MODIFIED PTO/SB/05
Approved for use through 10/31/2002. OMB 0651-
U.S. Patent and Trademark Office, U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.

UTILITY PATENT APPLICATION TRANSMITTAL
(Only for new nonprovisional applications under 37 CFR 1.53(b))

Attorney Docket No.: 000479.00082
First Inventor: Edmond Colby Munger
Title: IMPROVEMENTS TO AN AGILE NETWORK PROTOCOL FOR SECURE COMMUNICATIONS WITH ASSURED SYSTEM AVAILABILITY
Express Mail Label No.:

ADDRESS TO:
Assistant Commissioner for Patents
Box Patent Application
Washington, DC 20231

APPLICATION ELEMENTS
See MPEP chapter 600 concerning utility patent application contents.
`
`
`
`
Fee Transmittal Form (e.g., PTO/SB/17)
(Submit an original and a duplicate for fee processing)
Applicant claims small entity status. See 37 CFR 1.27.
Specification [Total Pages ]
(preferred arrangement set forth below)
- Descriptive title of the invention
- Cross Reference to Related Applications
- Statement Regarding Fed sponsored R & D
- Reference to sequence listing, a table, or a computer program listing appendix
- Background of the Invention
- Brief Summary of the Invention
- Brief Description of the Drawings (if filed)
- Detailed Description
- Claim(s)
- Abstract of the Disclosure
4. [X] Drawing(s) (35 U.S.C. 113) [Total Sheets ]
   a. [X] Formal, or
   b. [ ] Informal
5. Oath or Declaration [Total Pages ]
   a. [ ] Newly executed (original or copy), or
   b. [X] Copy from a prior application (37 CFR 1.63(d)) (for a continuation/divisional with Box 18 completed)
      i. [ ] DELETION OF INVENTOR(S): Signed statement attached deleting inventor(s) named in the prior application, see 37 CFR 1.63(d)(2) and 1.33(b)
6. [X] Application Data Sheet. See 37 CFR 1.76
7. [ ] CD-ROM or CD-R in duplicate, large table or Computer Program (Appendix)
8. Nucleotide and/or Amino Acid Sequence Submission (if applicable, all necessary)
   a. [ ] Computer Readable Form (CRF)
   b. Specification Sequence Listing on:
      i. [ ] CD-ROM or CD-R (2 copies), or
      ii. [ ] paper
   c. [ ] Statements verifying identity of above copies

ACCOMPANYING APPLICATION PARTS
9. [ ] Assignment Papers (cover sheet & document(s))
10. [ ] 37 CFR 3.73(b) Statement (when there is an assignee)  [ ] Power of Attorney
11. English Translation Document (if applicable)
12. Information Disclosure Statement (IDS)/PTO-1449  [ ] Copies of IDS Citations
Preliminary Amendment
Return Receipt Postcard (MPEP 503) (Should be specifically itemized)
Certified Copy of Priority Document(s) (if foreign priority is claimed)
Nonpublication Request under 35 U.S.C. 122(b)(2)(B)(i). Applicant must attach form PTO/SB/35 or its equivalent.
Other:
`
18. If a CONTINUING APPLICATION, check appropriate box, and supply the requisite information below and in a preliminary amendment, or in an Application Data Sheet under 37 CFR 1.76:
[ ] Continuation  [X] Divisional  [ ] Continuation-in-part (CIP) of prior application No. 09/504,783
Prior application information: Examiner Krisna Lim; Group / Art Unit 2153
For CONTINUATION or DIVISIONAL APPS only: The entire disclosure of the prior application, from which an oath or declaration is supplied under Box 5b, is considered a part of the disclosure of the accompanying or divisional application and is hereby incorporated by reference. The incorporation can only be relied upon when a portion has been inadvertently omitted from the submitted application parts.
17. CORRESPONDENCE ADDRESS
Customer Number or Bar Code Label: 22907 (Insert Customer No. or attach bar code label here)
or [ ] Correspondence address below
Address:
City:
State:
Country:
Telephone:

Name (Print/Type): Ross A. Dannenberg
Registration No. (Attorney/Agent): 49,024
Signature:
Date: September 30, 2002
`
Burden Hour Statement: This form is estimated to take 0.2 hours to complete. Time will vary depending upon the needs of the individual case. Any comments on the amount of time you are required to complete this form should be sent to the Chief Information Officer, U.S. Patent and Trademark Office, Washington, DC 20231. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. SEND TO: Assistant Commissioner for Patents, Box Patent Application, Washington, DC 20231.
`
`Petitioner Apple - EX. 1002, p. 1
`
FEE TRANSMITTAL for FY 2002
Approved for use through 10/31/2002. OMB 0651-003.
U.S. Patent and Trademark Office, U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
Patent fees are subject to annual revision.
[ ] Applicant claims small entity status. See 37 CFR 1.27
TOTAL AMOUNT OF PAYMENT ($):

Complete If Known
Application Number: TBA
Filing Date: September 30, 2002
First Named Inventor: Edmond Colby Munger
Examiner Name: TBA
Group / Art Unit: 2153
Attorney Docket No.: 000479.00082
`
[ ] Check  [ ] Credit card  [ ] Money Order  [ ] Other  [ ] None  [X] Deposit Account
Deposit Account Number: 19.0733
Deposit Account Name: Banner & Witcoff, Ltd.

The Commissioner is authorized to: (check all that apply)
Charge fee(s) indicated below
[X] Credit any overpayments
[ ] Charge any additional fee(s) during the pendency of this application
[ ] Charge fee(s) indicated below, except for the filing fee
to the above-identified deposit account.

FEE CALCULATION
1. BASIC FILING FEE: SUBTOTAL (1)
2. EXTRA CLAIM FEES
3. ADDITIONAL FEES: SUBTOTAL (3) ($) 0
[Pre-printed FY 2002 fee schedule (fee codes, amounts and descriptions for large and small entities): table layout not recoverable from the scan.]
*Reduced by Basic Filing Fee Paid
**or number previously paid, if greater; For Reissues, see above
`
`
`
`
`
SUBMITTED BY (Complete if applicable)
Name (Print/Type): Ross A. Dannenberg
Registration No. (Attorney/Agent): 49,024
Telephone: (202) 508-9153
Signature:
Date: September 30, 2002

WARNING: Information on this form may become public. Credit card information should not be included on this form. Provide credit card information and authorization on PTO-2038.
`
Application Data Sheet

Application Information

Application number:
Filing Date:
Application Type: Regular
Subject Matter: Utility
Suggested classification:
Suggested Group Art Unit:
CD-ROM or CD-R?: None
Number of CD disks:
Number of copies of CDs:
Sequence submission?:
Computer Readable Form (CRF)?:
Number of copies of CRF:
Title: IMPROVEMENTS TO AN AGILE NETWORK PROTOCOL FOR SECURE COMMUNICATIONS WITH ASSURED SYSTEM AVAILABILITY
Attorney Docket Number: 000479.00082
Request for Early Publication?: NO
Request for Non-Publication?: NO
Suggested Drawing Figure:
Total Drawing Sheets: 35
Small Entity?: NO
Latin name:
Variety denomination name:
Petition included?: NO
Petition Type:
Licensed US Govt. Agency:
Contract or Grant Numbers:
Secrecy Order in Parent Appl.?: NO

Initial 09/30/02
`
Applicant Information

Applicant Authority Type: Inventor
Primary Citizenship Country: USA
Status: Full Capacity
Given Name: Edward
Middle Name: Colby
Family Name: Munger
Name Suffix:
City of Residence: Crownsville
State or Province of Residence: MD
Country of Residence: USA
Street of mailing address: 1101 Opaca Court
City of mailing address: Crownsville
State or Province of mailing address: MD
Country of mailing address: USA
Postal or Zip Code of mailing address: 21032

Applicant Authority Type: Inventor
Primary Citizenship Country: USA
Status: Full Capacity
Given Name: Douglas
Middle Name: Charles
Family Name: Schmidt
Name Suffix:
City of Residence: Severna Park
State or Province of Residence: MD
Country of Residence: USA
Street of mailing address: 230 Oak Court
City of mailing address: Severna Park
State or Province of mailing address: MD
Country of mailing address: USA
Postal or Zip Code of mailing address: 21146

Applicant Authority Type: Inventor
Primary Citizenship Country: USA
Status: Full Capacity
Given Name: Robert
Middle Name: Dunham
Family Name: Short
Name Suffix: III
City of Residence: Leesburg
State or Province of Residence: VA
Country of Residence: USA
Street of mailing address: 38710 Goose Creek Lane
City of mailing address: Leesburg
State or Province of mailing address: VA
Country of mailing address: USA
Postal or Zip Code of mailing address: 20175

Applicant Authority Type: Inventor
Primary Citizenship Country: USA
Status: Full Capacity
Given Name: Victor
Middle Name:
Family Name: Larson
Name Suffix:
City of Residence: Fairfax
State or Province of Residence: VA
Country of Residence: USA
Street of mailing address: 12026 Lisa Marie Court
City of mailing address: Fairfax
State or Province of mailing address: VA
Country of mailing address: USA
Postal or Zip Code of mailing address: 22033

Applicant Authority Type: Inventor
Primary Citizenship Country: USA
Status: Full Capacity
Given Name: Michael
Middle Name:
Family Name: Williamson
Name Suffix:
City of Residence: South Riding
State or Province of Residence: VA
Country of Residence: USA
Street of mailing address: 26203 Ocala Circle
City of mailing address: South Riding
State or Province of mailing address: VA
Country of mailing address: USA
Postal or Zip Code of mailing address: 20152
`
Correspondence Information

Correspondence Customer Number: 22907

Representative Information

Representative Customer Number: 22907

Domestic Priority Information

Application: This Application
Continuity Type: Division of
Parent Application: 09/504,783
Parent Filing Date: 02/15/00

Foreign Priority Information

Country:
Application number:
Filing Date:
Priority Claimed:

Assignee Information

Assignee name: Science Applications International Corporation
Street of mailing address: 10260 Campus Point Drive
City of mailing address: San Diego
State or Province of mailing address: CA
Country of mailing address: USA
Postal or Zip Code of mailing address: 92121
`
`IMPROVEMENTS TO AN AGILE NETWORK PROTOCOL
`FOR SECURE COMMUNICATIONS
`WITH ASSURED SYSTEM AVAILABILITY
`
`CROSS-REFERENCE TO RELATED APPLICATIONS
`
[01] This application is a divisional application of 09/504,783 (filed February 15, 2000), which claims priority from and is a continuation-in-part of previously filed U.S. application serial number 09/429,643 (filed October 29, 1999). The subject matter of that application, which is bodily incorporated herein, derives from provisional U.S. application numbers 60/106,261 (filed October 30, 1998) and 60/137,704 (filed June 7, 1999).
`
`BACKGROUND OF THE INVENTION
`
[02] A tremendous variety of methods have been proposed and implemented to provide security and anonymity for communications over the Internet. The variety stems, in part, from the different needs of different Internet users. A basic heuristic framework to aid in discussing these different security techniques is illustrated in FIG. 1. Two terminals, an originating terminal 100 and a destination terminal 110 are in communication over the Internet. It is desired for the communications to be secure, that is, immune to eavesdropping. For example, terminal 100 may transmit secret information to terminal 110 over the Internet 107. Also, it may be desired to prevent an eavesdropper from discovering that terminal 100 is in communication with terminal 110. For example, if terminal 100 is a user and terminal 110 hosts a web site, terminal 100’s user may not want anyone in the intervening networks to know what web sites he is “visiting.” Anonymity would thus be an issue, for example, for companies that want to keep their market research interests private and thus would prefer to prevent outsiders from knowing which web-sites or other Internet resources they are “visiting.” These two security issues may be called data security and anonymity, respectively.
`
[03] Data security is usually tackled using some form of data encryption. An encryption key 48 is known at both the originating and terminating terminals 100 and 110. The keys may be private and public at the originating and destination terminals 100 and 110, respectively or they may be symmetrical keys (the same key is used by both parties to encrypt and decrypt). Many encryption methods are known and usable in this context.
`
`
[04] To hide traffic from a local administrator or ISP, a user can employ a local proxy server in communicating over an encrypted channel with an outside proxy such that the local administrator or ISP only sees the encrypted traffic. Proxy servers prevent destination servers from determining the identities of the originating clients. This system employs an intermediate server interposed between client and destination server. The destination server sees only the Internet Protocol (IP) address of the proxy server and not the originating client. The target server only sees the address of the outside proxy. This scheme relies on a trusted outside proxy server. Also, proxy schemes are vulnerable to traffic analysis methods of determining identities of transmitters and receivers. Another important limitation of proxy servers is that the server knows the identities of both calling and called parties. In many instances, an originating terminal, such as terminal A, would prefer to keep its identity concealed from the proxy, for example, if the proxy server is provided by an Internet service provider (ISP).
`
[05] To defeat traffic analysis, a scheme called Chaum’s mixes employs a proxy server that transmits and receives fixed length messages, including dummy messages. Multiple originating terminals are connected through a mix (a server) to multiple target servers. It is difficult to tell which of the originating terminals are communicating to which of the connected target servers, and the dummy messages confuse eavesdroppers’ efforts to detect communicating pairs by analyzing traffic. A drawback is that there is a risk that the mix server could be compromised. One way to deal with this risk is to spread the trust among multiple mixes. If one mix is compromised, the identities of the originating and target terminals may remain concealed. This strategy requires a number of alternative mixes so that the intermediate servers interposed between the originating and target terminals are not determinable except by compromising more than one mix. The strategy wraps the message with multiple layers of encrypted addresses. The first mix in a sequence can decrypt only the outer layer of the message to reveal the next destination mix in sequence. The second mix can decrypt the message to reveal the next mix and so on. The target server receives the message and, optionally, a multi-layer encrypted payload containing return information to send data back in the same fashion. The only way to defeat such a mix scheme is to collude among mixes. If the packets are all fixed-length and intermixed with dummy packets, there is no way to do any kind of traffic analysis.
`
`
[06] Still another anonymity technique, called ‘crowds,’ protects the identity of the originating terminal from the intermediate proxies by providing that originating terminals belong to groups of proxies called crowds. The crowd proxies are interposed between originating and target terminals. Each proxy through which the message is sent is randomly chosen by an upstream proxy. Each intermediate proxy can send the message either to another randomly chosen proxy in the “crowd” or to the destination. Thus, even crowd members cannot determine if a preceding proxy is the originator of the message or if it was simply passed from another proxy.
`
[07] ZKS (Zero-Knowledge Systems) Anonymous IP Protocol allows users to select up to any of five different pseudonyms, while desktop software encrypts outgoing traffic and wraps it in User Datagram Protocol (UDP) packets. The first server in a 2+-hop system gets the UDP packets, strips off one layer of encryption to add another, then sends the traffic to the next server, which strips off yet another layer of encryption and adds a new one. The user is permitted to control the number of hops. At the final server, traffic is decrypted with an untraceable IP address. The technique is called onion-routing. This method can be defeated using traffic analysis. For a simple example, bursts of packets from a user during low-duty periods can reveal the identities of sender and receiver.
`
[08] Firewalls attempt to protect LANs from unauthorized access and hostile exploitation or damage to computers connected to the LAN. Firewalls provide a server through which all access to the LAN must pass. Firewalls are centralized systems that require administrative overhead to maintain. They can be compromised by virtual-machine applications (“applets”). They instill a false sense of security that leads to security breaches for example by users sending sensitive information to servers outside the firewall or encouraging use of modems to sidestep the firewall security. Firewalls are not useful for distributed systems such as business travelers, extranets, small teams, etc.
`
`SUMMARY OF THE INVENTION
`
[09] A secure mechanism for communicating over the Internet, including a protocol referred to as the Tunneled Agile Routing Protocol (TARP), uses a unique two-layer encryption format and special TARP routers. TARP routers are similar in function to regular IP routers. Each TARP router has one or more IP addresses and uses normal IP protocol to send IP packet messages (“packets” or “datagrams”). The IP packets exchanged between TARP terminals via TARP routers are actually encrypted packets whose true destination address is concealed except to TARP routers and servers. The normal or “clear” or “outside” IP header attached to TARP IP packets contains only the address of a next hop router or destination server. That is, instead of indicating a final destination in the destination field of the IP header, the TARP packet’s IP header always points to a next-hop in a series of TARP router hops, or to the final destination. This means there is no overt indication from an intercepted TARP packet of the true destination of the TARP packet since the destination could always be next-hop TARP router as well as the final destination.
`
[10] Each TARP packet’s true destination is concealed behind a layer of encryption generated using a link key. The link key is the encryption key used for encrypted communication between the hops intervening between an originating TARP terminal and a destination TARP terminal. Each TARP router can remove the outer layer of encryption to reveal the destination router for each TARP packet. To identify the link key needed to decrypt the outer layer of encryption of a TARP packet, a receiving TARP or routing terminal may identify the transmitting terminal by the sender/receiver IP numbers in the cleartext IP header.
`
[11] Once the outer layer of encryption is removed, the TARP router determines the final destination. Each TARP packet 140 undergoes a minimum number of hops to help foil traffic analysis. The hops may be chosen at random or by a fixed value. As a result, each TARP packet may make random trips among a number of geographically disparate routers before reaching its destination. Each trip is highly likely to be different for each packet composing a given message because each trip is independently randomly determined. This feature is called agile routing. The fact that different packets take different routes provides distinct advantages by making it difficult for an interloper to obtain all the packets forming an entire multi-packet message. The associated advantages have to do with the inner layer of encryption discussed below. Agile routing is combined with another feature that furthers this purpose; a feature that ensures that any message is broken into multiple packets.
`
[12] The IP address of a TARP router can be changed, a feature called IP agility. Each TARP router, independently or under direction from another TARP terminal or router, can change its IP address. A separate, unchangeable identifier or address is also defined. This address, called the TARP address, is known only to TARP routers and terminals and may be correlated at any time by a TARP router or a TARP terminal using a Lookup Table (LUT). When a TARP router or terminal changes its IP address, it updates the other TARP routers and terminals which in turn update their respective LUTs.
`
[13] The message payload is hidden behind an inner layer of encryption in the TARP packet that can only be unlocked using a session key. The session key is not available to any of the intervening TARP routers. The session key is used to decrypt the payloads of the TARP packets permitting the data stream to be reconstructed.
`
[14] Communication may be made private using link and session keys, which in turn may be shared and used according to any desired method. For example, public/private keys or symmetric keys may be used.
`
[15] To transmit a data stream, a TARP originating terminal constructs a series of TARP packets from a series of IP packets generated by a network (IP) layer process. (Note that the terms “network layer,” “data link layer,” “application layer,” etc. used in this specification correspond to the Open Systems Interconnection (OSI) network terminology.) The payloads of these packets are assembled into a block and chain-block encrypted using the session key. This assumes, of course, that all the IP packets are destined for the same TARP terminal. The block is then interleaved and the interleaved encrypted block is broken into a series of payloads, one for each TARP packet to be generated. Special TARP headers IPT are then added to each payload using the IP headers from the data stream packets. The TARP headers can be identical to normal IP headers or customized in some way. They should contain a formula or data for deinterleaving the data at the destination TARP terminal, a time-to-live (TTL) parameter to indicate the number of hops still to be executed, a data type identifier which indicates whether the payload contains, for example, TCP or UDP data, the sender’s TARP address, the destination TARP address, and an indicator as to whether the packet contains real or decoy data or a formula for filtering out decoy data if decoy data is spread in some way through the TARP payload data.
`
`
[16] Note that although chain-block encryption is discussed here with reference to the session key, any encryption method may be used. Preferably, as in chain block encryption, a method should be used that makes unauthorized decryption difficult without an entire result of the encryption process. Thus, by separating the encrypted block among multiple packets and making it difficult for an interloper to obtain access to all of such packets, the contents of the communications are provided an extra layer of security.
`
[17] Decoy or dummy data can be added to a stream to help foil traffic analysis by reducing the peak-to-average network load. It may be desirable to provide the TARP process with an ability to respond to the time of day or other criteria to generate more decoy data during low traffic periods so that communication bursts at one point in the Internet cannot be tied to communication bursts at another point to reveal the communicating endpoints.
`
[18] Dummy data also helps to break the data into a larger number of inconspicuously-sized packets permitting the interleave window size to be increased while maintaining a reasonable size for each packet. (The packet size can be a single standard size or selected from a fixed range of sizes.) One primary reason for desiring for each message to be broken into multiple packets is apparent if a chain block encryption scheme is used to form the first encryption layer prior to interleaving. A single block encryption may be applied to portion, or entirety, of a message, and that portion or entirety then interleaved into a number of separate packets. Considering the agile IP routing of the packets, and the attendant difficulty of reconstructing an entire sequence of packets to form a single block-encrypted message element, decoy packets can significantly increase the difficulty of reconstructing an entire data stream.
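
Added illustration, not part of the application: the following Python code applies the interleaving and decoy steps of paragraphs [15] to [18] to an already-encrypted block and counts how many cipher blocks an interloper loses when one packet is missed. The byte-stride interleaver, the header field names (seq, window, total_len, decoy) and the 16-byte cipher block size are assumptions; the session-key and link-key encryption, TTL and addressing are outside its scope.

```python
"""Byte-stride interleaving of one encrypted block across TARP-style packets.

Added illustration of paragraphs [15]-[18]; not code from the application.
The "encrypted block" is any byte string; field names are hypothetical.
"""
import random
from dataclasses import dataclass

CIPHER_BLOCK = 16  # assumed size in bytes of one chained cipher block


@dataclass(frozen=True)
class TarpPacket:
    seq: int        # deinterleaving data: packet holds bytes seq, seq+window, ...
    window: int     # interleave window = number of real packets
    total_len: int  # length of the encrypted block before padding
    decoy: bool     # True when the payload is dummy data
    payload: bytes


def interleave(block: bytes, window: int) -> list:
    """Split block into `window` equal-size payloads; byte i goes to packet i % window."""
    if window < 1 or not block:
        raise ValueError("need a non-empty block and window >= 1")
    padded = block + bytes(-len(block) % window)  # zero-pad so all packets match in size
    return [TarpPacket(s, window, len(block), False, padded[s::window])
            for s in range(window)]


def add_decoys(packets: list, count: int, rng: random.Random) -> list:
    """Mix in `count` same-size decoy packets and shuffle the transmission order."""
    first = packets[0]
    size = len(first.payload)
    decoys = [TarpPacket(-1, first.window, first.total_len, True,
                         bytes(rng.getrandbits(8) for _ in range(size)))
              for _ in range(count)]
    mixed = list(packets) + decoys
    rng.shuffle(mixed)
    return mixed


def _real(received: list) -> list:
    """Filter out decoys using the header indicator."""
    real = [p for p in received if not p.decoy]
    if not real:
        raise ValueError("no real packets received")
    return real


def deinterleave(received: list) -> bytes:
    """Drop decoys and rebuild the encrypted block; fail if a real packet is missing."""
    real = _real(received)
    window, total = real[0].window, real[0].total_len
    by_seq = {p.seq: p.payload for p in real}
    missing = sorted(set(range(window)) - set(by_seq))
    if missing:
        raise ValueError(f"missing packets {missing}: block cannot be rebuilt")
    out = bytearray(total + (-total % window))
    for seq, payload in by_seq.items():
        out[seq::window] = payload
    return bytes(out[:total])


def damaged_cipher_blocks(received: list) -> int:
    """Count cipher blocks with at least one byte absent from a partial capture."""
    real = _real(received)
    window, total = real[0].window, real[0].total_len
    have = {p.seq for p in real}
    return len({i // CIPHER_BLOCK for i in range(total) if i % window not in have})


if __name__ == "__main__":
    rng = random.Random(7)         # fixed seed: constructed, repeatable demo
    ciphertext = bytes(range(64))  # constructed stand-in for 4 cipher blocks
    sent = add_decoys(interleave(ciphertext, window=4), count=3, rng=rng)
    assert deinterleave(sent) == ciphertext
    partial = [p for p in sent if p.seq != 2]  # one real packet never captured
    print("window 4, one packet missing:",
          damaged_cipher_blocks(partial), "of 4 blocks damaged")
    wide = [p for p in interleave(ciphertext, window=32) if p.seq != 0]
    print("window 32, one packet missing:",
          damaged_cipher_blocks(wide), "of 4 blocks damaged")
```

With a window no larger than the cipher block size, one missed packet leaves a hole in every cipher block of the sample. With a window of 32, half of the 16-byte blocks arrive complete, so for this particular interleaver the window has to be chosen with the cipher block size in mind.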
`
[19] The above scheme may be implemented entirely by processes operating between the data link layer and the network layer of each server or terminal participating in the TARP system. Because the encryption system described above is insertable between the data link and network layers, the processes involved in supporting the encrypted communication may be completely transparent to processes at the IP (network) layer and above. The TARP processes may also be completely transparent to the data link layer processes as well. Thus, no operations at or above the Network layer, or at or below the data link layer, are affected by the insertion of the TARP stack. This provides additional security to all processes at or above the network layer, since the difficulty of unauthorized penetration of the network layer (by, for example, a hacker) is increased substantially. Even newly developed servers running at the session layer leave all processes below the session layer vulnerable to attack. Note that in this architecture, security is distributed. That is, notebook computers used by executives on the road, for example, can communicate over the Internet without any compromise in security.
`
[20] IP address changes made by TARP terminals and routers can be done at regular intervals, at random intervals, or upon detection of “attacks.” The variation of IP addresses hinders traffic analysis that might reveal which computers are communicating, and also provides a degree of immunity from attack. The level of immunity from attack is roughly proportional to the rate at which the IP address of the host is changing.
`
[21] As mentioned, IP addresses may be changed in response to attacks. An attack may be revealed, for example, by a regular series of messages indicating that a router is being probed in some way. Upon detection of an attack, the TARP layer process may respond to this event by changing its IP address. In addition, it may create a subprocess that maintains the original IP address and continues interacting with the attacker in some manner.
`
[22] Decoy packets may be generated by each TARP terminal on some basis determined by an algorithm. For example, the algorithm may be a random one which calls for the generation of a packet on a random basis when the terminal is idle. Alternatively, the algorithm may be responsive to time of day or detection of low traffic to generate more decoy packets during low traffic times. Note that packets are preferably generated in groups, rather than one by one, the groups being sized to simulate real messages. In addition, so that decoy packets may be inserted in normal TARP message streams, the background loop may have a latch that makes it more likely to insert decoy packets when a message stream is being received. Alternatively, if a large number of decoy packets is received along with regular TARP packets, the algorithm may increase the rate of dropping of decoy packets rather than forwarding them. The result of dropping and generating decoy packets in this way is to make the apparent incoming message size different from the apparent outgoing message size to help foil traffic analysis.
`
`
[23] In various other embodiments of the