Patents by Inventor Radia J. Perlman

Radia J. Perlman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20020144149
    Abstract: A method and system for evaluating a set of credentials that includes at least one group credential and that may include one or more additional credentials. A trust rating is provided in association with the at least one group credential within the set of credentials and trust ratings may also be provided in other credentials within the set of credentials. Each trust rating provides an indication of the level of confidence in the information being certified in the respective credential. In response to a request for access to a resource or service, an evaluation of the group credentials is performed by an access control program to determine whether access to the requested resource or service should be provided. In one embodiment, within any given certification path a composite trust rating for the respective path is determined. An overall trust rating for the set of credentials is determined based upon the composite trust ratings.
    Type: Application
    Filed: April 3, 2001
    Publication date: October 3, 2002
    Applicant: Sun Microsystems, Inc.
    Inventors: Stephen R. Hanna, Anne H. Anderson, Yassir K. Elley, Radia J. Perlman, Sean J. Mullan
  • Publication number: 20020101873
    Abstract: In automatically configuring network-layer addresses for network nodes in a network region, a specified router on each link generates link number request messages for the link. An address-assigning node assigns a region-wise unique link number to each link identified in a request message, and returns link number assignment messages containing the assigned link numbers. Each specified router assigns the link number from a received link number assignment message to a field of the network-layer addresses of the nodes on the associated link. According to a variation of the method, each specified router self-selects a link number and communicates with the other specified routers to avoid conflicts. Each specified router receives messages from the other specified routers containing numbers selected as region-wise unique link numbers for other links. Each specified router stores the received link numbers in association with the respective links in a local database.
    Type: Application
    Filed: November 30, 2000
    Publication date: August 1, 2002
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Radia J. Perlman, Eric A. Guttman
  • Publication number: 20020099668
    Abstract: A method and system for revoking a certificate issued by a certification authority (CA). An identifier associated with a registration authority (RA) that requested issuance of a certificate on behalf of a principal is included within the certificate that is issued by the CA. Additionally, a time stamp indicating when the respective RA requested the certificate may be included in the certificate. In response to a request from a principal to a server for access to a resource, the server verifies the request using a decryption key contained in the certificate. Additionally, in a first embodiment a determination is made whether the RA identifier contained within the certificate is present on a certificate revocation list (CRL) maintained by a revocation server. If the RA identifier is present on the CRL, an indication is provided to the server that the certificate has been revoked and access to the requested resource may be denied.
    Type: Application
    Filed: January 22, 2001
    Publication date: July 25, 2002
    Applicant: Sun Microsystems, Inc.
    Inventor: Radia J. Perlman
  • Publication number: 20020093968
    Abstract: A network device dynamically switches between layer 2 (data link) operation and layer 3 (network) operation. When enabled, bridging logic functions as a data link bridge, receiving data link messages from communications links forming part of a single network-layer segment and forwarding the messages to another communications link using layer-2 addresses in the messages. When enabled, routing logic functions as a network router, receiving network layer messages from different network-layer segments and forwarding the messages to other links based on a routing algorithm and the network layer addresses. Selection logic dynamically selects the desired function under different operating conditions. For a transition from router to bridge, multiple network-layer segments are merged into a single bridged network-layer segment, freeing up link numbers for use in configuring addresses for other segments.
    Type: Application
    Filed: November 30, 2000
    Publication date: July 18, 2002
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Radia J. Perlman, Eric A. Guttman
  • Publication number: 20020093967
    Abstract: To ensure uniqueness of a router identifier in routing protocol messages (RPMs), a router determines whether an identifier IDR in received RPMs is the same as an identifier IDS in RPMs originated by the router. For RPMs having the same identifier, sequence information such as a sequence number is compared with sequence information in the RPM most recently originated by the router, the comparison indicating whether the received RPM appears to have been originated more recently. The rate at which such RPMs are being received is monitored. If the rate is above a predetermined threshold rate, the router infers that another router is using the same identifier, and selects a different identifier for subsequent use. The sequence information preferably includes a checksum calculated over contents of the message including a random number, to ensure proper flooding of each message to other routers that may be using a duplicate identifier.
    Type: Application
    Filed: November 30, 2000
    Publication date: July 18, 2002
    Applicant: SUN MICROSYSTEMS, INC.
    Inventors: Radia J. Perlman, Eric A. Guttman
  • Patent number: 6389532
    Abstract: A method and apparatus for filtering packets uses digital signatures to filter packets in a network. A filter point, such as a router or firewall to an intranet, receives a packet including a header, detects the existence of a signature in the header, tests the validity of the signature using a public key, and forwards the packet in accordance with the validity of the signature. A sender uses a private key obtained from an owner to generate the signature, which is created by encrypting a fingerprint which corresponds to the data in the packet. Public keys are created by an owner which installs them in a domain name system or a certification server. Private keys are also created by the owner but are disseminated only to authorized senders. A method and apparatus for sending packets stores a private key in a memory of the data processor, generates a signature using the private key, installs the signature into a header of a packet; and sends the packet.
    Type: Grant
    Filed: April 20, 1998
    Date of Patent: May 14, 2002
    Assignee: Sun Microsystems, Inc.
    Inventors: Amit Gupta, Radia J. Perlman
  • Patent number: 6363480
    Abstract: A system and method for a user to encrypt data in a way that ensures the data cannot be decrypted after a finite period. A number of ephemeral encryption keys are established by a first party, each of which will be destroyed at an associated time in the future (the “expiration time”). A second party selects or requests one of the ephemeral encryption keys for encrypting a message. The first party provides an ephemeral encryption key to the second party. Subsequently, the first party decrypts at least a portion of the message, using an ephemeral decryption key associated with the ephemeral encryption key provided to the second party. At the expiration time, the first party destroys all copies of at least the ephemeral decryption key, thus rendering any messages encrypted using the ephemeral encryption key permanently undecipherable. In an alternative embodiment, a number of ephemeral key servers provide a respective number of ephemeral encryption keys having associated expiration times.
    Type: Grant
    Filed: September 14, 1999
    Date of Patent: March 26, 2002
    Assignee: Sun Microsystems, Inc.
    Inventor: Radia J. Perlman
  • Patent number: 6275859
    Abstract: To authenticate and authorize prospective members in a reliable multicast data distribution setup, the prospective members contact a central authority to obtain a “participation certificate” for the multicast session. The central authority authenticates each node and issues a digitally signed certificate to the node. Each certificate contains information specifying the manner in which the respective node is authorized to participate in the multicast session in addition to the respective node's public key. The nodes exchange their participation certificates with each other during session-establishment dialog to prove their identities and their authorization to participate. Each node verifies the rights of other nodes based on authorization information contained in the participation certificate received from the other node. Thus, a node is allowed to participate as a repair node only if it presents a participation certificate authorizing it to do so.
    Type: Grant
    Filed: October 28, 1999
    Date of Patent: August 14, 2001
    Assignee: Sun Microsystems, Inc.
    Inventors: Joseph S. Wesley, Dah Ming Chiu, Miriam C. Kadansky, Stephen A. Hurst, Radia J. Perlman, Joseph E. Provino, Philip M. Rosenzweig
  • Patent number: 6263434
    Abstract: A method and apparatus for identifying an applicant as a member of a group without explicitly listing all possible applicants. A test is defined which specifies the criteria for group membership. The test definition and an optional group identifier code are supplied to a criterion generator. The criterion generator generates an authenticated message based, at least in part, upon said test definition. The authenticated message is delivered to one or more criterion evaluators that verify the authenticated message. In one embodiment, once the authenticated message has been verified, the applicant for access to a resource presents a credential to the criterion evaluator. If the credential satisfies the test definition, the applicant is granted access to the specified resource and denied access if the credential does not satisfy the test definition.
    Type: Grant
    Filed: September 21, 1999
    Date of Patent: July 17, 2001
    Assignee: Sun Microsystems, Inc.
    Inventors: Stephen R. Hanna, Anne H. Anderson, Yassir K. Elley, Radia J. Perlman, Sean J. Mullan
  • Patent number: 6185698
    Abstract: An embodiment consistent with the present invention includes a method and apparatus for forming a multicast repair tree. The method may be performed by a data processor and comprises the steps of determining, for each of a plurality of potential heads in a multicast group, a ranking value associated with the potential head; advertising, by the potential heads to a plurality of potential receivers; prioritizing, by a potential receiver, the ranking values from the potential heads; and binding, by a potential receiver to the head having the highest ranking value, thereby forming a group of which the potential receiver is a member and the potential head is the head. The head may also be the sender. There may be a plurality of heads. The ranking values may include “able”, “unable”, “willing”, and “reluctant.” The ranking value of a potential head may be determined in accordance with a static or a dynamic configuration.
    Type: Grant
    Filed: April 20, 1998
    Date of Patent: February 6, 2001
    Assignee: Sun Microsystems, Incorporated
    Inventors: Joseph Wesley, Stephen A. Hurst, Miriam C. Kadansky, Stephen R. Hanna, Philip M. Rosenzweig, Dah Ming Chiu, Radia J. Perlman
  • Patent number: 6173400
    Abstract: A method and system for establishing a shared secret between a plurality of devices using an authentication token. An authentication token is used to establish a shared secret between a local device and a remote device to provide user authentication, data encryption, and integrity protection. The authentication token may be used in a variety of ways to authenticate a user. First, a time-synchronized authentication token can generate a first character string that is communicated to a workstation. The workstation can manipulate the first character string to generate a second character string and send the second character string to a server. The server then compares the second character string with a plurality of possible matching character string values and determines the first character string. In another implementation, a challenge from a server can be received and processed by a challenge-response authentication token to generate a character string.
    Type: Grant
    Filed: July 31, 1998
    Date of Patent: January 9, 2001
    Assignee: Sun Microsystems, Inc.
    Inventors: Radia J. Perlman, Stephen R. Hanna
  • Patent number: 6134599
    Abstract: In a digital data network, a plurality of devices interconnected by a communication link organize themselves into a tree structure. Each of the devices has an associated suitability value that generally relates to the device's suitability for becoming a node in the tree structure. The devices organize themselves into a tree structure in one or more iterations, each iteration comprising two general steps, namely, a node election step and a tree establishment step. In the node election step, the devices whose suitability values are such that they can become nodes in the tree broadcast over the communication link node election messages including their respective suitability values. These devices also receive the node election messages that are broadcast by other devices. Each device determines whether it is elected a node in the tree structure in connection with a comparison between its suitability value and suitability values of node election messages received thereby.
    Type: Grant
    Filed: April 18, 1998
    Date of Patent: October 17, 2000
    Assignee: Sun Microsystems, Inc.
    Inventors: Dah Ming Chiu, Miriam Kadansky, Radia J. Perlman
  • Patent number: 6131123
    Abstract: A computer sends a message to each of a number of recipient computers of a computer network by sending the message as a multicast message to near ones of the recipient computers and sending the message as unicast messages to far ones of the recipient computers. The sending computer determines the circumstances under which a combination of multicast and unicast messages are efficient by determining that many recipient computers are near the sending computer and that few recipient computers are far. The sending computer makes such a determination by determining no more than a predetermined number of recipient computers are at least a predetermined distance further from the sending computer than are the others of the recipient computers. The sending computer can also determine that the burden imposed upon the computer network by a multicast message is justified by the need to deliver the message to its intended recipients.
    Type: Grant
    Filed: May 14, 1998
    Date of Patent: October 10, 2000
    Assignee: Sun Microsystems Inc.
    Inventors: Stephen A. Hurst, Radia J. Perlman
  • Patent number: 6104695
    Abstract: Determination of a Time To Live ("TTL") hop count for repair data units transmitted from a repair head to a standard destination device in a communications network is facilitated for multicast transmission. The repair head destination device monitors the path between the repair head destination device and the standard destination devices by exchanging messages with the respective standard destination devices. The repair head transmits control messages to each destination device including a dispatched TTL value and an Internet Protocol ("IP") TTL value. If the control message fails to reach one of the standard destination devices, that standard destination device transmits a transmission failure indication to the repair head destination device. In response to the transmission failure indication the TTL value employed for the control message is increased.
    Type: Grant
    Filed: March 31, 1998
    Date of Patent: August 15, 2000
    Assignee: Sun Microsystems, Inc.
    Inventors: Joseph S. Wesley, Radia J. Perlman, Stephen A. Hurst, Stephen R. Hanna, Miriam C. Kadansky, Philip M. Rosenzweig
  • Patent number: 6094525
    Abstract: An improved network addressing arrangement expands both the format of a network layer header and the address spaces of nodes coupled to computer networks in a manner that efficiently enhances routing among nodes of different domains of the networks. Specifically, the novel arrangement provides new elements to a conventional hierarchical network layer address and modifies existing elements, i.e., destination network and socket numbers, of that address to effectively create an improved network layer header.
    Type: Grant
    Filed: July 6, 1995
    Date of Patent: July 25, 2000
    Assignee: Novell, Inc.
    Inventors: Radia J. Perlman, Neal D. Castagnoli
  • Patent number: 6055316
    Abstract: A secure communications arrangement is disclosed including a source device and a destination device interconnected by a network. The source device generates message packets for transfer to the destination device, each message packet including information in ciphertext form. The source device generates the ciphertext from plaintext in accordance with the cipher block chaining mode, using an initialization vector that is generated using a hash function selected so that small changes in an input result in large changes in the initialization vector. As a result values such as sequence numbers or time stamps can be used in generating the initialization vector, while still providing for cryptographic security for the ciphertext as against cryptanalytic attack. The destination device receives the message packet and decrypts the ciphertext to generate plaintext in accordance with the cipher block chaining mode, using an initialization vector that is generated using the corresponding hash function.
    Type: Grant
    Filed: December 26, 1997
    Date of Patent: April 25, 2000
    Assignee: Sun Microsystems, Inc.
    Inventors: Radia J. Perlman, Stephen R. Hanna
  • Patent number: 5983223
    Abstract: An arrangement efficiently renders forwarding decisions for a packet using a forwarding database dictionary of an intermediate node configured to optimize space consumed by addresses stored therein as well as to reduce time required to search those addresses. The arrangement generally includes a lookup mechanism comprising a search engine coupled to a set of registers and to the dictionary. The register set, in turn, comprises a number of registers operating in parallel to compare values specified by a number of bits with a predetermined starting point of an input string. The specified values are preferably representative of address prefixes stored in the dictionary and the input string is a destination address of the packet.
    Type: Grant
    Filed: May 6, 1997
    Date of Patent: November 9, 1999
    Assignee: Novell, Inc.
    Inventor: Radia J. Perlman
  • Patent number: 5956335
    Abstract: A method for connecting a first communications system with a third communications system, by passing through a second communications system, is disclosed. A first frame is received from the first communications system, where the first frame has a multicast address as a destination address. The multicast address requires the frame to be transmitted onto the second communications system. The multicast address is translated into a functional address. The functional address is written into a second frame, and the second frame is transmitted onto the second communications system. A station receiving the second frame translates the functional address into a multicast address and writes the multicast address into the destination address field of a third frame, and transmits the third frame onto the third communications system.
    Type: Grant
    Filed: November 12, 1993
    Date of Patent: September 21, 1999
    Assignee: Cabletron Systems, Inc.
    Inventors: Floyd J. Backes, William R. Hawe, G. Paul Koning, David J. Mitton, Radia J. Perlman
  • Patent number: 5901227
    Abstract: A key escrow technique reliably notifies an encrypting principal about escrow authorities requiring access to a secret key used to encrypt information and, further, about how much of that key is required by the authorities. The technique comprises a mechanism for storing escrow instructions pertaining to the authorities' keys in a designated location accessible by the encrypting principal. For example, the designated location may comprise a licensing string of a hardware or software add-on module needed to activate a cryptographic system of a data processing system. The escrow instructions may be further stored in an escrow formation field of a certificate. Here, the certificate may be the encrypting principal's certificate, a recipient principal's certificate and/or any certificate authority's certificate needed for the encrypting principal to verify the recipient principal's certificate.
    Type: Grant
    Filed: June 20, 1996
    Date of Patent: May 4, 1999
    Assignee: Novell, Inc.
    Inventor: Radia J. Perlman
  • Patent number: 5856974
    Abstract: The present invention is an address mapping gateway, used in an internetwork link, that associates all nodes in a domain with a single network number (referred to as a domain network address), and provides gateway-mapped node addresses that are unique within the domain. The address mapping gateway dynamically substitutes the "globally-unique" domain network address and the "domain-unique" gateway-mapped node address for a network number and node address, respectively, of a network layer address of a packet header received from a source node in the domain. Conversely, when a packet is received for a destination node in the domain, the address mapping gateway substitutes the originally-assigned network number and node address for the domain network address and gateway-mapped node address, respectively, prior to forwarding the packet to the node.
    Type: Grant
    Filed: February 13, 1996
    Date of Patent: January 5, 1999
    Assignee: Novell, Inc.
    Inventors: Joseph L. Gervais, Alampoondi E. Natarajan, Michael D. Allen, Radia J. Perlman
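
Worked example for application 20020144149 (the group-credential trust-rating entry above). This is an added illustration, not the applicants' code. The abstract does not fix how a path's composite rating or the overall rating is formed, so two rules are assumed here: the composite of a certification path is the product of the ratings of its credentials, and the overall rating of the credential set is the composite of the best-supported path. The credential set is constructed for the example and deliberately contains a cycle between two groups, so the path search has to terminate on one.

```python
from collections import namedtuple

# A group credential: "subject is a member of group", certified with a trust rating in
# [0, 1] that expresses confidence in that assertion (the abstract's per-credential rating).
Credential = namedtuple("Credential", "subject group rating")


def find_certification_paths(credentials, principal, target_group):
    """All chains principal -> G1 -> ... -> target_group built from group credentials.
    Group cycles are cut with a visited set, so a credential loop cannot recurse forever."""
    paths = []

    def walk(node, path, visited):
        for cred in credentials:
            if cred.subject != node or cred.group in visited:
                continue
            if cred.group == target_group:
                paths.append(path + [cred])
            else:
                walk(cred.group, path + [cred], visited | {cred.group})

    walk(principal, [], {principal})
    return paths


def composite_rating(path):
    """Composite rating of one path. Assumed rule (not fixed by the abstract): the product
    of the ratings, so a path is only as trustworthy as all of its links together."""
    result = 1.0
    for cred in path:
        if not 0.0 <= cred.rating <= 1.0:
            raise ValueError(f"rating out of range in {cred}")
        result *= cred.rating
    return result


def overall_rating(paths):
    """Overall rating of the credential set. Assumed rule: the best-supported path wins."""
    return max((composite_rating(p) for p in paths), default=0.0)


def evaluate_access(credentials, principal, required_group, threshold):
    """Access-control decision: grant only if at least one certification path reaches the
    group named in the resource policy and the overall rating meets the policy threshold."""
    paths = find_certification_paths(credentials, principal, required_group)
    score = overall_rating(paths)
    return {"granted": bool(paths) and score >= threshold, "overall": score, "paths": len(paths)}


# Constructed credential set (illustration only): alice reaches "engineering" by two paths of
# different confidence; "engineering" and "admins" certify each other, forming a cycle.
SAMPLE_CREDENTIALS = [
    Credential("alice", "staff", 0.90),
    Credential("staff", "engineering", 0.95),
    Credential("alice", "contractors", 0.60),
    Credential("contractors", "engineering", 0.90),
    Credential("engineering", "admins", 0.50),
    Credential("admins", "engineering", 0.99),
]

if __name__ == "__main__":
    for group in ("engineering", "admins"):
        print(group, evaluate_access(SAMPLE_CREDENTIALS, "alice", group, threshold=0.8))
```

With the constructed set, alice's best path to engineering is staff at 0.90 × 0.95 = 0.855, which clears a 0.8 policy; every path to admins passes through the 0.50 credential and the best of them scores 0.4275, so the same policy denies it. A principal with no credentials at all gets no paths and is denied regardless of threshold.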
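
Worked example for application 20020093967 (the duplicate router identifier entry above). This is an added illustration, not the applicants' code. The abstract names neither the measurement window nor the threshold rate nor how a replacement identifier is chosen, so the 60-second window, the threshold of three messages per window and the pool of spare identifiers are all assumptions. Two constructed scenarios are run: a restart, where a single stale copy of the router's own message is the normal case and only triggers a re-origination, and two routers misconfigured with the same identifier, where the rate of newer-than-own messages crosses the threshold and one of them reselects.

```python
import collections
import hashlib
import os


def rpm_checksum(router_id, seq, nonce):
    """Checksum over the message contents including a random nonce, so two routers that
    originate an RPM with the same identifier and sequence number still produce messages
    that differ and both get flooded (the abstract's reason for the random number)."""
    return hashlib.sha256(f"{router_id}:{seq}:{nonce.hex()}".encode()).hexdigest()[:8]


def make_rpm(router_id, seq):
    return {"id": router_id, "seq": seq, "chk": rpm_checksum(router_id, seq, os.urandom(8))}


class Router:
    def __init__(self, router_id, spare_ids, window=60.0, threshold=3):
        self.router_id = router_id
        self.spare_ids = iter(spare_ids)  # assumption: replacements come from a configured pool
        self.window = window              # assumption: seconds of history considered
        self.threshold = threshold        # assumption: newer-than-own RPMs tolerated per window
        self.seq = 0                      # sequence number of our most recently originated RPM
        self.last_chk = None
        self.hits = collections.deque()   # receive times of RPMs with our ID that looked newer
        self.id_history = [router_id]

    def originate(self):
        self.seq += 1
        rpm = make_rpm(self.router_id, self.seq)
        self.last_chk = rpm["chk"]
        return rpm

    def receive(self, rpm, now):
        """Returns the action taken: 'flood', 'stale', 'override' or 'reselected'."""
        if rpm["id"] != self.router_id:
            return "flood"   # someone else's RPM: ordinary link-state flooding
        if rpm["seq"] < self.seq or (rpm["seq"] == self.seq and rpm["chk"] == self.last_chk):
            return "stale"   # older than, or a copy of, what we last originated
        # Carries our identifier but looks newer than our own latest RPM. One such message
        # after a restart is normal: adopt its sequence number so our next RPM overrides it.
        self.seq = rpm["seq"]
        self.hits.append(now)
        while self.hits and now - self.hits[0] > self.window:
            self.hits.popleft()
        if len(self.hits) > self.threshold:
            # Too many within the window: infer another router is using our identifier.
            self.router_id = next(self.spare_ids)
            self.id_history.append(self.router_id)
            self.seq, self.last_chk = 0, None
            self.hits.clear()
            return "reselected"
        return "override"


def restart_scenario():
    """After a reboot our sequence number restarts at 0 while a copy of our old RPM (seq 17)
    is still circulating. Returns (action, identifier kept, sequence number we originate next)."""
    r = Router("R1", ["R1-spare"])
    action = r.receive({"id": "R1", "seq": 17, "chk": "deadbeef"}, now=0.0)
    return action, r.router_id, r.originate()["seq"]


def duplicate_scenario(rounds=8):
    """Two routers configured with the same identifier, exchanging RPMs once per second.
    Returns the final identifiers and the list of actions taken, in order."""
    a = Router("R1", [f"R1-a{i}" for i in range(4)])
    b = Router("R1", [f"R1-b{i}" for i in range(4)])
    actions = []
    for t in range(rounds):
        actions.append(b.receive(a.originate(), now=float(t)))
        actions.append(a.receive(b.originate(), now=float(t)))
    return a.router_id, b.router_id, actions


if __name__ == "__main__":
    print(restart_scenario())
    print(duplicate_scenario())
```

In the restart scenario the router adopts sequence number 17 from the stale copy and originates 18, which overrides it; its identifier is untouched. In the duplicate scenario each router keeps overriding the other, so every exchange counts as a hit, and on the fourth hit inside the window one router moves to its first spare identifier; from then on each router sees the other's RPMs as ordinary foreign messages and simply floods them.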
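
Worked example for US 6,363,480 (the ephemeral key entry above). This is an added illustration, not code from the patent or from Sun Microsystems. The patent does not say what kind of key pair the first party holds, so a textbook RSA pair (no padding scheme; illustration only) stands in for the ephemeral encryption/decryption key, and an HMAC-SHA256 keystream stands in for the cipher protecting the message body; both are assumptions. The code shows the pieces the abstract describes: a server holding one key pair per expiration time, a second party selecting an expiry and encrypting under that key, the server decrypting only the wrapped message key (the "portion" of the message it handles), and the decryption key being destroyed at the expiration time so the ciphertext, though retained, can no longer be opened.

```python
import hashlib
import hmac
import math
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def _rsa_keygen(bits):
    """Textbook RSA pair (n, e, d); a stand-in for the patent's unspecified key type."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def _keystream_xor(key, data):
    """Body encryption under the per-message key: HMAC-SHA256 used as a PRF in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


class EphemeralKeyServer:
    """The first party: one key pair per expiration time; decryption keys are destroyed
    as soon as their expiration time is reached."""

    def __init__(self, expiration_times, bits=512):
        self._keys = {t: _rsa_keygen(bits) for t in expiration_times}

    def expire(self, now):
        for t in [t for t in self._keys if now >= t]:
            del self._keys[t]   # destroy every copy of the decryption key

    def encryption_key(self, expiration_time, now):
        self.expire(now)
        n, e, _ = self._keys[expiration_time]   # KeyError: no key, or already expired
        return n, e

    def decrypt(self, expiration_time, wrapped, now):
        self.expire(now)
        if expiration_time not in self._keys:
            raise KeyError(f"decryption key for expiry {expiration_time} has been destroyed")
        n, _, d = self._keys[expiration_time]
        return pow(wrapped, d, n)


def seal_message(server, expiration_time, plaintext, now):
    """Second party: wrap a fresh 128-bit message key under the ephemeral encryption key
    for the chosen expiry, and encrypt the body under that message key."""
    n, e = server.encryption_key(expiration_time, now)
    msg_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(msg_key, "big"), e, n)
    return wrapped, _keystream_xor(msg_key, plaintext)


def open_message(server, expiration_time, wrapped, body, now):
    """Ask the server to unwrap only the message key, then recover the body locally.
    Raises KeyError once the ephemeral decryption key has been destroyed."""
    msg_key = server.decrypt(expiration_time, wrapped, now).to_bytes(16, "big")
    return _keystream_xor(msg_key, body)


def lifecycle_demo():
    """Full life cycle on constructed data. Returns (decrypts before expiry,
    refuses after expiry, a later-expiring key is still usable)."""
    srv = EphemeralKeyServer([100.0, 200.0], bits=256)   # small modulus for speed only
    w1, b1 = seal_message(srv, 100.0, b"gone at t=100", now=10.0)
    w2, b2 = seal_message(srv, 200.0, b"gone at t=200", now=10.0)
    before = open_message(srv, 100.0, w1, b1, now=99.0) == b"gone at t=100"
    try:
        open_message(srv, 100.0, w1, b1, now=100.0)
        refused = False
    except KeyError:
        refused = True
    later = open_message(srv, 200.0, w2, b2, now=150.0) == b"gone at t=200"
    return before, refused, later
```

The property the patent is after holds only as strongly as the deletion: the server must hold the sole copies of the decryption key and must not have backed them up, and the clock it uses to expire keys is part of the trust base. A real deployment would also replace the textbook RSA wrap with a padded scheme such as RSA-OAEP or a proper KEM.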
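
Worked example for US 6,055,316 (the cipher-block-chaining initialization vector entry above). This is an added illustration, not code from the patent or from Sun Microsystems. The patent names no block cipher and no hash, so XTEA (64-bit block) and a truncated SHA-256 stand in for them; DEMO_KEY and the sample plaintexts are constructed. The code shows the effect the patent is after, namely that consecutive sequence numbers give IVs that differ in roughly half their bits rather than in one bit, and also the caveat a practitioner needs: hashing a public counter keeps the IV predictable, and a predictable CBC IV lets anyone who can get chosen plaintext encrypted on the same channel confirm a guess at the first block of an earlier message. The keyed derivation iv_keyed is the usual remedy and is not part of the patent.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 8                    # XTEA block size in bytes
DEMO_KEY = bytes(range(16))  # constructed 128-bit key, illustration only


def _xtea_encrypt_block(k, block):
    v0, v1 = struct.unpack(">II", block)
    s = 0
    for _ in range(32):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">II", v0, v1)


def _xtea_decrypt_block(k, block):
    v0, v1 = struct.unpack(">II", block)
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack(">II", v0, v1)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv, plaintext):
    """CBC mode with PKCS#7 padding; iv is BLOCK bytes."""
    k = struct.unpack(">4I", key)
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = _xtea_encrypt_block(k, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    k = struct.unpack(">4I", key)
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(_xtea_decrypt_block(k, cur), prev))
        prev = cur
    data = b"".join(out)
    pad = data[-1] if data else 0
    if not 1 <= pad <= BLOCK or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return data[:-pad]


def iv_raw_counter(seq):
    """What the patent argues against: the sequence number used directly as the IV."""
    return struct.pack(">Q", seq)


def iv_hashed(seq):
    """The patent's construction: an unkeyed hash of the sequence number."""
    return hashlib.sha256(struct.pack(">Q", seq)).digest()[:BLOCK]


def iv_keyed(iv_key, seq):
    """Keyed derivation (not in the patent): unpredictable without iv_key."""
    return hmac.new(iv_key, struct.pack(">Q", seq), hashlib.sha256).digest()[:BLOCK]


def hamming_distance(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class Sender:
    """Source device: one CBC-encrypted message per sequence number."""

    def __init__(self, key, iv_fn):
        self.key, self.iv_fn, self.seq = key, iv_fn, 0

    def send(self, plaintext):
        seq, self.seq = self.seq, self.seq + 1
        return seq, cbc_encrypt(self.key, self.iv_fn(seq), plaintext)


def guess_confirmed(iv_fn, attacker_iv, secret, guess):
    """Chosen-plaintext check of a guess at the first block of an earlier message.
    The attacker saw message seq_s, predicts IV_s and the next IV_t with attacker_iv, and
    has X = guess ^ IV_s ^ IV_t encrypted. Since E(X ^ IV_t) = E(guess ^ IV_s), the first
    ciphertext blocks match exactly when the guess is right. Only IV predictability is
    needed, which hashing a public counter does not remove."""
    sender = Sender(DEMO_KEY, iv_fn)
    seq_s, c_s = sender.send(secret)
    seq_t = sender.seq
    x = _xor(_xor(guess, attacker_iv(seq_s)), attacker_iv(seq_t))
    _, c_t = sender.send(x)
    return c_t[:BLOCK] == c_s[:BLOCK]
```

Running guess_confirmed with iv_raw_counter or iv_hashed confirms a correct guess and rejects a wrong one, so the hashed IV removes the one-bit correlation between adjacent IVs but not the predictability the attack relies on. With iv_keyed under a key the attacker does not hold, the attacker's best public prediction (iv_hashed) is wrong and the check fails even for a correct guess.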