Patents by Inventor Graham A. Wheeler

Graham A. Wheeler has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20040264697
    Abstract: A system and method for providing security to a graph of interconnected nodes includes a grouping multiplexing layer configured to monitor calls to the system, a graphing dynamic link layer configured to transmit and receive data to and from the graph, and a group security manager coupled to the grouping multiplexing layer and coupled to the graphing dynamic link layer; the group security manager is configured to perform security-related acts via interacting with a group database to propagate security-related information to members of a group within the graph. The group security manager is configured to provide role-based authorization on publication of one or more records and provide membership control for admission to a graph of interconnected nodes. The group security manager provides membership control by providing credentials to potential members of the graph to enable a connection and by providing a governed system for renewal and revocation of members.
    Type: Application
    Filed: June 27, 2003
    Publication date: December 30, 2004
    Applicant: Microsoft Corporation
    Inventors: Alexandru Gavrilescu, Graham A. Wheeler, Grigori M. Somin, John L. Miller, Rohit Gupta
  • Publication number: 20030236976
    Abstract: A novel system and method provide a compact representation of revocation information for conserving network bandwidth and member resources in a peer-to-peer network. Group membership certificates are assigned integer serial numbers in a range from a lowest number to a highest number. A certificate revocation list (CRL) is composed of an offset value and a bit vector. The offset value generally describes the lowest currently outstanding serial number, corresponding to the first position in the bit vector. The remaining bit positions of the bit vector represent in order of increasing value the remaining issued certificate serial numbers. The bit corresponding to the serial number of each certificate is set to reflect either a state of “not revoked,” or a state of “revoked.”
    Type: Application
    Filed: June 19, 2002
    Publication date: December 25, 2003
    Applicant: Microsoft Corporation
    Inventor: Graham A. Wheeler
  • Publication number: 20030204742
    Abstract: A security infrastructure and methods are presented that inhibit the ability of a malicious node from disrupting the normal operations of a peer-to-peer network. The methods of the invention allow both secure and insecure identities to be used by nodes by making them self-verifying. When necessary or opportunistic, ID ownership is validated by piggybacking the validation on existing messages. The probability of connecting initially to a malicious node is reduced by randomly selecting to which node to connect. Further, information from malicious nodes is identified and can be disregarded by maintaining information about prior communications that will require a future response. Denial of service attacks are inhibited by allowing the node to disregard requests when its resource utilization exceeds a predetermined limit. The ability for a malicious node to remove a valid node is reduced by requiring that revocation certificates be signed by the node to be removed.
    Type: Application
    Filed: April 29, 2002
    Publication date: October 30, 2003
    Applicant: Microsoft Corporation
    Inventors: Rohit Gupta, Alexandru Gavrilescu, John L. Miller, Graham A. Wheeler
  • Publication number: 20030204626
    Abstract: A method and system are disclosed for efficiently matching incoming packets to previously forwarded outgoing packets within a network node to ensure a response received by a network node corresponds to a previously forwarded request. The network node receives an outgoing packet including state information and computes a mapping (e.g., hash) function value based upon the state information. Thereafter, the network node sets an entry within a bitmap at a position corresponding to the mapping function value. The network node also receives an incoming packet purportedly responsive to an earlier outgoing packet and includes state information of a type corresponding to the state information of an outgoing packet. The network node computes a mapping function value based upon the state information in the incoming packet. The network node then tests an entry corresponding to the mapping function value within one or more bitmaps including bits set at positions corresponding to previously forwarded outgoing packets.
    Type: Application
    Filed: April 24, 2002
    Publication date: October 30, 2003
    Applicant: Microsoft Corporation
    Inventor: Graham A. Wheeler
  • Publication number: 20030204734
    Abstract: Disclosed are methods for an invitee to gain admittance to a group. An inviter already in the group and the invitee share a secret password. The inviter uses the password to create an invitation and then issues the invitation to the invitee and to an authenticator. The authenticator creates a challenge key and challenge value and sends the challenge value to the invitee. Using the password and information from the invitation, the invitee recreates the challenge key, uses the challenge key to derive a response value from the challenge value, and sends the response value to the authenticator. The authenticator compares the response value with an expected value and, if they match, knows that the invitee must have been able to recreate the challenge key. The authenticator trusts that this invitee must be the one for which the inviter issued the invitation and admits the invitee to the group.
    Type: Application
    Filed: April 24, 2002
    Publication date: October 30, 2003
    Applicant: Microsoft Corporation
    Inventor: Graham A. Wheeler