USOO7490151B2
`
`(12) United States Patent
`US 7,490,151 B2
`(10) Patent N0.:
`(45) Date of Patent:
`Feb. 10, 2009
`Munger et al.
`
`(54)
`
`ESTABLISHMENT OF A SECURE
`COMMUNICATION LINK BASED ON A
`
`DOMAIN NAME SERVICE (DNS) REQUEST
`
`(75)
`
`Inventors: Edward Colby Munger, Crownsville,
`MD (US); Robert Dunham Short, III,
`Leesburg, VA (US); Victor Larson,
`Fairfax, VA (US); Michael Williamson,
`South Riding, VA (US)
`
`(73)
`
`Assignee: Virnetx lnc., Scotts Valley Drive, CA
`(US)
`
`(*l
`
`Notice:
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 818 days.
`
`(21)
`
`Appl. N0.: 10/259,494
`
`(22)
`
`Filed:
`
`Sep. 30, 2002
`
`(65)
`
`(60)
`
`(60)
`
`(51)
`
`(52)
`(58)
`
`Prior Publication Data
`
`US 2003/0037142 A1
`
`Feb. 20, 2003
`
`Related US. Application Data
`
`Division of application No. 09/504,783, filed on Feb.
`15, 2000, now Pat. No. 6,502,135, which is a continu—
`ation-in—part of application No. 09/429,643, filed on
`Oct. 29, 1999, now Pat. No. 7,010,604.
`
`Provisional application No. 60/137,704, filed on Jun.
`7, 1999, provisional application No. 60/106,261, filed
`011 Oct. 30, 1998.
`
`Int. Cl.
`(2006.01)
`0an 15/173
`U.S. Cl.
`....................................... 709/225; 709/229
`Field of Classification Search ......... 709/2177225,
`709/229; 713/201
`See application file for complete search history.
`
`(56)
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`4,933,846 A
`
`6/1990 Humphrey et a1.
`
`(Continued)
`FOREIGN PATENT DOCUMENTS
`
`DE
`
`199 24 575
`
`12/1999
`
`(Continued)
`OTHER PUBLICATIONS
`
`Search Report (dated Aug. 23, 2002), International Application No.
`PCTflJSOl/13260.
`
`(Continued)
`
`Primary ExamineriKr‘isna I ,im
`(74) Attorney, Agent, or FirmiMcDermott Will & Emery
`
`(57)
`
`ABSTRACT
`
`A plurality of computer nodes communicate using seemingly
`random Internet Protocol source and destination addresses.
`Data packets matching criteria defined by a moving window
`of valid addresses are accepted for further processing, while
`those that do not meet the criteria are quickly rejected.
`Improvements to the basic design include (1) a load balancer
`that distributes packets across different transmission paths
`according to transmission path quality; (2) a DNS proxy
`server that transparently creates a virtual private network in
`response to a domain name inquiry; (3) a large-to-small link
`bandwidth management feature that prevents denial-of—ser-
`vice attacks at system chokepoints; (4) a traffic limiter that
`regulates incoming packets by limiting the rate at which a
`transmitter can be synchronized with a receiver; and (5) a
`signaling synchronizer that allows a large number ofnodes to
`communicate with a central node by partitioning the commu-
`nication function between two separate entities.
`
`16 Claims, 35 Drawing Sheets
`
`ORIGINATING
`
`
`TERMINAL
`
`
`
`WI
`
`ENCRYPTION KEY
`
`
`
`
`110
`DESTINATION
`TBTMINAL
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US 7,490,151 132
`
`PageZ
`
`U.S. PATENT DOCUMENTS
`
`.............. 709/225
`
`6,502,135 B1* 12/2 02 Mungel'et a1.
`6,505,232 B1
`1/2 03 Mighdolletal.
`6,510,154 B1
`1/2 03 Mayesetal.
`6,549,516 B1
`4/2 03 Albert etal.
`6,557,037 B1
`4/2 03 ProVino
`6,571,296 B1
`5/2 03 Dillon
`6,571,338 B1
`5/2 03 Shaio etal.
`6,581,166 B1
`6/2 03 Hirstetal.
`6,606,708 B1*
`8/2 03 Devine etal.
`6,618,761 B2
`9/2 03 Mungeretal.
`6,671,702 B2
`12/2 03 Kruglikov etal.
`6,687,551 B2
`2/2 04 Steindl
`6,714,970 B1
`3/2 04 Fiveash et a1.
`5,717,949 B1
`4/2 04 Boden etal.
`6,751,738 B2*
`6/2 04 Wesinger et a1.
`6,760,766 B1
`7/2 04 Sahlqvist
`6,826,616 B2
`11/2 04 Larson etal.
`6,839,759 132
`1/2 05 Larson ct a1.
`7,010,604 B1
`3/2 06 Mungeretal.
`7,133,930 B2
`“/2 06 Munger et a1.
`7,188,180 B2
`3/2 07 Larson etal.
`7,197,563 B2
`3/2 07 Sheymov et a1.
`2002/0004898 A1
`1/2 02 Droge
`2003/0196122 A1* 10/2 03 Wesingeretal.
`2005/0055306 A1
`3/2 05 Miller et al.
`2006/0059337 A1*
`3/2 06 Poyhonen eta].
`
`
`
`............... 713/201
`
`............ 713/201
`
`............ 713/201
`
`........... 713/165
`
`....... 370/401
`
`.............. 726/15
`
`1/1991 Warrior
`4,988,990 A
`........................ 380/273
`5,164,986 A * 11/1992 Bright
`5,276,735 A
`1/1994 Boebert et a1.
`5,311,593 A
`50994 Carmi
`5,329,521 A
`7/1994 Walsh etal.
`5,341,426 A
`8/1994 Barneyetal
`5367.643 A
`ll/l994 Chang etal
`5,559,883 A
`9/1996 Williams
`5,561,669 A
`10/1996 Lenney et a1.
`5,588,060 A
`12/1996 Aziz
`5,625,626 A
`4/1997 Umekita
`5,654,695 A
`8/1997 Olnowich etal.
`5,682,480 A
`10/1997 Nakagawa
`5689566 A
`11/1997 Nguyen
`5,740,375 A
`4/1998 Dunn6 et a1.
`5,774,660 A
`6/1998 Brendelet all
`5,787,172 A
`7/1998 Arnolgl
`5,790,548 A *
`8/1998 Slsmnlzadeh et a1.
`5.796942 A
`8/1998 Esbensen
`5,805,801 A
`9/1998 Holloway etal
`5,842,040 A
`11/1998 Hughes et al.
`5,845,091 A
`12/1998 Dunne et a1.
`5,867,650 A
`2/1999 Osterman
`5,870,610 A
`2/1999 Beyda etal
`5,878,231 A
`3/1999 Baehr etal.
`5,892,903 A
`4/1999 Klaus
`5,898,830 A *
`4/1999 W'esingeretal.
`5,905,859 A
`5/1999 Holloway oral,
`5,918,019 A
`6/1999 Valencia
`5,996,016 A
`11/1999 Thalheimer etal.
`6,006,259 A
`12/1999 Adelman etal.
`6,006,272 A
`12/1999 Aravamudan et a1.
`6,016,318 A
`1/2000 'l'omoike
`6,016,512 A
`1/2000 Huitema
`6,041,342 A
`3/2000 Yamaguchi
`6,052,788 A
`4/2000 Wesinger, Jr. et a1.
`6,055,574 A
`4/2000 Smorodinsky etal.
`6.061.736 A
`5/2000 Rochberger etal.
`6,079,020 A *
`6/2000 Liu ............................ 713/201
`6,092,200 A
`7/2000 Muniyappa eta].
`6,101,182 A *
`8/2000 Sismnizadeh et a1.
`6,119,171 A
`9/2000 Alkhatib
`6,119,234 A *
`9/2000 Aziz etal.
`6,147,976 A
`11/2000 Shand etal.
`6,157,957 A
`12/2000 Berthaud
`6,158,011 A
`12/2000 Chen et a1.
`6,168,409 B1
`1/2001 Fare
`6,175,867 B1
`1/2001 Taghadoss
`6,178,409 B1
`1/2001 Weber etal.
`6.178.505 Bl
`[/2001 Schneider et 31
`651795102 Bl
`1/2001 WCbCT OWL
`62225842 B1
`4/2001 Sasyan et a1.
`6,226,751 B1
`5/2001 Arrowetal.
`62331618 Bl
`5/2001 Shannon
`6,243,360 B1
`6/2001 Basilico
`6,243,749 B1
`6/2001 Sitaraman et 31~
`62435754 B1
`6/2001 Guerin et aL
`6,256,671 131 *
`7/2001 StrentZSCh 61 a1.
`6,263,445 B1
`7/2001 Blumenau
`6,236,047 Bl
`9/2001 Ramanathan et a1.
`6,301,223 B1
`10/2001 Hrastar et 31'
`6,308,274 B1
`10/2001 Swift
`6311207 Bl
`10/2001 Mlghd0110t31~
`63245161 B1
`“/2001 KlTCh
`6,330,562 B1
`12/2001 Boden etal.
`6,332,158 B1 * 12/2001 RiSIBY et 31~
`6,353,614 B1
`3/2002 Borella etal.
`6,425,003 B1 *
`7/2002 HGI'ZOg 6t 31'
`6,430,155 B1
`8/2002 Davie etal.
`6,430,610 B1
`8/2002 Carter
`6,487,598 B1
`11/2002 Valencia
`
`....... 370/352
`
`.................. 713/201
`
`~~~~~~~~~~ 709/27-7
`
`~~~~~~~~~~~~~~~~ 709/219
`
`............... 709/27-3
`
`FOREIGN PATENT DOCUMENTS
`_
`,
`0 814 389
`1231997
`0814 ’89 A
`12,1997
`0 838 930
`49998
`0838 930 A
`411998
`836306 A1
`49998
`0858189
`811998
`2317 792
`“998
`2317 792 A
`49998
`2334181 A
`811999
`2334181 A
`89999
`, 98277553 A
`6,1993
`W0 98/277“
`631998
`W0 9827783 A
`9,1998
`W0 98 55950
`12,1998
`W0 98 594/0
`12,1998
`WO9938081
`711999
`W0 99 48393
`961999
`W0 00/177/5
`312000
`WO 00/70458
`“/9000
`W00150638
`”001
`
`EP
`EP
`EP
`EP
`EP
`EP
`GB
`GB
`GB
`GB
`W9
`W0
`W0
`W0
`W0
`W0
`W0
`W0
`W0
`W0
`
`OTHER PUBLICATIONS
`Donald E. Eastlake, 3“, “Domain Name System Security Exten-
`sions”, Internet Draft, Apr. 1998, pp. 1-51.
`D. B. Chapman eta1., “Building Internet Firewalls”. Nov. 1995, pp.
`273.375,
`P. Srisuresh etal., “DNA extensions to Network address Translators
`(DNLAtGy’. Internet Draft, Jul. 1998, pp. 127.
`James E. Bellaire, “New Statement of RulesiNarning Internet
`Domains”, Internet Newsgroup, Jul. 30, 1995, 1 page.
`D. Clark, “US Calls for Private Domain-Name System“, Computer
`Society, Aug. 1, 1998,1311 22.25
`AugustBequai,“BalancingLegal ConcernsOVerCrimeandSecurity
`in Cyberspace”, Computer & Security, vol. 17, No. 4, 1998, pp.
`293.298,
`Rich Winkel, “CAQ: Networking With Spooks: The NET & The
`Control Of Information”, Internet Newsgroup, Jun. 21, 1997, 4
`pages,
`Search Report (dated Jun. 18, 2002), International Application No.
`PCTMSOl/l3260.
`Search Report (dated Jun. 28, 2002), International Application No.
`PCTflISOl/13261.
`Donald E. Eastlake, “Domain Name System Security Extensions”,
`DNS Security Working Group, Apr. 1998, 51 pages.
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US 7,490,151 132
`Page 3
`
`D. B. Chapman et al., “Building Internet Firewalls”, Nov. 1995, pp.
`278-297 and pp. 351-375.
`P. Srisuresh eta1., “DNS extensions to Network Address Translators”.
`Jul. 1998. 27 pages.
`Laurie Wells. “Security Icon", Oct. 19, 1998, 1 page.
`W. Stallings, “Cryptography And Network Security”, 2nd Edition.
`Chapter 13, IP Security, Jun. 8, 1998, pp. 399-440.
`W. Stallings, “New Cryptography and Network Security Book", Jun.
`8, 1998, 3 pages.
`Search Report (dated Aug. 20, 2002), International Application No.
`PCT/US01/04340.
`Shree Murthy et al., “Congestion-Oriented Shortest Multipath Rout-
`ing”. Proceedings of IEEE Infocom. 1996. pp. 1028-1036.
`Jim Jones et al., “Distributed Denial of Service Attacks: Defenses”.
`Global Integrity Corporation, 2000, pp. 1-14.
`Fasbender, Kesdogan, and Kubitz: “Variable and Scalable Security:
`Protection of Location Information in Mobile IP”, IEEE publication.
`1996, pp. 963-967.
`Laurie Wells (Lancasterbibelmail MSN COM); “Subject: Security
`Icon” Usenet Newsgroup, Oct. 19, 1998, XP002200606.
`Davila J et al. “Implementation of Virtual Private Networks at the
`Transport Layer”, Information Security. Second International Work-
`shop, ISW ’99. Proceedings (Lecture Springer-Verlag Berlin, Ger-
`many,
`[Online] 1999, pp. 85-102, XP002399276, ISBN 3-540-
`66695-B, retrieved from the Internet: URL: http://wwwspringerlink.
`com/content/4uac0tb0heccma89/fu11text.pdf> (Abstract).
`Alan 0. Frier et al., “The SSL Protocol Version 3.0”, Nov. 18, 1996.
`printed from http://www.netscapecom/eng/ssl13/ draft302txt on
`Feb. 4, 2002, 56 pages.
`Davila J et al, “Implementation of Virtual Private Networks at the
`Transport Layer”. Information Security, Second International Work-
`shop, ISVV’99. Proceedings (Lecture Springer-Verlag Berlin, Ger-
`
`[Online] 1999, pp. 85-102, XP002399276, ISBN 3-540-
`many,
`66695-B, retrieved fromthe Internet: URL: http://VWWV. springerlink.
`com/content/4uac0tb0hecoma89/fulltext.pdf>.
`Dolev, Shlomi and Ostrovsky, Rafil, Efficient Anonymous Multicast
`and Reception (Extended Abstract), 16 pages.
`F. Halsall, “Data Communications, Computer Networks and Open
`Systems”, Chapter 4, Protocol Basics, 1996, pp. 198-203.
`Glossary for the Linux FreeS/WAN project, printed from http://
`liberty.freeswan .org/freeswanitrees/freeswan- 1 .3/
`doc/glo ssary.
`htrnl on Feb. 21, 2002, 25 pages.
`J. Gilmore, “Swan: Securing the Internet against W'iretapping”,
`printed from http://liberty.freeswan.org/freeswan trees/freeswan-l .
`3.doc/rationale.html on Feb. 21, 2002. 4 pages.
`Linux FreeS/WAN Index File. printed from http://libertyfreewan.
`org/freeswan Lrees/freeswan-l.3/doc/ on Feb. 21, 2002, 3 pages.
`Reiter. Michael K. and Rubin, Aviel D. (AT&T LabsiResearch),
`Crowds: Anonymity for Web Transactions, pp. 1-23.
`RFC 2401-Security Architecture for the Internet Protocol (RTP).
`RFC 2543-SIP: Session Initiation Protocol (SIP or SIPS).
`Rubin, Aviel D., Geer. Daniel, and Ranum, Marcus J. (Wiley Corn-
`puter Publishing), “Web Security Sourcebook”, pp. 82-94.
`Search Report, IPER (dataed Nov. 13, 2002), International Applica-
`tion No. PCT/US01/04340.
`Search Report. IPER (dated Feb. 6. 2002). International Application
`No. PCT/US01/13261.
`Search Report, IPER (dated Jan. 14, 2003), InternationalApplication
`No. PCT/US01/13260.
`Shankar, A.U. “A verified sliding window protocol with variable flow
`control”. Proceedings of ACM SIGCOMM conference on Commu-
`nications architectures & protocols. pp. 84-91, ACM Press, NY,NY
`1986.
`
`
`
`* cited by examiner
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 1 of 35
`
`US 7,490,151 B2
`
`100
`
`ORlGlNATING
`TERMINAL
`
`40
`
`107
`
`
`
`IP
`
`IP
`
`ROUTER
`
`ROUTER
`25
`INTERNET
`
`29
`
`
`
`P PACKET
`
` 28
`
`
`
`IP
`ROUTER
`
`IP
`ROUTER
`
`IP
`ROUTER
`
`110
`
`ENORYPTTON KEY
`
`TERMlNAL
`
`FIG. 1
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 2 of 35
`
`US 7,490,151 B2
`
`100
`
`TERMINAL
`
`A 140
`
`TARP PACKET
`
`146
`
`107
`
`131
`
`h
`LINK KEY
`
`
`
`TARP
`ROUTER
`
`‘29
`
`IP
`
`TARP
`
`127
`
`122
`
`TARP
`ROUTER
`
`
`
`123 3.11
`LINK KEY
`
`
`IP
`ROUTER
`a.“
`LINK KEY
`
`130
`
`
`|P
`
`
`ROUTER
`125
`INTERNET
`
`LINK KEY
`
`124
`
`
`
`128
`
`ROUTER
`
`TARP
`ROUTER
`132
`
`|P
`ROUTER
`
`126
`
`TARP
`
`RINK Pm
`
`LINK KEY
`
`148
`
`0.11
`
`LINK KEY
`
`11o
`TARP PACKET
`
`TARP
`
`
`
`0" '
`SESSION KEY
`
`
`
`
`
`
`
`FIG. 2
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10,2009
`
`Sheet 3 0f 35
`
`US 7,490,151 B2
`
`
`
`
`DATA STREAM 3_DD
`
`INTERLEAVED
`PAYLOAD DATA
`32_0
`
`
`
`
`
`SESSION-KEY—ENCRYPTED
`PAYLOAD DATA fl
`
`TARP PACKET WITH
`ENCRYPTED PAYLOADS 3_4_Q
`
`LlNK-KEY-ENCRYPTED
`TARP PACKETS 359
`
`.
`
`
`
`
`IP PACKETS W/ENCRYPTED
`TARP PACKETS AS
`PAYLOADQQ
`
`
`
`.OUTER1
` .ARP
`
`
`
`
`
`.ARPROU-ER4
`
`
`
`
`TARP
`ROUTER 2
`
`
`
`TARP
`ROUTER
`
`TARP
`ROUTER3
`
`
`
`TARP
`ROUTER 5
`
`TARP
`ROUTER 6
`
`TARP
`
`FlG. 3A
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 4 0f 35
`
`US 7,490,151 B2
`
`
`
`
`
`80200£2
`
`<55mo@503>223
`
`
`E.29000000032020.v_0...,000
`
`
`OINw,mQZmDOmm23?;
`
`Ola5200555r‘...£8£8£8£8
`
`
`
`
`
`00020x0300050/0020
`
`
`
`
`
`mwlmumm><flmm2mo<o._><mo._.z_
`
`$35550.5BEEQZM
`
`
`
`NINA.“023?.02
`
`
`
`a>>OD2§>m><m._mm._.z_
`
`00020x030BEEZM
`
`
`«Mafia;0200?.02
`
`
`
`
`TE;05050%
`
`
`
`am020300053020
`
`
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`
`
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 5 0f 35
`
`US 7,490,151 B2
`
`mzazoo9m>:.<zmm_5<mzo
`
`wz_mmm_oomn_mas.
`
`memmmoommg90_.:._>>
`
`gammzmomzézmé
`
`mafia:EéoEmz
`
`585%v2:Ea
`
`mammal/E;
`
`v.OE
`
`30%
`
`025809:
`
`inmzazoo2mazzmmsémao
`
`685%.3Es
`
`9:897:EB:qu
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 6 of 35
`
`US 7,490,151 B2
`
`
`
`BACKGROUND LOOP-DECOY
`GENERATION
`
`AUTHENTICATE TARP PACKET
`
`OUTER LAYER DECRYPTION OF
`TARP PACKET USING LINK KEY
`
`Sfi
`
`DUMP DECOY
`
`
`
`
`CHECK FOR DECOY AND
`INCREMENT PERISHABLE DECOY
`COUNTER AS APPROPRIATE
`
`TRANSMIT DECOY?
`
`YES
`
`SQ
`
`DECREMENT
`TI'L TI'L > 0?
`
`
`
`
`
`DETERMINE DESTINATION TARP
`GENERATE NEXT-HOP TARP
`ADDRESS AND STORE LINK KEY
`ADDRESS AND STORE LINK KEY
`AND IP ADDRESS
`AND IF ADDRESS
`
`GENERATE NEXT-HOP TARP
`ADDRESS AND STORE LINK KEY
`AND IF ADDRESS
`
`GENERATE IP HEADER
`AND TRANSMIT
`
`FIG. 5
`
`SO
`
`SZ
`
`S3
`
`S4
`
`S5
`
`ST
`
`S8
`
`810
`
`311
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 7 of 35
`
`US 7,490,151 B2
`
`BACKGROUND LOOP-DECOY
`GENERATION
`
`320
`
`GROUP RECEIVED IP PACKETS
`INTO INTERLEAVE WINDOW
`
`821
`
`DETERMINE DESTINATION TARP
`ADDRESS, INITIALIZE TTL, STORE
`IN TARP HEADER
`
`RECORD WINDOW SEQ. NOS. AND
`INTERLEAVE SEQ. NOS IN TARP
`HEADERS
`
`CHOOSE FIRST HOP TARP
`ROUTER. LOOK UP IP ADDRESS
`AND STORE IN CLEAR IP HEADER,
`
`OUTER LAYER ENCRYPT
`
`822
`
`323
`
`324
`
`INSTALL CLEAR IP HEADER
`AND TRANSMIT
`
`325
`
`FIG. 6
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 8 of 35
`
`US 7,490,151 B2
`
`840
`
`BACKGROUND LOOP-DECOY
`GENERATION
`
`S42
`
`AUTHENTICATE TARP PACKET
`RECEIVED
`
`S49
`
`DIVIDE BLOCK INTO PACKETS S43
`
`DECRYPT OUTER LAYER
`
`ENCRYPTION WITH LINK KEY
`
`USING WINDOW SEQUENCE DATA,
`ADD CLEAR IP HEADERS
`
`GENER’I‘HJEEQMTARP
`
`350
`
`HAN?OCHQ%EEE§$§£§§ETS
`
`INCREMENTPERISHABLE
`
`COUNTER IF DECOY
`
`S44
`
`S45
`
`THROW AWAY DECOY OR KEEP
`IN RESPONSE TO ALGORITHM
`
`S46
`
`CACHE TARP PACKETS UNTIL
`WINDOW IS ASSEMBLED
`
`S47
`
`S48
`
`DEINTERLEAYE PACKETS
`FORMING WINDOW
`
`DECRYPT BLOCK
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Sheet 9 0f 35
`
`US 7,490,151 B2
`
`$58I22wWhasMasaixz:m,355525%mQED/aimaw
`
`ézgmmtzma
`
`
`
`
`
`aé292E;zgwmmmmmamm1‘
`
`
`
`mlmmxo<zo:<_.:z_293%#585
`
`m.OE
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 10 0f 35
`
`US 7,490,151 B2
`
`nag
`
`
` 2250m:28
`
`sum\\\|I/rI
`
`
`
`
`252522252E222
`
`
`
`
`
`
`
`82.2.5_22.2.5A52.2.5_22.25
`
`
`
`32.2.5_22.2.552.2.5.22.2.5
`
`
`
`
`
`52.2.5_52.2.552.2.5.52.2.5
`
`
`
`52.2.5_52.2.522.2.5.52.2.5
`
`
`
`
`
`232E222“lg2522
`
`
`
`
`
`
`
`
`
`22.2.5.52.2.522.2.5.52.2.5
`
`
`
`22.2.5_22.2.522.2.5.22.2.5
`
`
`
`52.2.5_2.2.2.552.2.5.22.2.5
`
`
`
`
`
`52.2.5.22.2.522.2.5.22.2.5
`
`
`
`..m.o_u_..
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`

`

`U.S. Patent
`
`m.
`
`m
`
`m
`
`1%mm19
`%$52as
`
`:o_
`
`<m2
`
`mm¢H
`
`awhaom
`
`22
`
`FNOF
`
`NNOF
`
`mmor
`
`or.9“.
`
`Hzmzo
`
`‘
`
`Paar
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 12 0f 35
`
`US 7,490,151 B2
`
`mn:
`
`we:
`
`mzémEzmmIE
`
`mmofix
`
`
`
`mm”mmmmona>>I.omw
`
`
`
`mm”wwmmog>>I.53
`
`Eva/En__
`
`«mew:
`
`ziowa3”wwmmogg5%E”mmmmogn:momDOw
`3”ad:
`
`r8:
`
`flo<o._><n_
`
`2:£233
`
`:GE
`
`NE
`
`$232;
`
`IvEa:
`
`mmD<WI
`
`<8:
`
`Exam
`
`
`02:eEm:2285
`mg:2mama:5%E2”mamas:
`
`New Bay Capital, LLC-EX.1001
`
`2:
`
`
`03:0g:Famzzgwa
`
`
`
`No:ermwmgoiaomsow<$93: mg:mg::umwmmgiagi<3:
`
`Ea:
`
`
`
`“mm”mumwmmgiiomwmg:mm”3mg“:>>_._5%<3:
`
`
`
`mzémEzmmIE
`
`mmofix
`
`New Bay Capital, LLC-EX.1001
`
`
`
`
`
`
`
`

`

`U.S. Patent
`
`Feb
`
`. 10, 2009
`
`Sheet 13 0f 35
`
`US 7,490,151 B2
`
`SE
`
`CE
`
`23
`
`£2£2
`
`BE82
`
`mom?
`
`xfimr
`
`1mm:
`
`zo_._.<o:nE<
`
`8am<8:
`
`8awE
`
`mmw:
`
`23.53%?
`
`8aw8amEE
`
`SS 82
`
`<NF.OE
`
`8282
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10
`
`9
`
`2009
`
`Sheet 14 0f 35
`
`US 7,490,151 B2
`
`
`
`3m:mozzfiiowa
`
`mm3<>
`
`83%mmz<o
`
`02$2_
`
`83%mmz<o
`
`oz>m2_
`
`83%mm25
`
`02$2_
`
`moo:
`
`mmwmmmogn__
`
`82%mm25
`
`02$2_
`
`EE<>mm25
`
`2%z_
`
`om_m<>mm25
`
`02$2_
`
`mx<>>om<x
`
`wmmmmxoo<
`
`
`
`mmooz._._<moim2<m
`
`>._m_._.m._n_Eoomo
`
`282%
`
`2%10%moiBx:
`
`BE<>mm25
`
`02%z_
`
`
`
`mm?.OE
`
`mo
`
`._.2m_2_oom_2m
`
`msoamfiomm.F
`
`
`
`msozomiomm.N
`
`2n_>mm;
`
`
`
`mm<>>om<I.m
`
`szmoI
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 15 0f 35
`
`US 7,490,151 B2
`
`3282
`
`No.2
`
`<._.2m__._o 52
`
`Ezmjo
`
`mmmoomm
`
`5x05
`
`mm;
`
`:2
`
`magma
`
`55$
`
`025825200
`
`
`
`6.202m
`
`REED
`
`
`
`mmmmoqqmomDOmn:
`
`
`
`mmmmagEmman:
`
`was,025
`
`
`
`205803%“:
`
`mi;02%
`
`
`
`295852%;
`
`5x22:
`
`omEEozm
`
`232m
`
`82
`
`82
`
`2.0E
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 16 0f 35
`
`US 7,490,151 B2
`
`Nm_<n_n__
`
`u26oz;A:I
`
`Fm_<n_n__
`
`Nm_<n_n:
`
`mmt_§mz§._.
`
`FEEn__-{-7m_<n_n__Hzmmmso
`m_<n_n:Hzmmmao.26oz?
`12mPZMEGmmmgmmmozmm
`
`mm._.._.__>_mz<E
`
`5%3%
`
`3%A......
`
`
`
`
`
`A........................VmmN_zom_._oz>m._.2m__n__om_mo._.mmozmwmo;0252_Fax
`
`
`
`A|I|||Il|||ll|¥mmN_zomIoz>mmmozmmo._.Hzmaammmo;0252_5%
`
`
`
`
`
`3.GE
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 17 0f 35
`
`US 7,490,151 B2
`
`”imamz_cEUEg5385
`EzEémzmo.
`
`ma;gHzamémxo
`
`mmtgmzé2:30
`x202%:zsz.
`
`_EU12%:
`
`2‘.GE
`
`55%me5202%
`$2;8m02%E1?
`"$3:0.258;TE;
`
`aoozfizons.;aEUmmsmomm
`52Hémzmo.
`
`8x023©295286232%;@
`
`Emzémmv:5220%
`
`n:25%anmmtgmzé
`
`30:233.559%;
`$22memmzmfimEz
`
`NEE/mo92c5.0mi
`
`02382.5;35%
`
`32025:am02%
`
`hE29:85
`
`v202$2%:
`
`mmtswzéz_5%mgn__55%?
`
`n.1%"fies:
`E2Esmzmo
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 18 0f 35
`
`US 7,490,151 B2
`
`FIG.16
`
`New Bay Capital, LLC-EX.1001
`
`4095
`
`0 4
`
`095
`
`0
`
`4095
`
`0 4
`
`095
`
`20
`
`0
`
`20
`
`
`
`
`
`(ETHERNETLAN-TWOAADDRESSBLOCKS}
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 19 of 35
`
`US 7,490,151 B2
`
`000
`
`
`
`7/I/I/I/I/I/I/I/I/I/I/IA
`
`°
`
`I INACTIVE
`% ACTIVE
`USED
`
`NDOW_SZE WW
`
`
`
`WI/I/I/I/I/I/I/I/I/I/I
`7/I/l/l/I/I/I/l/I/I/I/J
`
`WI/I/I/I/I/I/m
`
`WI/I/I/I/I/I/I/I/IA
`
`WI
`
`I
`
`W|NDOW_SIZE
`
`
`
`
`
`
`
`
`
`Vl/I/I/I/I/I/I/I/I/I/I/A
`
`V/I/I/I/I/I/I/I’l/I/Il/IA
`ll/l/I/l/I/l/I/I/I/l/IA
`
`
`VII/Ill/I/l/l/l/l/l/Illl,
`
`FIG. 17
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 20 of 35
`
`US 7,490,151 B2
`
`000
`
`Vl/l/l/l/l/l/l/l/l/l/l/A
`
`WINDOW_SIZE
`
`WINDOW SIZE
`‘ WI/I/I/I/I/I/I/I/I/I/A
`Vl/I/I/I’l/I’l/I/Il/I/I/IA
`WI/I/I/I/I/I/I/I/I/l/ll.
`VIII/l/Illlll/l/l/Illfl
`Ill/Ill/Illlllllllllfl
`
`
`I INACTIVE
`
`
`FIG. 18
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 21 of 35
`
`US 7,490,151 B2
`
`
`
`'l/[l/I/[I/I/I/I/I/Ill'l/A
`
`WI/I/I/I/I/I/I/I/[l/A
`Vl/I/I/I/I/I/I/I/I/I/I/A
`W/I'l/I/I/I/l/I/l/I/I/A
`
`
`
`
`
`
`000
`
`WINDOW_SIZE
`
`
`
`
`
`I INACTIVE
`% ACTIVE
`I USED
`
`
`
`
`'
`.
`7/l/l/l/l/I/l/l/I/I/l/IA
`
`WV
`
`
`
`
`/I/I/I/I/I/I/I/I/m
`f/I/I/I/I/I/I/I/I/I/I/fl
`
`
`r/l/l/l/I/l/l/I/I/Im
`
`
`WINDOW_SIZE
`
`
`
`
`
`000
`
`.r_,
`
`’1 I
`
`7/l/l/l/l/l/l/l/l/l/l/A
`
`FIG. 19
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 22 0f 35
`
`US 7,490,151 B2
`
`
`
`COMPUTER #2
`
`2002
`
`2008
`
`2005
`
`
`
`2011
`
`FIG.20
`
`
`
`
`
`COMPUTER #1
`
`
`
`2001
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 23 of 35
`
`US 7,490,151 B2
`
`
`
`
`
`
`
`2100 /
`
`2.
`LINK DOWN V
`
`AD TABLE
`
`1P1
`
`|P3
`
`1P2
`
`|P4
`
`AE TABLE
`
`AF TABLE
`
`BD TABLE
`
`BE TABLE
`
`CD TABLE
`
`CE TABLE
`
`CF TABLE
`
`FIG. 21
`
`
`
`
`
`
`
`
`2101
`
`2102
`
`2103
`
`2104
`
`2105
`
`2106
`
`2107
`
`2108
`
`2109
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 24 of 35
`
`US 7,490,151 B2
`
`MEASURE
`
`QUALITY OF
`TRANSMISSION
`
`PATH X
`
`
`
`
`
`
`
`MORE
`
`THAN ONE
`
`TRANSMITTER
`
`TURNED
`
`ON?
`
`
`
`2209
`
`SET WEIGHT
`TO MIN. VALUE
`
`
`
`
`
`
`
`
`PATH X
`
`
`QUALITY <
`
`THRESHOLD?
`
`
`
`
`
`PATH X
`WEIGHT LESS
`DECREASE
`
`THAN STEADY
`WEIGHT FOR
`STATE
`PATH X
`VALUE?
`
`
`
`
`
`
`INCREASE WEIGHT
`FOR PATH X
`TOWARD STEADY
`
`STATE VALUE
`
`ADJUST WEIGHTS
`FOR REMAINING
`PATHS SO THAT
`
`WEIGHTS EQUAL ONE
`
`
`
`FIG. 22A
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 25 of 35
`
`US 7,490,151 B2
`
`
`
`TURNS OFF
`
`(EVENT) TRANSMITTER
`FOR PATH x
`
`
`
`AT LEAST
`
`
`
`DROP ALL PACKETS
`ONE TRANSMITTER
`UNTILA TRANSMITTER
`
`
`TURNED ON?
`TURNS ON
`
`
`
`
`
`2210
`
`2211
`
`2212
`
`2213
`
`2214
`
`SET WEIGHT
`
`TO ZERO
`
`
`
`ADJUST WEIGHTS
`FOR REMAINING
`PATHS so THAT
`WEIGHTS EQUAL ONE
`
`FIG. 228
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 26 0f 35
`
`US 7,490,151 B2
`
`FxI._.<n_
`
`8mm
`
`mx:2;
`
` vxI._.<n_
`
`55$
`
`mmtimz<E
`
`HESm>_momm
`
`._om‘
`
`82
`
`EOEmmm
`
`8mm\mmzmommmflflfl
`
`mm.OE
`
`
`
`20:02:;20:02:;
`
`
`
`pzmfikmsfio<Hzmzmm2m<m2
`
`>Fz<ao¥zz
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`
`
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 27 0f 35
`
`US 7,490,151 B2
`
`mEEzou
`
`mmhsmzoo
`
`vm.GE
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`F
`
`7SU
`
`m,
`
`m.E:mmfl
`
`New
`
`mEamm;fixmm:mmomsm8mmeg
`m18mmzo
`mm;
`
`xmmEOmm
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 29 0f 35
`
`US 7,490,151 B2
`
`
`
`ggEmmmmfimamm
`
`:8mmzomaz:
`
`HE59x5
`
`om.GE
`
`88
`
`mmmmmgNEG
`
`E02%:
`
`mug
`
`mmmgomm
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 30 of 35
`
`US 7,490,151 B2
`
`2701
`
`RECEIVE DNS
`REQUEST FOR
`
`TARGET SITE
`
`2702
`
`2704
`
`
`
`
`ACCESS TO
`SECURE SITE
`REQUESTED?
`
`YES
`
`2703
`
`
`
`PASS THRU
`REQUEST TO
`DNS SERVER
`
`2705
`
`
`
`
`
`RETURN
`"HOST UNKNOWN"
`ERROR
`
`USER
`AUTHORIZED TO
`CONNECT?
`
`YES
`
`2706
`
`ESTABLISH
`VPN WITH
`
`TARGET SITE
`
`FIG. 27
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`m.
`
`m7SU
`
`8mm
`
`Noam
`
`58.50:
`
`mmSom£$5128
`
`.50:
`
`%$5128
`
`mma:
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 32 0f 35
`
`US 7,490,151 B2
`
`RE:2:
`
`88
`
`Bow
`
`8mm8282
`
`838XEn:
`
`T
`
`
`
`a“$5128.50:
`
`8%
`
`25ES
`
`$8
`
`E58
`
`3mm
`
`
`
`E$5158.50:
`
`Im
`
`
`
`1535.8Eva/E
`
`8mm
`
`8%
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`
`
`
`
`

`

`U.S. Patent
`
`mF
`
`m
`
`9AW7SU
`
`2B
`
`22.0%
`
`
`
`-m2.55am07%BEEm,369:Emmzmo
`
`a.M,52cmGE
`M8208mmE”Emismemes
`mm>_m0mm
`
`mmEEmZ<E
`
`gamma
`
`ammuoz>m
`
`Eémzwo
`
`215%
`
`8%
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`U.S. Patent
`
`Feb. 10, 2009
`
`Sheet 34 0f 35
`
`US 7,490,151 B2
`
`0')
`O‘—
`0')
`
`3105
`
`3104
`
`CLIENT#2
`
`FIG.31
`
`
`
`
`TX/RXTX/RXTX/RX
`
`‘—
`or-
`(‘0
`
`3102
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US. Patent
`
`Feb. 10, 2009
`
`Sheet 35 of 35
`
`US 7,490,151 B2
`
`CLIENT
`
`SERVER
`
`SEND DATA PACKET
`USING CKPT_N
`CKPT_O=CKPT_N
`GENERATE NEW CKPT_N
`START TIMER, SHUT
`TRANSMITTER OFF
`
`IF CKPT_O IN SYNC_ACK
`MATCHES TRANSMITTER'S
`CKPT_O
`UPDATE RECEIVER'S
`CKPT_R
`KILL TIMER, TURN
`TRANSMITTER ON
`
`SEND DATA PACKET
`USING CKPT_N
`CKPT_O=CKPT_N
`GENERATE NEW CKPT_N
`START TIMER, SHUT
`TRANSMITTER OFF
`
`WHEN TIMER EXPIRES
`TRANSMIT SYNC_REQ
`USING TRANSMITTERS
`CKPT_O, START TIMER
`
`IF CKPT_O IN SYNC_ACK
`MATCHES TRANSMITTER'S
`CKPT_O
`UPDATE RECEIVER'S
`CKPT_R
`KILL TIMER, TURN
`TRANSMITTER ON
`
`SYNC_REQ
`
`FIG. 32
`
`PASS DATA UP STACK
`CKPT_O=CKPT_N
`GENERATE NEW CKPT_N
`GENERATE NEW CKPT_R
`FOR TRANSMITTER SIDE
`TRANSMIT SYNC_ACK
`CONTAINING CKPT_O
`
`CKPT_O=CKPT_N
`GENERATE NEW CKPT_N
`GENERATE NEW CKPT_R
`FOR TRANSMITTER SIDE
`TRANSMIT SYNC_ACK
`CONTAINING CKPT_O
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US 7,490,151 B2
`
`1
`ESTABLISIIMENT OFA SECURE
`COMDIUNICATION LINK BASED ON A
`DOMAIN NAME SERVICE (DNS) REQUEST
`
`CROSS-REFERENCE TO RELATED
`APPLICATIONS
`
`This application is a divisional application of 09/504,783
`(filed Feb. 15, 2000), now U.S. Pat. No. 6,502,135, issued
`Dec. 31, 2002, which claims priority from and is a continua—
`tion-in-part of previously filed US. application Ser. No.
`09/429,643 (filed Oct. 29, 1999) now U.S. Pat. No. 7,010,604.
`The subject matter of the ’643 application, which is bodily
`incorporated herein, derives from provisional U.S. applica—
`tion No. 60/106,261 (filed Oct. 30, 1998) and 60/137,704
`(filed Jun. 7, 1999).
`
`GOVERNMENT CONTRACT RIGHTS
`
`This invention was made with Government support under
`Contract No. 360000-1999-000000-QC-000-000 awarded by
`the Central Intelligence Agency. The Government has certain
`rights in the invention.
`
`
`
` BACKGROUND OF THE INVENTION
`
`A tremendous variety of methods have been proposed and
`implemented to provide security and anonymity for commu-
`nications over the Internet. The variety stems, in part, from the
`different needs of different lntemet users. A basic heuristic
`framework to aid in discussing these different security tech-
`niques is illustrated in FIG. 1. Two terminals, an originating
`terminal 100 and a destination terminal 110 are in communi-
`cation over the Internet. It is desired for the communications
`to be secure, that is, immune to eavesdropping. For example,
`terminal 100 may transmit secret information to terminal 110
`over the lntemet 107. Also, it may be desired to prevent an
`eavesdropper from discovering that terminal 100 is in com—
`munication with terminal 110. For example, ifterminal 100 is
`a user and terminal 110 hosts a web site, terminal 100’s user
`may not want anyone in the intervening networks to know
`what web sites he is “visiting.” Anonymity would thus be an
`issue, for example, for companies that want to keep their
`market research interests private and thus would prefer to
`prevent outsiders from knowing which web-sites or other
`Internet resources they are “visiting.” These two security
`issues may be called data security and anonymity, respec-
`tively.
`Data security is usually tackled using some form of data
`encryption. An encryption key 48 is known at both the origi-
`nating and terminating terminals 100 and 110. The keys may
`be private and public at the originating and destination termi-
`nals 100 and 110, respectively or they may be symmetrical
`keys (the same key is used by both parties to encrypt and
`decrypt). Many encryption methods are known and usable in
`this context.
`To hide traffic from a local administrator or ISP, a user can
`employ a local proxy server in communicating over an
`encrypted channel with an outside proxy such that the local
`administrator or ISP only sees the encrypted traffic. Proxy
`servers prevent destination servers from determining the
`identities of the originating clients. This system employs an
`intermediate server interposed between client and destination
`server. The destination server sees only the Internet Protocol
`(IP) address ofthe proxy server and not the originating client.
`The target server only sees the address of the outside proxy.
`
`This scheme relies on a trusted outside proxy server. Also,
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`2
`proxy schemes are vulnerable to traffic analysis methods of
`determining identities of transmitters and receivers. Another
`important limitation of proxy servers is that the server knows
`the identities of both calling and called parties. In many
`instances, an originating terminal, such as terminal A, would
`prefer to keep its identity concealed from the proxy, for
`example, ifthe proxy server is provided by an lntemet service
`provider (lSP).
`To defeat traffic analysis, a scheme called Chaum’s mixes
`employs a proxy server that transmits and receives fixed
`length messages, including dummy messages. Multiple origi-
`nating terminals are connected through a mix (a server) to
`multiple target servers. It is difiicult to tell which of the
`originating terminals are communicating to which ofthe con—
`nected target servers, and the dummy messages confuse
`eavesdroppers’ efforts to detect communicating pairs by ana-
`lyzing traffic. A drawback is that there is a risk that the mix
`server could be compromised. One way to deal with this risk
`is to spread the trust among multiple mixes. If one mix is
`compromised, the identities of the originating and target ter-
`minals may remain concealed. This strategy requires a num-
`ber of alternative mixes so that the intemrcdiate servers inter-
`posed between the originating and target terminals are not
`determinable except by compromising more than one mix.
`The strategy wraps the message with multiple layers of
`encrypted addresses. The first mix in a sequence can decrypt
`only the outer layer of the message to reveal the next desti-
`nation mix in sequence. The second mix can decrypt the
`message to reveal the next mix and so on. The target server
`receives the message and, optionally, a multi-layer encrypted
`payload containing return information to send data back in
`the same fashion. The only way to defeat such a mix scheme
`is to collude among mixes. If the packets are all fixed-length
`and intermixed with dummy packets, there is no way to do
`any kind of trafiic analysis.
`Still another anonymity technique, called ‘crowds,’ pro-
`tects the identity of the originating temrinal from the inter-
`mediate proxies by providing that originating terminals
`belong to groups ofproxies called crowds. The crowd proxies
`
`are interposed between originating and target terminals. Ea ch
`proxy through which the message is sent is randomly chosen
`by an up stream proxy. Each intermediate proxy can send the
`message either to another randomly chosen proxy in the
`“crowd” or to the destination. Thus, even crowd members
`cannot determine if a preceding proxy is the originator of the
`message or if it was simply passed from another proxy.
`ZKS (Zero—Knowledge Systems) Anonymous 1P Protocol
`allows users to select up to any of five different pseudonyms,
`while desktop software encrypts outgoing trafiic and wraps it
`in User Datagram Protocol (UDP) packets. The first server in
`a 2+—hop system gets the UDP packets, strips off one layer of
`encryption to add another, then sends the traffic to the next
`server, which strips off yet another layer of encryption and
`adds a new one. The user is permitted to control the number of
`hops. At the final server, trafiic is decrypted with an untraec-
`able IP address. The technique is called onion-routing. This
`method can be defeated using traffic analysis. For a simple
`example, bursts of packets from a user during low-duty peri-
`ods can reveal the identities of sender and receiver.
`
`Firewalls attempt to protect LANs from unauthorized
`access and hostile exploitation or damage to computers con-
`nected to the LAN. Firewalls provide a server through which
`all access to the LAN must pass. Firewalls are centralized
`systems that require administrative overhead to maintain.
`They can be compromised by virtual-machine applications
`(“applets”). They instill a false sense of security that leads to
`security breaches for example by users sending sensitive
`
`New Bay Capital, LLC-EX.1001
`
`New Bay Capital, LLC-EX.1001
`
`

`

`US 7,490,151 B2
`
`3
`information to servers outside the firewall or encouraging use
`of modems to sidestep the firewall security. Firewalls are not
`useful for distributed systems such as business travelers,
`extranets, small teams. etc.
`
`SUMMARY OF THE INVENTION
`
`A secure mechanism for communicating over the internet,
`including a protocol referred to as the TunneledAgile Routing
`Protocol (TARP), uses a unique two-layer encryption format
`and special TARP routers. TARP routers are similar in func-
`tion to regular IP routers. Each TARP router has one or more
`IP addresses and uses nomral IP protocol to send 1P packet
`messages
`(“packets” or “datagrams”). The IP packets
`exchanged between TARP terminals Via TARP routers are
`actually encrypted packets whose true destination address is
`concealed except to TARP routers and servers. The normal or
`“clear” or “outside” IP header attached to TARP IP