Patents by Inventor Radia J. Perlman

Radia J. Perlman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 6560705
    Abstract: One embodiment of the present invention provides a system that performs content screening on a message that is protected by end-to-end encryption. The system operates by receiving an encrypted message and an encrypted message key at a content screener from a firewall, the firewall having previously received the encrypted message and the encrypted message key from a source outside the firewall. The content screener decrypts the encrypted message key to restore the message key, and decrypts the encrypted message with the message key to restore the message. Next, the content screener screens the message to determine whether the message satisfies a screening criterion. If so, the system forwards the message to a destination within the firewall in a secure manner. In one embodiment of the present invention, the system decrypts the encrypted message key by sending the encrypted message key to the destination.
    Type: Grant
    Filed: February 23, 2000
    Date of Patent: May 6, 2003
    Assignee: Sun Microsystems, Inc.
    Inventors: Radia J. Perlman, Stephen R. Hanna, Yassir K. Elley
  • Patent number: 6546486
    Abstract: One embodiment of the present invention provides a system that performs content screening on a message that is protected by end-to-end encryption. The system operates by receiving an encrypted message at a firewall from a source outside of the firewall, the encrypted message having been formed by encrypting the message with a message key. In order to restore the message, the system procures the message key and decrypts the encrypted message with the message key. Next, the system screens the message within the firewall to determine whether the message satisfies a screening criterion. If so, the system allows a destination within the firewall to process the message. In one embodiment of the present invention, procuring the message key includes allowing the source and the destination to negotiate the message key, which is then sent to the firewall.
    Type: Grant
    Filed: February 23, 2000
    Date of Patent: April 8, 2003
    Assignee: Sun Microsystems, Inc.
    Inventors: Radia J. Perlman, Stephen R. Hanna, Yassir K. Elley
  • Publication number: 20030043756
    Abstract: A system and method for calculating a deadlock-free set of paths in a network which generates an ordered set of deadlock-free sub-topologies, referred to as “layers.” The ordered set of layers is used to determine a deadlock-free set of paths through the network. The resulting paths allow data to be efficiently routed through the network without causing traffic to be disproportionately routed through any subset of links. Each of the deadlock-free layers may be any type of deadlock-free sub-topology. The generated ordering may be any arbitrary ordering of the layers. A shortest-path route calculation is performed with the following constraint: starting at any given layer, for each node, proceed to calculate a shortest path to every other node in the graph where at any node being utilized to assess a given minimum path, the path may move to any higher-ordered layer, but may never return to a lower ordered layer. In this way, within each layer, a path moves through a tree and thus avoids deadlock.
    Type: Application
    Filed: August 20, 2001
    Publication date: March 6, 2003
    Applicant: Sun Microsystems, Inc.
    Inventors: John V. Reynders, Radia J. Perlman, Guy L. Steele
  • Patent number: 6526055
    Abstract: A method and apparatus that constructs a “router database” and then uses the database to determine a longest match between a piece of target data, such as an address in a packet to be routed, and the database. The database contains a comparison table having a plurality of entries. In a first embodiment, each entry has up to k values, where 2<=k<=N, where N is a number of comparison values in the database. In a second embodiment, each entry has up to k−1 values. During operation, various ones of the comparison table entries are loaded and compared to the address to determine a longest matching prefix in the router database. The comparison can be done in parallel.
    Type: Grant
    Filed: October 20, 1998
    Date of Patent: February 25, 2003
    Assignee: Sun Microsystems, Inc.
    Inventors: Radia J. Perlman, Dah Ming Chiu
  • Patent number: 6526022
    Abstract: A method of detecting congestion in a computer network uses a receiving station which determines a first number of messages missing in a first acknowledgment window. The station then determines a second number of messages missing in a subsequent acknowledgement window. The station then measures congestion on the network in response to an increase in the number of missing messages as indicated by the first number of missing messages in the first acknowledgement window and the second number of missing messages in the second acknowledgement window.
    Type: Grant
    Filed: June 18, 1999
    Date of Patent: February 25, 2003
    Assignee: Sun Microsystems
    Inventors: Dah Ming Chiu, Miriam C. Kadansky, Stephen R. Hanna, Stephen A. Hurst, Joseph S. Wesley, Philip M. Rosenzweig, Radia J. Perlman
  • Patent number: 6510523
    Abstract: A method and system for providing limited access privileges with an untrusted terminal allows a user to perform privileged operations between the untrusted terminal and a remote terminal in a controlled manner. The user can establish a secure communications channel between the untrusted terminal and a credentials server to receive credentials therefrom. Once the user receives the credentials, the secure communications channel is closed. The user can then use the credentials to perform privileged operations on a remote terminal through the untrusted terminal. The remote terminal knows to grant the user limited privileges based on information included in the credentials. The effects of malicious actions by the untrusted terminal are limited and controlled.
    Type: Grant
    Filed: February 22, 1999
    Date of Patent: January 21, 2003
    Assignee: Sun Microsystems Inc.
    Inventors: Radia J. Perlman, Stephen R. Hanna
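The flow in US 6,510,523 above, as an added example (not Sun Microsystems code and not taken from the patent): a credentials server issues a short-lived credential that names exactly the operations the user may perform, and the remote terminal enforces that scope regardless of what the untrusted terminal does with the credential. The patent fixes neither a credential format nor a trust relationship, so the JSON-plus-HMAC layout, the assumption that the credentials server and remote terminal share an HMAC key, and all class and field names here are assumptions for illustration.

```python
"""Limited-privilege credentials for use from an untrusted terminal.

Added illustration, not Sun Microsystems code. Assumptions: the credentials
server and the remote terminal share an HMAC key (a Kerberos-style trust
relationship), and the credential is a JSON claims body plus an HMAC-SHA256
tag; the patent fixes neither the format nor the names used below.
"""
import hashlib
import hmac
import json


def _tag(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class CredentialsServer:
    """Reached over a secure channel that is closed once the credential is handed over."""

    def __init__(self, shared_key: bytes, clock):
        self._key, self._clock = shared_key, clock

    def issue(self, user: str, target: str, allowed_ops, lifetime_s: int) -> str:
        claims = {"sub": user, "aud": target, "ops": sorted(allowed_ops),
                  "exp": int(self._clock()) + lifetime_s}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return body.hex() + "." + _tag(self._key, body)


class RemoteTerminal:
    """Grants only the privileges the credential names, whatever the untrusted terminal does."""

    def __init__(self, name: str, shared_key: bytes, clock):
        self.name, self._key, self._clock = name, shared_key, clock

    def verify(self, credential: str) -> dict:
        body_hex, _, tag = credential.partition(".")
        body = bytes.fromhex(body_hex)
        if not hmac.compare_digest(tag, _tag(self._key, body)):
            raise PermissionError("credential forged or tampered with")
        claims = json.loads(body)
        if claims["aud"] != self.name:
            raise PermissionError("credential issued for a different terminal")
        if claims["exp"] <= self._clock():
            raise PermissionError("credential expired")
        return claims

    def perform(self, credential: str, op: str) -> str:
        claims = self.verify(credential)
        if op not in claims["ops"]:
            raise PermissionError(f"{op} is outside the credential's limited privileges")
        return f"{claims['sub']} performed {op} on {self.name}"


def widen_scope(credential: str, extra_op: str) -> str:
    """What a malicious untrusted terminal might try: edit the claims, keep the old tag."""
    body_hex, _, tag = credential.partition(".")
    claims = json.loads(bytes.fromhex(body_hex))
    claims["ops"].append(extra_op)
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return body.hex() + "." + tag


def demo() -> dict:
    clock = [1_700_000_000]                      # constructed, controllable clock
    key = b"constructed shared secret between credentials server and mailhost"
    server = CredentialsServer(key, lambda: clock[0])
    host = RemoteTerminal("mailhost", key, lambda: clock[0])
    cred = server.issue("alice", "mailhost", {"read_inbox"}, lifetime_s=300)
    results = {"in_scope": host.perform(cred, "read_inbox")}
    attempts = {"out_of_scope": (cred, "delete_account"),
                "tampered_scope": (widen_scope(cred, "delete_account"), "delete_account")}
    for label, (c, op) in attempts.items():
        try:
            host.perform(c, op)
            results[label] = "granted"
        except PermissionError:
            results[label] = "denied"
    clock[0] += 301                              # credential lifetime has passed
    try:
        host.perform(cred, "read_inbox")
        results["after_expiry"] = "granted"
    except PermissionError:
        results["after_expiry"] = "denied"
    return results
```

The two failure modes worth noticing are the ones the abstract calls "malicious actions by the untrusted terminal": replaying the credential for an operation outside its scope is refused by the scope check, and rewriting the scope invalidates the tag. Neither check depends on the terminal being honest; only on the remote terminal holding the verification key and a clock.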
  • Patent number: 6507562
    Abstract: Receiver stations located close together in a computer network dynamically form a multicast repair tree by a plurality of receiver stations choosing a repair head station from among the closely located receiver stations. A receiver station calculates its distance from a repair head station by subtracting the decremented TTL value read from the IP header from the initial value of the TTL parameter carried in field TTL SCOPE of HELLO messages, transmitted by repair head stations. Using the criterion that a closer repair head station is a better repair head station, receiver stations listen to each received HELLO message, calculate the distance to the repair head station, and reaffiliate with the closest repair head station.
    Type: Grant
    Filed: June 18, 1999
    Date of Patent: January 14, 2003
    Assignee: Sun Microsystems, Inc.
    Inventors: Miriam C. Kadansky, Dah Ming Chiu, Stephen R. Hanna, Stephen A. Hurst, Joseph S. Wesley, Philip M. Rosenzweig, Radia J. Perlman
  • Patent number: 6505253
    Abstract: A multicast repair tree is established, the repair tree having one sender station and a plurality of repair head stations. A repair head station has an affiliated group of member stations. A repair head station retransmits a lost message to its affiliated group of member stations upon receipt from a member station of a NACK message indicating that the selected message was not received. Acknowledgment windows (ACK windows) are established in a member station for transmission of ACK or NACK message by the member station. A number of messages transmitted by the sender station during a transmission window is established. Also a same size of ACK window is established in the receiving stations, with a slot in the ACK window corresponding to each message transmitted by the repair head station. Each receiving station is assigned a slot in the ACK window during which time that receiving station transmits its ACK or NACK messages.
    Type: Grant
    Filed: June 18, 1999
    Date of Patent: January 7, 2003
    Assignee: Sun Microsystems
    Inventors: Dah Ming Chiu, Miriam C. Kadansky, Stephen R. Hanna, Stephen A. Hurst, Joseph S. Wesley, Philip M. Rosenzweig, Radia J. Perlman
  • Publication number: 20020191797
    Abstract: A method and apparatus for securely communicating ephemeral information from a first node to a second node. In a first embodiment, the first node encodes and transmits an ephemeral message encrypted at least in part with an ephemeral key, from the first node to the second node. Only the second node has available to it the information that is needed to achieve decryption by an ephemeral key server of a decryption key that is needed to decrypt certain encrypted payload information contained within the message communicated from the first node to the second node. In a second embodiment the first node transmits to the second node an ephemeral message that is encrypted at least in part with an ephemeral key. The ephemeral message includes enough information to permit the second node to communicate at least a portion of the message to an ephemeral key server and for the ephemeral key server to verify that the second node is an authorized decryption agent for the message.
    Type: Application
    Filed: June 13, 2001
    Publication date: December 19, 2002
    Applicant: Sun Microsystems, Inc.
    Inventor: Radia J. Perlman
  • Patent number: 6473431
    Abstract: A network includes routers which route message packets among devices, thereby to facilitate transfer of information thereamong. Each router node makes use of routing information that identifies, inter alia, addresses and address ranges for which other router nodes are responsible, that the respective router node uses in routing a message packet that it receives. Each router node, through a negotiation operation with other router nodes, attempts to aggregate addresses for which it is responsible into one or more address ranges which do not overlap with addresses for which the other router nodes are responsible, and provides the address range(s), along with addresses for which it is responsible which could not be so aggregated, to the other router nodes for use as their routing information. Several methodologies are described for use in connection with the negotiation operations.
    Type: Grant
    Filed: July 2, 1999
    Date of Patent: October 29, 2002
    Assignee: Sun Microsystems, Inc.
    Inventors: Radia J. Perlman, Stephen R. Hanna
  • Publication number: 20020150043
    Abstract: One embodiment of the present invention provides a system that facilitates instant failover during packet routing by employing a flooding protocol to send packets between a source and a destination. Upon receiving a packet containing data at an intermediate node located between the source and the destination, the system determines whether the packet has been seen before at the intermediate node. If not, the system forwards the packet to neighboring nodes of the intermediate node. In one embodiment of the present invention, forwarding the packet to neighboring nodes involves forwarding the packet to all neighboring nodes except the node from which the packet was received. In one embodiment of the present invention, determining whether the packet has been seen before involves examining a sequence number, SR, contained within the packet to determine whether the sequence number has been seen before.
    Type: Application
    Filed: April 13, 2001
    Publication date: October 17, 2002
    Inventors: Radia J. Perlman, John V.W. Reynders
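The flooding scheme of US 2002/0150043 above, as an added example (not Sun Microsystems code and not from the patent): every node keeps the (source, sequence number) pairs it has already handled, drops repeats, and otherwise forwards to every neighbour except the one the packet arrived from. The simulation then cuts a link and sends again, with no routing update of any kind, to show why the abstract calls this "instant failover". The square topology, the event-driven simulation and the function names are assumptions for the example.

```python
"""Flooding with (source, sequence number) de-duplication for instant failover.

Added illustration, not Sun Microsystems code. The seen-before test keys on
(source, sequence number) as the abstract describes; the graph, the
event-driven simulation and the function names are assumptions.
"""
from collections import deque


class Node:
    def __init__(self, name: str):
        self.name = name
        self.neighbors: set = set()
        self.seen: set = set()        # (source, seq) pairs already processed here


def build_network(edges):
    """Undirected links given as (a, b) pairs."""
    nodes = {}
    for a, b in edges:
        nodes.setdefault(a, Node(a)).neighbors.add(b)
        nodes.setdefault(b, Node(b)).neighbors.add(a)
    return nodes


def cut_link(nodes, a, b):
    """A link failure. No routing update is sent; the next packet just floods around it."""
    nodes[a].neighbors.discard(b)
    nodes[b].neighbors.discard(a)


def flood(nodes, source, destination, seq):
    """Inject one packet at `source`; return (delivered, number of link transmissions)."""
    key = (source, seq)
    queue = deque([(source, None)])   # (node about to receive, node it came from)
    transmissions = 0
    delivered = False
    while queue:
        at, came_from = queue.popleft()
        node = nodes[at]
        if key in node.seen:          # seen before: drop. This is what bounds the flood.
            continue
        node.seen.add(key)
        if at == destination:         # the consumer; forwarding stops here
            delivered = True
            continue
        for neighbor in sorted(node.neighbors - {came_from}):   # everyone but the sender
            transmissions += 1
            queue.append((neighbor, at))
    return delivered, transmissions


def demo():
    # Constructed square topology A-B, B-D, A-C, C-D: two disjoint paths from A to D.
    nodes = build_network([("A", "B"), ("B", "D"), ("A", "C"), ("C", "D")])
    first = flood(nodes, "A", "D", seq=1)          # delivered over both paths, 4 transmissions
    replay = flood(nodes, "A", "D", seq=1)         # stale sequence number: dropped at the source
    cut_link(nodes, "A", "B")
    after_failure = flood(nodes, "A", "D", seq=2)  # still delivered, no reconvergence wait
    return first, replay, after_failure
```

The cost side is visible in the counts: the first packet is transmitted on every link of the square, not on one shortest path, which is the price of not depending on routing state. The seen-before set is also what makes a replayed sequence number harmless, so the set must not be flushed on a link change.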
  • Publication number: 20020147905
    Abstract: A system and method for shortening a certificate chain to form a collapsed certificate. The certificate chain comprises a plurality of linked certificates issued by a corresponding plurality of entities. The certificate chain extends from a first entity, through at least one intermediate entity, to a target entity associated with certain predetermined information. The plurality of linked certificates in the certificate chain is converted by the first entity into a collapsed certificate that is signed by the first entity and includes the predetermined information and an identification of the at least one intermediate entity. By utilizing the collapsed certificate in place of the plurality of linked certificates in the certificate chain, bandwidth utilization within a network and certificate processing overhead are reduced.
    Type: Application
    Filed: April 5, 2001
    Publication date: October 10, 2002
    Applicant: Sun Microsystems, Inc.
    Inventor: Radia J. Perlman
  • Publication number: 20020144149
    Abstract: A method and system for evaluating a set of credentials that includes at least one group credential and that may include one or more additional credentials. A trust rating is provided in association with the at least one group credential within the set of credentials and trust ratings may also be provided in other credentials within the set of credentials. Each trust rating provides an indication of the level of confidence in the information being certified in the respective credential. In response to a request for access to a resource or service, an evaluation of the group credentials is performed by an access control program to determine whether access to the requested resource or service should be provided. In one embodiment, within any given certification path a composite trust rating for the respective path is determined. An overall trust rating for the set of credentials is determined based upon the composite trust ratings.
    Type: Application
    Filed: April 3, 2001
    Publication date: October 3, 2002
    Applicant: Sun Microsystems, Inc.
    Inventors: Stephen R. Hanna, Anne H. Anderson, Yassir K. Elley, Radia J. Perlman, Sean J. Mullan
  • Publication number: 20020101873
    Abstract: In automatically configuring network-layer addresses for network nodes in a network region, a specified router on each link generates link number request messages for the link. An address-assigning node assigns a region-wise unique link number to each link identified in a request message, and returns link number assignment messages containing the assigned link numbers. Each specified router assigns the link number from a received link number assignment message to a field of the network-layer addresses of the nodes on the associated link. According to a variation of the method, each specified router self-selects a link number and communicates with the other specified routers to avoid conflicts. Each specified router receives messages from the other specified routers containing numbers selected as region-wise unique link numbers for other links. Each specified router stores the received link numbers in association with the respective links in a local database.
    Type: Application
    Filed: November 30, 2000
    Publication date: August 1, 2002
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Radia J. Perlman, Eric A. Guttman
  • Publication number: 20020099668
    Abstract: A method and system for revoking a certificate issued by a certification authority (CA). An identifier associated with a registration authority (RA) that requested issuance of a certificate on behalf of a principal is included within the certificate that is issued by the CA. Additionally, a time stamp indicating when the respective RA requested the certificate may be included in the certificate. In response to a request from a principal to a server for access to a resource, the server verifies the request using a decryption key contained in the certificate. Additionally, in a first embodiment a determination is made whether the RA identifier contained within the certificate is present on a certificate revocation list (CRL) maintained by a revocation server. If the RA identifier is present on the CRL, an indication is provided to the server that the certificate has been revoked and access to the requested resource may be denied.
    Type: Application
    Filed: January 22, 2001
    Publication date: July 25, 2002
    Applicant: Sun Microsystems, Inc.
    Inventor: Radia J. Perlman
  • Publication number: 20020093968
    Abstract: A network device dynamically switches between layer 2 (data link) operation and layer 3 (network) operation. When enabled, bridging logic functions as a data link bridge, receiving data link messages from communications links forming part of a single network-layer segment and forwarding the messages to another communications link using layer-2 addresses in the messages. When enabled, routing logic functions as a network router, receiving network layer messages from different network-layer segments and forwarding the messages to other links based on a routing algorithm and the network layer addresses. Selection logic dynamically selects the desired function under different operating conditions. For a transition from router to bridge, multiple network-layer segments are merged into a single bridged network-layer segment, freeing up link numbers for use in configuring addresses for other segments.
    Type: Application
    Filed: November 30, 2000
    Publication date: July 18, 2002
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Radia J. Perlman, Eric A. Guttman
  • Publication number: 20020093967
    Abstract: To ensure uniqueness of a router identifier in routing protocol messages (RPMs), a router determines whether an identifier IDR in received RPMs is the same as an identifier IDS in RPMs originated by the router. For RPMs having the same identifier, sequence information such as a sequence number is compared with sequence information in the RPM most recently originated by the router, the comparison indicating whether the received RPM appears to have been originated more recently. The rate at which such RPMs are being received is monitored. If the rate is above a predetermined threshold rate, the router infers that another router is using the same identifier, and selects a different identifier for subsequent use. The sequence information preferably includes a checksum calculated over contents of the message including a random number, to ensure proper flooding of each message to other routers that may be using a duplicate identifier.
    Type: Application
    Filed: November 30, 2000
    Publication date: July 18, 2002
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Radia J. Perlman, Eric A. Guttman
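The duplicate-identifier rule of US 2002/0093967 above, as an added example (not Sun Microsystems code and not from the patent): a router counts routing protocol messages that carry its own identifier but look more recently originated than anything it sent, and abandons the identifier once they arrive faster than a threshold rate. The RPM dictionary layout, the sliding-window rate estimate, the numeric thresholds and the way a replacement identifier is chosen are assumptions; the checksum-over-a-nonce field is there because the abstract says the sequence information preferably includes one.

```python
"""Duplicate router-identifier detection from routing protocol messages (RPMs).

Added illustration, not Sun Microsystems code. The RPM layout, the
sliding-window rate estimate, the thresholds and the replacement-identifier
choice are assumptions; the detection rule follows the abstract.
"""
from collections import deque
import hashlib
import secrets


def rpm_checksum(identifier: str, seq: int, body: str, nonce: str) -> str:
    """Checksum over the contents including a random nonce, so two routers that
    originate the same (identifier, seq) still produce distinguishable RPMs."""
    return hashlib.sha256(f"{identifier}|{seq}|{body}|{nonce}".encode()).hexdigest()[:8]


class Router:
    def __init__(self, identifier: str, rate_threshold_per_s: float, window_s: float):
        self.identifier = identifier
        self.identifier_history = [identifier]
        self.seq = 0                      # sequence number of our most recent RPM
        self.checksum = None              # checksum of our most recent RPM
        self.rate_threshold_per_s = rate_threshold_per_s
        self.window_s = window_s
        self._suspect_arrivals = deque()  # arrival times of RPMs that look like ours but newer

    def originate(self, body: str) -> dict:
        self.seq += 1
        nonce = secrets.token_hex(4)
        self.checksum = rpm_checksum(self.identifier, self.seq, body, nonce)
        return {"id": self.identifier, "seq": self.seq, "nonce": nonce,
                "body": body, "cksum": self.checksum}

    def _looks_newer_than_ours(self, rpm: dict) -> bool:
        # Higher sequence number, or the same number with a different checksum:
        # neither can be a flooded copy of anything we originated.
        if rpm["seq"] > self.seq:
            return True
        return rpm["seq"] == self.seq and rpm["cksum"] != self.checksum

    def _pick_new_identifier(self) -> None:
        new_id = self.identifier
        while new_id in self.identifier_history:      # assumption: random re-selection
            new_id = "R-" + secrets.token_hex(2)
        self.identifier = new_id
        self.identifier_history.append(new_id)
        self.seq, self.checksum = 0, None
        self._suspect_arrivals.clear()

    def receive(self, rpm: dict, now: float) -> str:
        """'flood' for an ordinary RPM; 'suspect' when it carries our identifier but
        looks newer than ours; 'conflict' once such RPMs exceed the threshold rate
        and we have moved to a new identifier."""
        if rpm["id"] != self.identifier or not self._looks_newer_than_ours(rpm):
            return "flood"
        self._suspect_arrivals.append(now)
        while now - self._suspect_arrivals[0] > self.window_s:
            self._suspect_arrivals.popleft()
        rate = len(self._suspect_arrivals) / self.window_s
        if rate > self.rate_threshold_per_s:
            self._pick_new_identifier()
            return "conflict"
        return "suspect"


def demo():
    r = Router("R1", rate_threshold_per_s=0.5, window_s=10.0)
    for i in range(3):
        r.originate(f"prefixes-v{i}")
    # A flooded-back copy of an older RPM of ours: not newer, so it is just flooded on.
    stale = r.receive({"id": "R1", "seq": 2, "nonce": "00", "body": "old", "cksum": "0"}, now=0.0)
    # Constructed RPMs from a second router that also chose "R1", arriving once a second.
    verdicts = [r.receive({"id": "R1", "seq": 10 + i, "nonce": "00", "body": "other",
                           "cksum": "deadbeef"}, now=float(i)) for i in range(6)]
    return stale, verdicts, r.identifier_history
```

The rate threshold is the important design choice: a single RPM that looks newer than our own is normal after a restart (our pre-restart RPMs are still in the network with higher numbers), so one suspect message must not trigger a change; a steady stream of them means another live originator.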
  • Patent number: 6389532
    Abstract: A method and apparatus for filtering packets uses digital signatures to filter packets in a network. A filter point, such as a router or firewall to an intranet, receives a packet including a header, detects the existence of a signature in the header, tests the validity of the signature using a public key, and forwards the packet in accordance with the validity of the signature. A sender uses a private key obtained from an owner to generate the signature, which is created by encrypting a fingerprint which corresponds to the data in the packet. Public keys are created by an owner which installs them in a domain name system or a certification server. Private keys are also created by the owner but are disseminated only to authorized senders. A method and apparatus for sending packets stores a private key in a memory of the data processor, generates a signature using the private key, installs the signature into a header of a packet; and sends the packet.
    Type: Grant
    Filed: April 20, 1998
    Date of Patent: May 14, 2002
    Assignee: Sun Microsystems, Inc.
    Inventors: Amit Gupta, Radia J. Perlman
  • Patent number: 6363480
    Abstract: A system and method for a user to encrypt data in a way that ensures the data cannot be decrypted after a finite period. A number of ephemeral encryption keys are established by a first party, each of which will be destroyed at an associated time in the future (the “expiration time”). A second party selects or requests one of the ephemeral encryption keys for encrypting a message. The first party provides an ephemeral encryption key to the second party. Subsequently, the first party decrypts at least a portion of the message, using an ephemeral decryption key associated with the ephemeral encryption key provided to the second party. At the expiration time, the first party destroys all copies of at least the ephemeral decryption key, thus rendering any messages encrypted using the ephemeral encryption key permanently undecipherable. In an alternative embodiment, a number of ephemeral key servers provide a respective number of ephemeral encryption keys having associated expiration times.
    Type: Grant
    Filed: September 14, 1999
    Date of Patent: March 26, 2002
    Assignee: Sun Microsystems, Inc.
    Inventor: Radia J. Perlman
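The ephemeral-key lifecycle of US 6,363,480 above, together with the authorized-decryption-agent check of US 2002/0191797 earlier on this page, as one added example (not Sun Microsystems code and not from either patent). Two substitutions are deliberate and labelled: a symmetric wrapping key held only by the key server stands in for the patent's ephemeral public/private pair, so the sender asks the server to wrap the message key instead of encrypting to a published ephemeral public key; and the cipher is an HMAC-SHA256 keystream with an HMAC tag because it needs only the standard library, not because it is a substitute for a vetted AEAD. The class, method and field names and the injected clock are assumptions.

```python
"""Ephemeral keys that are destroyed at expiry.

Added illustration, not Sun Microsystems code. Assumptions: a symmetric wrapping
key held only by the key server stands in for the patent's ephemeral
public/private pair; the cipher is an HMAC-SHA256 keystream (a PRF in counter
mode) with an HMAC tag, chosen only because it needs nothing beyond the standard
library. It is not a substitute for a vetted AEAD.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EphemeralKeyServer:
    """The 'first party': every key has an expiry time and is shredded when it passes."""

    def __init__(self, clock):
        self._clock = clock      # injected so the lifecycle can be driven deterministically
        self._keys = {}          # key_id -> (wrapping key, expiry time)

    def create_key(self, expiry: float) -> str:
        key_id = secrets.token_hex(8)
        self._keys[key_id] = (secrets.token_bytes(32), expiry)
        return key_id

    def expire_keys(self) -> None:
        """Destroy every key whose expiry has passed; nothing wrapped under it is recoverable."""
        now = self._clock()
        for key_id in [k for k, (_, exp) in self._keys.items() if exp <= now]:
            del self._keys[key_id]

    def _live_key(self, key_id: str) -> bytes:
        self.expire_keys()
        if key_id not in self._keys:
            raise KeyError("ephemeral key expired or unknown: ciphertext is now undecipherable")
        return self._keys[key_id][0]

    def wrap(self, key_id: str, recipient: str, message_key: bytes) -> bytes:
        """Bind a per-message key to its intended recipient under the ephemeral key."""
        name = recipient.encode()
        return encrypt(self._live_key(key_id), bytes([len(name)]) + name + message_key)

    def unwrap(self, key_id: str, requester: str, wrapped: bytes) -> bytes:
        """Release the message key only to the recipient named at wrap time."""
        plain = decrypt(self._live_key(key_id), wrapped)
        n = plain[0]
        recipient, message_key = plain[1:1 + n].decode(), plain[1 + n:]
        if recipient != requester:
            raise PermissionError(f"{requester} is not the authorized decryption agent")
        return message_key


def seal(server, key_id: str, recipient: str, plaintext: bytes) -> dict:
    """Sender: fresh message key for the payload, wrapped by the ephemeral key server."""
    message_key = secrets.token_bytes(32)
    return {"key_id": key_id,
            "wrapped_key": server.wrap(key_id, recipient, message_key),
            "payload": encrypt(message_key, plaintext)}


def open_message(server, requester: str, message: dict) -> bytes:
    """Recipient: only the wrapped key goes to the server, never the payload."""
    message_key = server.unwrap(message["key_id"], requester, message["wrapped_key"])
    return decrypt(message_key, message["payload"])


def demo() -> dict:
    clock = [1000.0]                                 # constructed, controllable clock
    server = EphemeralKeyServer(clock=lambda: clock[0])
    key_id = server.create_key(expiry=2000.0)
    msg = seal(server, key_id, "bob", b"self-destructing note")
    results = {"bob_before_expiry": open_message(server, "bob", msg)}
    try:
        open_message(server, "eve", msg)
    except PermissionError:
        results["eve"] = "refused"
    clock[0] = 2000.0                                # expiry time reached
    try:
        open_message(server, "bob", msg)
    except KeyError:
        results["bob_after_expiry"] = "undecipherable"
    return results
```

Two properties carry the whole scheme and both show in `demo()`: the recipient never sends the payload to the key server, only the wrapped key, so the server cannot read traffic; and after `expire_keys()` the wrapped key is unrecoverable by anyone, including the server's operator and a later subpoena, which is the point of the patent's "finite period". In a real deployment the shredding step also has to cover backups and swap, which no amount of protocol design handles for you.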
  • Patent number: 6275859
    Abstract: To authenticate and authorize prospective members in a reliable multicast data distribution setup, the prospective members contact a central authority to obtain a “participation certificate” for the multicast session. The central authority authenticates each node and issues a digitally signed certificate to the node. Each certificate contains information specifying the manner in which the respective node is authorized to participate in the multicast session in addition to the respective node's public key. The nodes exchange their participation certificates with each other during session-establishment dialog to prove their identities and their authorization to participate. Each node verifies the rights of other nodes based on authorization information contained in the participation certificate received from the other node. Thus, a node is allowed to participate as a repair node only if it presents a participation certificate authorizing it to do so.
    Type: Grant
    Filed: October 28, 1999
    Date of Patent: August 14, 2001
    Assignee: Sun Microsystems, Inc.
    Inventors: Joseph S. Wesley, Dah Ming Chiu, Miriam C. Kadansky, Stephen A. Hurst, Radia J. Perlman, Joseph E. Provino, Philip M. Rosenzweig