cut-set only consists of edges going from the source's side to the sink's side. In other words, if the edges in the cut-set are removed, then flow form the source to the sink is completely cut off. The cut- set value is the sum of the flow capacities in the source- to-sink direction over all of the edges in the cut-set. The minimum cut problem is to find the cut-set that has the minimum cut value over all possible cuts in the network. For any network, having a single source and a single sink, the maximum possible flow from source to sink is equal to the minimum cut value for all cuts in the network. The proof stems from the fact that the maximum flow through a series of linked pipes equals the maximum flow in the smallest pipe in the series, i.e., the flow is limited by the bottleneck pipe.
Fig. 3a illustrates an original directed graph G of a flow example. In order to determine the minimum value of k, the s_t minimum cut is calculated on the expanded graph. If the minimum cut-set contains t edges, then n/k has to be less than t. As seen, the cut-set in this example consists of two edges, (v4,i, v4,2) and (v5,i , V5,2). This implies that in this graph, n/2 must be lower than k. In this example, n = 10 and k = 7 were choose, i.e., each router can see at most 6 shares and therefore this is the capacity on the (ul, u2) edges. Fig. 3b illustrates the resulting flow and the paths of the different shares on its corresponding expanded graph.
The method proposed by the present invention considers the network overhead, as well. Each packet that is sent between the source and the destination is split into n shares. Assuming that each share is sent within a packet, n packets are sent for a single packet of data.
If m packets of data should be sent from the source to the destination, n x m packets are sent. This might be considered impractical and a high volume of data is sent in the network in general and in particular between the two nodes. Therefore, if this is the case, the proposed scheme can be used for exchanging keys for the use of standard VPNs. This way, the privacy of the keys is information theoretically secured and man-in-the-middle attacks are eliminated.
By using the (n, k) secret sharing scheme, it is possible evaluate a polynomial of degree k - 1 at n points. This polynomial can be expressed as multiple linear operations and it requires O(n) multiplications. In order to recover the packet, the destination uses Lagrange interpolation polynomial with complexity of 0(k2).
The controller operates maximum once for each flow to construct the maximum flow algorithm on the network topology. In practice, it will compute the algorithm only a few times for each couple of source and destination since the network is typically undergo only limited and infrequent dynamic changes. The computational complexity of the controller depends on the network size and it is 0(V2E). In the realistic case where several controllers manage the network where each controller has its own part of the network, this computation can be done in parallel, thus V and E are nodes and edges at each part of the network.
The basic assumptions are that the nodes in the paths do not share their data and that the network is reliably managed by the controller, i.e., the controller can be trusted. If this is not the case, either by a malicious controller or by an adversary that controls the controller, the controller can simply forward all shares to a single router to reveal the secret. In addition to the controller, it is also assumed that, the routers (the nodes in the graph notations) behave according to the controller routes. If there is a coalition of two or more nodes, the current solution might fail. Assume that, with probability p, nodes v4 and v5 in Fig. 3a share their data, in that case, they should be considered as one node and therefore the cut-set of the corresponding expanded graph contains only one edge, hence, there is no solution for any n or k. Thus, the probability that there is no solution for private channel is p. On the other hand, if, with probability p, nodes v2 and v3 share their data, then after merging these two nodes, the cut-set contains two edges, which implies that there are two paths from the source to the sink, i.e., the n shares are now sent through two paths.
In the general case, if before merging two nodes in a coalition, the cut-set contains 1 edges, first the number of possibilities to distribute the n shares over the 1 paths with the constraint that each edge in the cut-set intercepts at most k - 1 shares should be calculated. This set of possibilities is called Λ. This is equivalent to distributing n balls in £ cells such that no cell contains more than k - 1 balls, or by rephrasing, all the possibilities to distribute n balls to the 1 cells minus the possibilities that any of the cells contains k or more balls. The number of possibilities in Λ is:
Figure imgf000031_0001
For simplicity, it is assumed that there are no cases in which two or more cells contain k - 1 balls, i.e., n < 2k - 2; this assumption is reasonable since at the end of this analysis, in order to maximize the probability for a private interconnection, the best value for k is n and certainly k > n/2 + 1. Out of the possibilities in Λ, those that fulfill the constraint that the merged nodes see at most k - 1 shares, or with the balls notations, the sum of balls in the two merged cells is less than or equal to k— 1 should be found. If it is the sum of balls in the merged cells, then there are 1 - 2 more cells that each of which can contain up to k - 1 balls, thus, the lower bound tib of t is
Max{n - (£ - 2)(k - l), 0}, (2)
For each possible value of t, the number of possibilities of distributing t balls in the two merged cells times the number of possibilities to distribute the other n - t balls in the other £ - 2 cells must be calculated. Formally
(3)
Figure imgf000031_0002
Therefore the probability for a private interconnect in the general case is given by:
Figure imgf000031_0003
(4) By choosing n = k and large n, this probability tends to 1. For example, if n = k = 10 and 1 = 3, then tu> = 1 and the probability to get a private interconnection is give by:
Figure imgf000032_0001
p x ~ ~ 63 + (i - p) =
p x 54/66 + (1 - p) =
l - 0.182p
For n = k = 20, the probability becomes 1 - 0.0833p. If the sender knows about the possibility of a specific coalition and the probability to find a flow given that coalition is positive, it can first merge the nodes of the coalition and then find a flow that fulfills the sharing scheme constraints. The above analysis was done for a single coalition of two nodes, in case there are more nodes in the coalition or another coalition, the same process can be done recursively.
At mentioned above, the time computation of the secret sharing scheme depends on n and k. Therefore, when there is full trust on the routers, n and k should be relatively low. In order to increase the probability of a private channel, in case there is some positive probability for a coalition in the network, the source may choose larger n and k, even in the price of compromising the algorithm efficiency.
Implementation on OSI layers
According to another embodiment, the proposed secret sharing scheme may be implemented on different layers of the Open Systems Interconnection (OSI) model. This allows a system to communicate over different communication layer that perfectly secure the data in transit over a communication link.
Implementation on the Application Layer (which handles the communication with the user):
In this implementation, the data to be shared are the application layer packets, before splitting the data into packets. The proposed secret sharing process on the source receives the data before it gets into the networking stack implementation. At the first step, the process applies the secret- sharing algorithm on the entire data. At the next step, it establishes a connection for each route and sends the shares on the different sockets (endpoints in a communication flow). In this case, the process can use either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP- a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol), depending on the required service. The receiver should maintain several sockets to get different shares, this time after the networking stack is done with the packets. The process reconstructs the original data at the application.
When the packets traverse the network, there is no way to identify that the payload contains split data. This process is transparent to the Data Link layer, the Network layer and the Transport layer implementation on both the sender and the receiver sides.
Implementation on the Transport Layer (which handles the data exchange between parties and reliability):
In this implementation, the data to be shared is only the payload, while keeping the headers of the Transport layer public. First, the process on the source gets the packet before it leaves. Then, it applies the secret- sharing algorithm on the payload, while creating n packets with the same headers of all layers (Data Link layer, the Network layer and the Transport layer). Since the routers on the way of the packets traversing the network do not process the payload at any time, the proposed secret sharing process is transparent to them.
The proposed secret sharing process on the destination gets the packets when they enter the local network (before they reach the destination on the Transport Layer implementation), first the secret sharing process buffers k out of n shares and applies the secret- sharing algorithm, to reconstruct the original data. Then the secret sharing process adds the headers of the Transport Layer and sends a single packet (out of the k shares) to the Transport Layer implementation of the destination. This secret sharing process is also transparent to the Transport layer implementation on both the sender and the receiver sides. The implementation on the Transport Layer does not interfere with any device that inspects the packet headers at all levels, such as a firewall or a conventional VPN. In case where a device such as an Intrusion Detection System (IDS) is part of the route (that examines the packet payload), the IDS should be located before splitting into shares on the sender side and after it, on the receiver side (again, in the same place where a VPN is located).
Implementation on the Network Layer (which handles routing and data transfer between sides):
In this implementation, the data to be shared is the packets of the Transport Layer, i.e., the payload and the headers of the Transport Layer, while keeping the headers of the Network Layer public. The proposed secret sharing process on the source gets the packet before it leaves, and applies the secret-sharing algorithm on the payload and the headers of the Transport Layer. The process creates n packets with the same headers of Data Link and the Network Layers.
When the packets traverse the network, since the routers on the way do not process the headers of the Transport Layer, the process is transparent to them. The process on the destination gets the packets when they enter the local network (again, before they reach the destination in the Transport Layer implementation). It buffers k out of n shares and applies the secret -sharing algorithm, to construct the original data. Here, the data already contains the headers of the Transport Layer. Then it sends a single packet (out of the k shares) to the Transport Layer implementation of the destination. The proposed secret sharing process is also transparent to the Transport Layer implementation, both at the sender and the receiver sides.
The implementation on the Network Layer is made right after the OS finishes the implementation of the Network layer and on the transport layer, and also interferes devices that inspect the headers of the transport layer, such as a firewall. In this case, the splitting process should be after the firewall or it should bypass the firewall, exactly as it happens today when a VPN and a firewall listen to the same port.
Implementation on the Data Link layer (which handles point to point data transfer in spite of noise and distortions):
In this implementation, the data to be shared is the Network Layer's packets, i.e., the payload and the headers of the Network Layer and Transport Layer, while keeping the headers of the Data Link layer public.
There are two architectures to implement the proposed secret sharing process on the Data Link laye · The first architecture is on the LAN, and the other is on a Virtual LAN (VLAN).
When implemented on the LAN, the network should be in a graph structure, rather than tree structure, namely, there are two or more paths for connecting between host A and host B. In order to find the multiple paths, it is possible to execute the proposed flow algorithm in the LAN. Then, after splitting the data, the source sends the shares through more than one switch to the destination.
When implemented on a VLAN, there is a protocol that encapsulates the headers of the Network Layer, for example Multiprotocol Label Switching (MPLS- a mechanism that directs data from one network node to the next node, based on short path labels rather than long network addresses). The routing in the VLAN is done through several switches by the Data Link layer protocol (sometimes is considered as layer 2.5). This protocol creates tunnels in the Network Layer, so using the Network Layer, the source and destination in the VLAN are in the same LAN. The proposed secret sharing process can be applied by creating multiple tunnels between the source and the destination.
Implementation on the Physical Layer (which handles signal transmission, voltages and connections)
In this implementation, the data to be shared is the Data Link packets, i.e., the payload and the headers of the Data Link Layer, Network Layer and Transport Layer, while keeping all headers private. This can be done by separating the physical bandwidth, for example, by splitting light waves and sending the shares at the different waves.
In additionally to the above constraints, it is possible to implement the proposed secret sharing process anywhere at the source and the destination with the following additional limitations :
At the sender side, for each level, the earliest point where the process can be implemented is after the implementation of the above layer in the networking stack. For example, the Network Layer implementation can be implemented right after the OS completes the implementation of the transmission layer in the networking stack. In any case, it can be right before the packet leaves the network. With the same constraints for the receiver, it can be the first step when the packets enter the network or just before the above layer implementation, in the above example, it should be right before the implementation of the transmission layer in the networking stack.
In case there are devices such as VPN, Intrusion Detection System (IDS - a device or application that analyzes whole packets, both header and payload, looking for known events) or a firewall, the Application Layer and Transport Layer layers implementation does not interfere any device that examines the packet headers at all levels such as firewall or VPN. In case a device such as IDS (that examines the packet's payload) is on the way, the IDS should be before the split into shares at the sender side and after it, at the receiver side (again, at the same place where a VPN is located).
The Physical layer, Data Link layer and Network Layer implementation includes also devices that examine Transport Layer and Network Layer headers, such as a firewall. In this case, the splitting process should be after the firewall or it should bypass the firewall, exactly as happens today when the VPN and the firewall are installed on the same port.
According to another embodiment, it is possible to employ the proposed secret sharing scheme, or a random string sharing scheme, to perform identification between a client and a server, without the need to use a key that is certified by a third party. Today, identification (to authenticate two parties) is done by having a public key certified by a Certification Authority (CA). Each entity has two keys, a public key and a private key. The public key is used to decrypt data by the other party and the private key is used to decrypt it. For authentication purposes, data that was encrypted by a private key, can be decrypted by a public key. The conventional process for obtaining a certification from a CA on a public key is illustrated in Fig. 1. At the first step, the CA 10 receives from one party a public key 11 along with the party's identifying data 12. The CA 10 signs the public key 11 using its private key 13 and issues a certificate 14 for that public key 11. The browser or the other party already possesses the public key of the CA and consequently can verify the signature, trust the certificate and the public key in it. Since the first partj^ uses a public key that the CA certifies, a fake first party can only use the same public key. Since the fake first party does not know the corresponding private key, it cannot create the signature needed to verify its authenticity.
For example, if a server requires that a client will send some private data (e.g., a password), it needs to authenticate itself to the client. Normally, the server does that by using a service of one of the CAs (such as Verisign, Reston, Virginia, U.S.A.). The CA identifies the server and uses its private key to sign the server's identification and public key. By having the public key certified by a CA, the server is authenticated to the client. The client uses the public key of the CA to reveal the server public key. There are two main problems with this authentication process, one is the need to trust a CA and the other is the strength of the encryption. Today, anyone (benign or possibly malicious entity) can establish a CA and in practice, this is the situation in many cases. The browser does alert the client if it gets a certification from unknown CA but the typical client would simply press the "OK" button to continue. This is a major vulnerability that can be solved using the proposed secret sharing scheme. Furthermore, in many cases the strength of the identification depends on some password that the client chooses. As was proven many times, in many of the cases, these passwords are easy to guess.
By using the secret sharing scheme proposed by the present invention, such a guessing will become much harder. The new identification process proposed by the present invention does not require using any certificates or certificate authorities. Instead, it creates several separated channels (tunnels) between communicating parties, along with some of the public information of entities in the Internet. In addition, in order to identify using the secret sharing scheme of the present invention, a user must have at least two (logical or preferably also actual) networking paths (and/or applications) where the user can get data in, for example, email, Facebook, Linkedln, SMS, etc. (this collection is sometimes called a "public trust", where publicly available identity information is used for authentication, as a redundancy for a trusted authority). The main idea of the new identification process is that one side sends some data through these (at least logically) separated channels to the other side and by having all (or some threshold of) the pieces of the data, the other side can construct the data, find the details on the entity that proposes the connection and verify it.
The new identification process proposed by the present invention can have one side authentication or both sides authentication.
One Side Authentication
If it is only required to authenticate a server to a client, the one side authentication process will include the following steps (which are illustrated in Fig. 5a):
At the first step, the client takes the following actions to send some message or/and nonce (a random number generated for a specific use, such as session authentication) together with own identification information via multiple channels to the server according to the listing of the server in several (self-verifiable) public directories (e.g., a phone directory, email, Facebook, Twitter Linkedln searches, government agencies, newspaper, IP address, etc.). A self-verifiable public directory is a public directory which essentially can withstand identity-theft attempts. Each entity in a self-verifiable public directory can verify its own details, so as to make sure that the data representing these details is up-to-date and has not corrupted by a 3rd party. Otherwise, the self-verifiable public directory will notify the public directory's moderator that the data is not up-to-date. The data is secret shared by the client. Next step the client received the server's data from the addresses mentioned in public directory and sends the shares over different separated channels, such that each channel gets a share of the data and only by having all (or a threshold of the) shares, the data can be reconstructed. The data may include all the found listing information so that the server may identify its own wrong listing in some of the directories, as a result of non-updated listing or phishing. At the next step, the server gets the required number of shares and reconstructs the client's nonce. At that step the server receives the message of the client, and the client has succeeded sending the message to the server in a secure fashion, in this "one-way authenticated" version the server does not send the identifier of the client over multiple channels.
Double Sides Authentication
If it is required that both sides will authenticate themselves, the client side will perform the steps described before (for one side authentication). In turn, the double side authentication process will further include the following steps (which are illustrated in Fig. 5b):
At the first step, the client sends its ID and some nonce (a number generated for a specific use, such as session authentication) via multiple public accounts of the server over multiple channels, such that each channel gets a share of the data and only by having all (or a threshold of the) shares, the data can be reconstructed. The data may include all the found listing information so that the server may identify its own wrong listing in some of the directories, as a result of non-updated listing or phishing. Again, each channel gets a share of the data, so that, only by having all (or a threshold of the) shares, the data can be reconstructed. The server creates shares from the nonce received, possibly augmenting the nonce with a new nonce, and its own ID information, searches the client data in the public directories and sends the shares over different channels. . At the next step, the client verifies the nonce and gets the server information. At the next step, the client sends an acknowledgement through the different channels to multiple addresses of the server along with the nonce (or with a combination, such as bitwise XOR of the two nonce, when the server replies with a new nonce) to the server. At the next step, the server finalizes the authentication by reconstructing the acknowledgement, and, in case also confidentiality is required, starts a session using multiple channels (using the agreed IP addresses that are part of the identification information), possibly using the nonce as a (first) common shared secret or a seed for creating sequence numbers for the shares. One/two/three way handshake procedures based on using public directories and secret shares sent by multi-path communication are essentially the core of the proposed authentication schemes.
It should be indicated that using a public trust may be sometimes vulnerable to phishing and identity stealing attempts. Such vulnerabilities may be overcome by using a self-authentication process, during which an entity (e.g., a bank) periodically performs self- searches of its own public contact details in all public directories (in the same way that other entities search these public directories), to ensure that there is no identity theft (by comparing the search results to its authentic public contact details). Once an identity detects a mismatch in a public directory (i.e., a stolen or fake identity), it issues an alert to that public directory to block access to it. The frequency of performing these self-searches is normally increased if the risk level increases.
The secret sharing scheme proposed by the present invention can overcome some levels of identity theft, by using error correction algorithms. In this case, even if an intruder cracked one of the public directories (e.g., Linkedln) and sends fake identity data, it will be still possible to reconstruct the nonce by using error correction algorithms, such as the Berlekamp Welch technique. This may be done by finding a polynomial in which one or more points (up to a threshold e) are incorrect, but is still revocable by the redundancy implied by n>k.
According to another embodiment, instead of using a secret sharing the proposed solution may use other data separation schemes. For example, it is possible to select a sequence of bits (a coding sequence) with the same length as of the data sequence and decode and encode the data sequence by performing a logic operation (such as XOR) between the two sequences. Then, the resulting (encoded) bit sequence and the coding sequence are sent to the destination via separate tunnels. This way, only the destination (which receives the full sequences will be able to decode the data sequence and reveal the data by performing another XOR operation. Such a solution also keeps the size of the sent packets the same as the original packet's size. According to another example, it is possible to encode the data sequence using Reed- Solomon code and send segments of the coded sequence via to the destination via separate tunnels. This way, only the destination (which receives the full sequences will be able to decode the data sequence and reveal the data by decoding it with the same Reed-Solomon code.
The solution proposed by the present invention may be used to protect selected systems in an enterprise, such as emails or other types of data, rather than protecting the entire data traffic that is sent from, or received by, the enterprise.
The above examples and description have of course been provided only for the purpose of illustration, and are not intended to limit the invention in any way. As will be appreciated by the skilled person, the invention can be carried out in a great variety of ways, employing more than one technique from those described above, all without exceeding the scope of the invention.

Claims

Claims
1. A method for establishing a fully private, information theoretically secure interconnection between a source and a destination over an unmanaged data network having at least a portion of a public infrastructure, comprising:
a) at said source, creating n shares of the source data according to a predetermined secret sharing scheme and sending said shares to said data network, while encrypting the sent data using (n,k) secret sharing;
b) deploying a plurality of intermediating nodes in different locations over said network, thereby creating a plurality of fully and/or partially independent paths in different directions on the path from said source to said destination, and with sufficient data separation; and
c) sending said shares over said plurality of fully and/or partially independent paths while forcing shares' carrying packets to pass through selected intermediate nodes, such that no router at any intermediating nodes intercepts k or more shares.
2. A method according to claim 1, wherein the intermediating nodes include one or more of the following:
- Points of Presence (PoPs);
- Computational clouds having a dedicated for forcing shares' carrying packets to pass through selected intermediate nodes, according to a desired routing scheme!
- Backup channels and paths.
3. A method according to claim 1, wherein the portion of the public infrastructure includes alternative paths supplied by the same/different network/Internet providers.
4. A method according to claim 1, wherein the_separation between tunnels belonging to fully and/or partially independent paths is made by encapsulation of the shares' packets according to a routing scheme that creates at least partially independent routing paths from source to destination, such that no node along a tunnel intercepts k or more shares.
5. A method according to claim 4, wherein during encapsulation, the headers of each share-carrying packet is changed to a modified header, for forcing the shares' carrying packets to pass through selected nodes.
6. A method according to claim 5, wherein each packet is forced to pass a possible different subset of selected nodes.
7. A method according to claim 1, further comprising using public clouds deployed over the network as nodes, by embedding a dedicated agent into a plurality of them, such that the modified header will determine the next intermediate destination which will be the node that has been elected while creating each modified header.
8. A method according to claim 7, wherein the modified header is a part of the payload.
9. A method according to claim 1, wherein whenever the data network has a known topology, the flow is tested offline, to obtain the distribution of data through different nodes and deploy the dedicated agents accordingly, to create the optimal routing paths.
10. A method according to claim 1, wherein whenever the data network has unknown topology a path/topology recovery tools are used to obtain the expected distribution of data through different nodes and verify, before sending the share carrying packets.
11. A method according to claim 10, wherein the path/topology recovery tools are selected from the group of HP-OpenView;
Freenats;
Traceroute;
TraceMAC;
Batctl.
12. A method according to claim 1, wherein sufficient data separation is obtained by dynamically allocating nodes, through which the share carrying packets will pass.
13. A method according to claim 1, wherein the inherent additional header of IPv6 is used for creating tunnels between IPv6 nodes, where data between nodes is sent over IPv4 protocol links.
14. A method according to claim 1, further comprising encrypting the destination IP address, along with the payload data, by-'
creating n shares from the IP address of the destination;
sending said shares via several different paths between pairs of neighboring intermediate nodes, such that the header data is decrypted at each intermediate nodes only by having at least k shares, and any subset of less than k shares cannot be used to decrypt the header data.
15. A method according to claim 1, further comprising creating secret shared packets of different length by padding the after secret shared packets with random string of varying lengths, to avoid correlation of packets by a coalition of eavesdroppers.
16. A method according to claim 1, further comprising delaying some of the secret shared packets to avoid time correlation.
17. A method according to claim 1, further comprising encrypting data packets with long payloads by 4δ
creating a one-time-pad in the background at the sender side;
sending the created a one-time-pad to the destination over several paths;
performing a bitwise XOR operation between the payload data and the bit string of said common one-time-pad; and
sending the resulting bits of encrypted payload data over possibly a single channel.
18. A method for establishing a fully private, information theoretically secure interconnection between a source and a destination over a managed data network having at least a portion of a public infrastructure, comprising:
a) at said source, creating n shares of the source data according to a predetermined secret sharing scheme and sending said shares to said data network, while encrypting the sent data using (n,k) secret sharing;
b) using a centralized network controller or network management tools at the sender for dynamically managing a pluralit}' of partially independent paths, over which said shares are routed from said source to said destination, such that the number of shares that pass the router at each node along each path does not exceed a threshold of k-1 shares,
wherein optimal paths are dynamically determined by said network controller/sender, according to said threshold and to the load/current- eavesdropping-coalition-risks on each router in said data network.
19. A method according to claim 15, wherein the problem of finding paths is reduced to the maximum flow problem by expanding the original graph representing the data network.
20. A method according to claim 15, wherein the network controller is a controller for managing an SDN.
21. A method according to claim 15, wherein the number of unique paths that are required to apply the (n,k) secret sharing scheme on the network, is varied by the controller in response to a coalition of two or more routers.
22. A method according to claim 16, wherein the original graph is directed or undirected.
23. A method according to claim 16, wherein the maximum flow problem is solved using the Dinitz's algorithm, or one of a plurality of other existing maximum flow algorithms.
24. A method according to claim 17, wherein whenever a coalition of routers is detected/suspected, the sender or the controller is adapted to merge the nodes of the coalition and to find a flow that fulfills the sharing scheme constraints.
25. A method according to claim 15, wherein the secret sharing scheme is implemented on the network's Application Layer by:
a) receiving the data before it gets into the networking stack;
b) applying secret-sharing on the entire data;
c) establishing a connection for each route and sending the shares on different sockets using TCP or UDP, depending on the required service.
26. A method according to claim 15, wherein the secret sharing scheme is implemented on the network's Transport Layer by:
a) at the source, applying secret-sharing only on the packet's payload, while keeping the headers of the Transport Layer public, while allowing some minor changes, like the length and the checksum; b) at the source, creating n packets with the same headers of all layers!
c) at the destination, buffering k out of n shares and applying the secret-sharing algorithm, to reconstruct the original data;
d) reconstructing the header of the Transport Layer and sends a single packet (out of the k shares) to the Transport Layer implementation of the destination.
27. A method according to claim 1, wherein the secret sharing scheme is implemented on the_Network Layer by:
a) at the source, applying secret -sharing on the payload and the headers of the Transport Layer, while keeping the headers of the Network Layer public, thereby creating n packets with the same headers of the Data Link and the Network Layers while allowing some minor changes, like length, checksum and CRC).
b) at the destination, buffering k out of n shares and applying secret -sharing algorithm to construct the original data;
c) sending a single packet (out of the k shares) to the Transport Layer implementation of the destination.
28. A method according to claim 1, wherein the secret sharing scheme is implemented on the Data Link layer by applying secret-sharing on the payload and the headers of the Network Layer and Transport Layer, while keeping the headers of the Data Link layer public on the LAN or on a Virtual LAN (VLAN), while allowing some minor changes, like length and CRC).
29. A method according to claim 1, wherein the secret sharing scheme is implemented on the Physical Layer by applying secret-sharing on the payload and the headers of the Data Link Layer, Network Layer and Transport Layer, while keeping all headers private.
30. A method according to claim 1, wherein the secret sharing scheme is implemented to perform one side identification between a client and a server, without the need to use a key that is certified by a third party, by:
a) allowing the client to send a nonce via multiple channels to the server according to the listing of the server in several self-verifiable public directories! b) applying secret-sharing by the client;
c) the client receives the server's data from the addresses mentioned in public directory and sends the shares over different separated channels, such that each channel gets a share of the data and only by having all shares or a threshold of the shares, the data can be reconstructed;
d) the server gets the required number of shares and reconstructs the sent data.
31. A method according to claim 1, wherein the secret sharing scheme is implemented to perform double side identification between a client and a server, without the need to use a key that is certified by a third party using one/two/three handshake protocols, by:
a) allowing the client to send its ID and a nonce, while each channel gets a share of the data, so that, only by having all or a threshold of the shares, the data can be reconstructed;
b) the server creates shares from the nonce, receives the client address data from the public directory and sends the shares over different channels;
c) the server sends its own information with the nonce it got from the client through multiple channels to the client, such that each channel gets only a share of the data!
d) the client verifies the nonce and gets the server information;
e) the client verifies the nonce and sends an acknowledgement through the different channels to multiple addresses of the server along with the nonce to the server;
f) the server finalizes the authentication by reconstructing the acknowledgement, and starts a session using one or more of the channels.
32. A method for establishing a fully private, information theoretically secure interconnection between a source and a destination over a managed data network having at least a portion of a public infrastructure, comprising:
a) at said source, creating n shares of the source data according to a predetermined secret sharing scheme and sending said shares to said data network, while encrypting the sent data using n-k secret sharing;
b) using a centralized network controller for dynamically managing a plurality of partially independent paths, over which said shares are routed from said source to said destination, such that the number of shares that pass the router at each node along each path does not exceed a threshold of k-1 shares, wherein optimal paths are dynamically determined by said network controller, according to said threshold and to the load on each router in said data network.
33. A method according to claim 1, wherein the secret sharing scheme is hierarchical secret sharing, where at least one secret share is further secret shared by an intermediate network component, and gathered by one of the next components or by the destination.
PCT/IL2015/050528 2014-05-20 2015-05-18 A method for establishing a secure private interconnection over a multipath network WO2015177789A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP15796374.5A EP3146668A4 (en) 2014-05-20 2015-05-18 A method for establishing a secure private interconnection over a multipath network
US15/311,911 US10356054B2 (en) 2014-05-20 2015-05-18 Method for establishing a secure private interconnection over a multipath network
CN201580039555.XA CN107078898A (en) 2014-05-20 2015-05-18 A kind of method that the private interconnection of safety is set up on multi-path network
US16/381,055 US11595359B2 (en) 2014-05-20 2019-04-11 Method for establishing a secure private interconnection over a multipath network

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201462000558P 2014-05-20 2014-05-20
US62/000,558 2014-05-20
US201462058678P 2014-10-02 2014-10-02
US62/058,678 2014-10-02

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US15/311,911 A-371-Of-International US10356054B2 (en) 2014-05-20 2015-05-18 Method for establishing a secure private interconnection over a multipath network
US16/381,055 Continuation US11595359B2 (en) 2014-05-20 2019-04-11 Method for establishing a secure private interconnection over a multipath network

Publications (2)

Publication Number Publication Date
WO2015177789A1 true WO2015177789A1 (en) 2015-11-26
WO2015177789A8 WO2015177789A8 (en) 2016-01-14

Family

ID=54553514

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2015/050528 WO2015177789A1 (en) 2014-05-20 2015-05-18 A method for establishing a secure private interconnection over a multipath network

Country Status (4)

Country Link
US (1) US11595359B2 (en)
EP (1) EP3146668A4 (en)
CN (1) CN107078898A (en)
WO (1) WO2015177789A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016135726A1 (en) * 2015-02-25 2016-09-01 Secret Double Octopus Ltd. Method and system for authenticating and preserving the integrity of communication, secured by secret sharing
WO2019072470A1 (en) 2017-10-10 2019-04-18 Commissariat A L'energie Atomique Et Aux Energies Alternatives Device and method for data transmission

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109087204B (en) * 2018-07-27 2023-04-14 杭州复杂美科技有限公司 Cross-chain transaction verification method, device and storage medium
CN109257360B (en) * 2018-10-08 2020-08-28 江苏大学 Hidden information sending and analyzing method based on transmission path in SDN network
WO2020085014A1 (en) * 2018-10-25 2020-04-30 ソニー株式会社 Communication device, communication method, and data structure
JP2021128261A (en) * 2020-02-14 2021-09-02 株式会社野村総合研究所 Device for multi-party calculation of secret dispersion base
US20220271933A1 (en) * 2021-02-19 2022-08-25 Samsung Electronics Co., Ltd. System and method for device to device secret backup and recovery
US20220303280A1 (en) * 2021-03-19 2022-09-22 Seagate Technology Llc Monitoring trust levels of nodes in a computer network
CN113411296B (en) * 2021-05-07 2022-08-26 上海纽盾科技股份有限公司 Situation awareness virtual link defense method, device and system
JP2023042903A (en) * 2021-09-15 2023-03-28 株式会社東芝 Communication apparatus, communication method and communication system
CN114079562B (en) * 2021-11-18 2023-11-24 北京京航计算通讯研究所 Software defined network data safety transmission method based on threshold secret sharing
CN114124799B (en) * 2021-11-18 2023-04-18 北京京航计算通讯研究所 Safe transmission system for dynamically adjusting forwarding path
GB2617168B (en) * 2022-03-31 2024-07-31 British Telecomm Data Transmission
CN117914935B (en) * 2024-03-05 2024-05-28 北京长亭科技有限公司 Concealed communication method and system based on rerouting technology

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000041357A1 (en) * 1999-01-08 2000-07-13 Nortel Networks Limited Exchanging a secret over an unreliable network
US20040025018A1 (en) * 2002-01-23 2004-02-05 Haas Zygmunt J. Secure end-to-end communication in mobile ad hoc networks
US20120163592A1 (en) * 2006-11-07 2012-06-28 Security First Corp. Systems and methods for distributing and securing data
US20130042105A1 (en) * 2009-11-25 2013-02-14 Security First Corp. Systems and methods for securing data in motion

Family Cites Families (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4633470A (en) 1983-09-27 1986-12-30 Cyclotomics, Inc. Error correction for algebraic block codes
EP1350188A2 (en) * 2000-12-14 2003-10-08 Appilog Logview Ltd. System for collecting, correlating, querying and viewing topology information
US20020085565A1 (en) * 2000-12-28 2002-07-04 Maple Optical Systems, Inc. Technique for time division multiplex forwarding of data streams
US6850515B2 (en) * 2001-01-30 2005-02-01 The Regents Of The University Of California Optical layer multicasting using a single sub-carrier header and a multicast switch with active header insertion via light circulation
US7068790B1 (en) * 2001-08-31 2006-06-27 Bbn Technologies Corp. Systems and methods for path set-up in a quantum key distribution network
US20030149869A1 (en) * 2002-02-01 2003-08-07 Paul Gleichauf Method and system for securely storing and trasmitting data by applying a one-time pad
CA2393547A1 (en) * 2002-07-15 2004-01-15 Hexago Inc. Method and apparatus for connecting ipv6 devices through an ipv4 network using a tunneling protocol
WO2006130725A2 (en) * 2005-05-31 2006-12-07 Interdigital Technology Corporation Authentication and encryption methods using shared secret randomness in a joint channel
JP4699099B2 (en) * 2005-06-14 2011-06-08 富士通株式会社 Communication control device and communication control method
US20080144836A1 (en) * 2006-12-13 2008-06-19 Barry Sanders Distributed encryption authentication methods and systems
JP4304215B2 (en) * 2007-03-23 2009-07-29 株式会社東芝 Secret sharing apparatus, method and program
JP4334582B2 (en) * 2007-06-26 2009-09-30 株式会社東芝 Secret sharing apparatus, method and program
US8918537B1 (en) * 2007-06-28 2014-12-23 Emc Corporation Storage array network path analysis server for enhanced path selection in a host-based I/O multi-path system
US8111627B2 (en) * 2007-06-29 2012-02-07 Cisco Technology, Inc. Discovering configured tunnels between nodes on a path in a data communications network
US8077713B2 (en) * 2007-09-11 2011-12-13 Cisco Technology, Inc. Dynamic update of a multicast tree
US8316367B2 (en) * 2009-01-14 2012-11-20 Alcatel Lucent System and method for optimizing batch resource allocation
US9185166B2 (en) * 2012-02-28 2015-11-10 International Business Machines Corporation Disjoint multi-pathing for a data center network
US9419887B1 (en) * 2013-06-19 2016-08-16 Google Inc. Minimum latency routing
WO2015103338A1 (en) * 2013-12-31 2015-07-09 Lookout, Inc. Cloud-based network security
US9419889B2 (en) * 2014-03-07 2016-08-16 Nicira, Inc. Method and system for discovering a path of network traffic
US9998434B2 (en) * 2015-01-26 2018-06-12 Listat Ltd. Secure dynamic communication network and protocol
US10437525B2 (en) * 2015-05-27 2019-10-08 California Institute Of Technology Communication efficient secret sharing
RU2649290C1 (en) * 2017-04-28 2018-03-30 Акционерное общество "Лаборатория Касперского" SYSTEM AND METHOD OF TRAFFIC FILTRATION AT DDoS-ATTACK DETECTION

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000041357A1 (en) * 1999-01-08 2000-07-13 Nortel Networks Limited Exchanging a secret over an unreliable network
US20040025018A1 (en) * 2002-01-23 2004-02-05 Haas Zygmunt J. Secure end-to-end communication in mobile ad hoc networks
US20120163592A1 (en) * 2006-11-07 2012-06-28 Security First Corp. Systems and methods for distributing and securing data
US20130042105A1 (en) * 2009-11-25 2013-02-14 Security First Corp. Systems and methods for securing data in motion

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
AIACHE, H ET AL.: "Improving security and performance of an ad hoc network through a multipath routing strategy.", JOURNAL IN COMPUTER VIROLOGY, vol. 4, no. 4, 31 December 2008 (2008-12-31), pages 267 - 278, XP055238081, ISSN: 1772-9890, Retrieved from the Internet <URL:http://ced.tavernier.free.fr/index_fichiers/Articles/NET_ART.pdf> [retrieved on 20150309] *
See also references of EP3146668A4 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016135726A1 (en) * 2015-02-25 2016-09-01 Secret Double Octopus Ltd. Method and system for authenticating and preserving the integrity of communication, secured by secret sharing
US10536269B2 (en) 2015-02-25 2020-01-14 Secret Double Octopus Ltd Method and system for authentication and preserving the integrity of communication, secured by secret sharing
WO2019072470A1 (en) 2017-10-10 2019-04-18 Commissariat A L'energie Atomique Et Aux Energies Alternatives Device and method for data transmission
US11665143B2 (en) 2017-10-10 2023-05-30 Commissariat A L'energie Atomique Et Aux Energies Alternatives Method, device and medium for transmission of fragmented IP addresses and data packets through a network

Also Published As

Publication number Publication date
CN107078898A (en) 2017-08-18
EP3146668A1 (en) 2017-03-29
WO2015177789A8 (en) 2016-01-14
US20190306131A1 (en) 2019-10-03
EP3146668A4 (en) 2018-02-14
US11595359B2 (en) 2023-02-28

Similar Documents

Publication Publication Date Title
US10356054B2 (en) Method for establishing a secure private interconnection over a multipath network
US11595359B2 (en) Method for establishing a secure private interconnection over a multipath network
Chen et al. HORNET: High-speed onion routing at the network layer
Chen et al. TARANET: Traffic-analysis resistant anonymity at the network layer
US8452956B1 (en) Methods and apparatus for network communications via a transparent security proxy
US7590245B1 (en) Anonymous communicating over interconnected networks
US20080104692A1 (en) Virtual security interface
CN111194541B (en) Apparatus and method for data transmission
Sengupta et al. Privacy-preserving network path validation
Wang et al. Programmable in-network obfuscation of DNS traffic
Gilad et al. Plug-and-play ip security: Anonymity infrastructure instead of pki
Tennekoon et al. Prototype implementation of fast and secure traceability service over public networks
Kwon et al. SVLAN: Secure & scalable network virtualization
Liyanage et al. Secure hierarchical VPLS architecture for provider provisioned networks
Liyanage et al. Secure hierarchical virtual private LAN services for provider provisioned networks
Mahmmod et al. IPsec cryptography for data packets security within vpn tunneling networks communications
Walker Internet security
Kwon et al. Mondrian: Comprehensive Inter-domain Network Zoning Architecture.
Tennekoon et al. On the effectiveness of IP-routable entire-packet encryption service over public networks (november 2018)
CN116489638B (en) Jumping type routing method for anonymous communication of mobile ad hoc network
US20210014054A1 (en) Cryptography system and method
Ming-Hao The security analysis and attacks detection of OSPF routing protocol
Schatz et al. Virtual Private Networks in the Quantum Era: A Security in Depth Approach.
Pohly et al. MICSS: A realistic multichannel secrecy protocol
Wang et al. Programmable in-network obfuscation of dns traffic (work-in-progress)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15796374

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 15311911

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2015796374

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2015796374

Country of ref document: EP