New Bay Capital, LLC-EX.1009
Page 1 of 81
I, Russell Housley, declare as follows:

I. INTRODUCTION

A. Engagement

1. I have been retained by counsel for New Bay Capital, LLC as an expert witness in the above-captioned proceeding. I submit this declaration in support of the Petition for Inter Partes Review (hereinafter “the Petition”) of claims 1 and 13 of United States Patent No. 7,490,151 (hereinafter “the ‘151 Patent” – Exhibit 1001), filed in the United States Patent and Trademark Office on behalf of New Bay Capital, LLC.

B. Background and Qualifications

2. I am the founder and owner of Vigil Security, LLC, which I founded in 2002 to help customers design and implement diligently watchful security solutions. I provide consulting on security protocols, security architectures, and Public Key Infrastructure (PKI). Over the last ten years, I have performed security and vulnerability analyses of various communications architectures and security policies based on known threats and proposed certification criteria.

3. Since March 2013, I have served as the chair of the Internet Activities Board (IAB), which is a voting member of the IAB as well as a non-voting member of the Internet Engineering Steering Group (IESG), a voting member of the IETF Administrative Oversight Committee (IAOC), and a Trustee for the IETF Trust. Since May 2013, I have served as a member of the Internet Research Steering Group (IRSG).

4. From March 2007 to March 2013, I served as the chair of the Internet Engineering Task Force (IETF). I managed the open and transparent technical standards process for the Internet.

5. From March 2003 to March 2007, I served as the IETF Security Area Director, making me a member of the IESG. As such, I provided leadership to many working groups that were developing security standards for the Internet, including the Public Key Infrastructure using X.509 (PKIX), IP Security (IPsec), Transport Layer Security (TLS), Secure MIME (S/MIME), Domain Keys Identified Mail (DKIM), Long-Term Archive and Notary Services (LTANS), and Multicast Security (MSEC) working groups.

6. Prior to accepting the Area Director position, I chaired the IETF Secure MIME (S/MIME) Working Group, and I contributed to several cornerstone Internet PKI standards (including RFC 5280). In November 2004, I was recognized by the IEEE 802.11 working group for my contributions to IEEE 802.11i-2004, which fixes the severe security shortcoming of the Wired Equivalent Privacy (WEP). I provided major contributions to several security protocols, including the Cryptographic Message Syntax (CMS), SDNS Security Protocol 4 (SP4), SDNS Message Security Protocol (MSP), IEEE 802.10b Secure Data Exchange (SDE) Protocol, and IEEE 802.10c Key Management Protocol.

7. I have worked in the computer and network security field since 1982. Before starting Vigil Security, I worked at the Air Force Data Services Center (AFDSC), Xerox Special Information Systems (XSIS), SPYRUS, and RSA Laboratories. My security research and standards interests include security protocols, certificate management, cryptographic key distribution, and high assurance design and development practices. I have been active in many security standards organizations, and my recent focus has been on the Internet Engineering Task Force (IETF).

8. I have served as the Chair of CertiPath Policy Management Authority, where I assisted with the transition from SHA-1 to SHA-256. I also provided technical and policy advice to the WiMAX Forum Policy Authority for the PKI that is used to authenticate WiMAX Devices and the separate PKI that is used to authenticate the AAA servers within a WiMAX network.

9. I am a Consultant to the U.S. Government. I helped with Crypto Modernization activities, especially in the areas of secure firmware loading, trust anchor management, public key infrastructure, and key management infrastructure.
10. I am a member of the Advisory Board for the Georgetown Center for Secure Communications (GCSC) at Georgetown University, the Security and Software Engineering Research Center (S2ERC) at Georgetown University, and the Center for Information Assurance at the University of Dallas, Graduate School of Management. I am a technical advisor to Penango.

11. I received a Bachelor of Science in computer science from Virginia Tech in 1982, and I received a Master of Science degree in computer science from George Mason University in 1992.

12. I am the co-author of two books: Implementing Email and Security Tokens: Current Standards, Tools, and Practices, published by John Wiley & Sons in 2008, and Planning for PKI – Best Practices Guide for Deploying Public Key Infrastructure, published by John Wiley & Sons in 2001.

13. I am the inventor of five U.S. Patents:

- US Patent 6,003,135: Modular security device
- US Patent 6,088,802: Peripheral device with integrated security functionality
- US Patent 6,904,523: Method and system for enforcing access to a computing resource using a licensing attribute certificate
- US Patent 6,981,149: Secure, easy and/or irreversible customization of cryptographic device
- US Patent 7,356,692: Method and system for enforcing access to a computing resource using a licensing attribute certificate.
14. A copy of my curriculum vitae, which describes in further detail my qualifications, responsibilities, employment history, and publications, is attached to this declaration as Appendix A.

C. Compensation and Prior Testimony

15. I am being compensated at my normal consulting rate for my work and testimony in this matter. I also am being reimbursed for reasonable and customary expenses associated with my work and testimony in this matter. My compensation is not contingent on the outcome of this matter or the specifics of my testimony and in no way affects the substance of my statements in this Declaration.

16. I have no financial interest in Petitioner or in the ‘151 Patent.

17. I have never testified in Federal District Court, but I testified in the U.S. International Trade Commission on January 13, 2012. Also, I was deposed on May 31, 2005 for a civil action in the U.S. District Court for the Eastern District of Virginia, Alexandria Division.

D. Information Considered and Right to Supplement

18. My opinions are based on my years of education, research and experience, as well as my investigation and study of relevant materials. In forming my opinions, I have reviewed and understand the materials referred to herein or listed in Appendix B.

E. Availability for Cross-Examination

19. In signing this Declaration, I recognize that the Declaration will be filed as evidence in a contested case before the Patent Trial and Appeal Board of the United States Patent and Trademark Office. I also recognize that I may be subject to cross-examination in the case and that cross-examination will take place within the United States. If cross-examination is required of me, I will appear for cross-examination within the United States during the time allotted for cross-examination.

II. LEGAL STANDARDS AND ANALYSIS

20. I have reviewed and understand the specification and claims of the ‘151 Patent.

21. I believe a person of ordinary skill in the art in the field of the ‘151 Patent would be someone who, prior to February 2000, was familiar with TCP/IP networking principles and Internet Engineering Task Force (IETF) activities in the areas of DNS, IP Security, and Virtual Private Networks. The person of ordinary skill is deemed to have a general knowledge of all relevant prior art including patents and published patent applications, books, academic papers, and other publications. The person of ordinary skill in the art may have at least a Bachelor’s degree in engineering or computer science. The person of ordinary skill in the art may have worked in academia, for a technology company, or for a government.

III. THE ‘151 PATENT

22. For purposes of claims 1 and 13, the ‘151 Patent relates to automatic creation of a secure, encrypted communication channel in response to a domain-name service (DNS) look-up function (Ex.1001 at 36:58-60).

23. In the ‘151 Patent, a DNS request is generated from a client computer to request an IP address corresponding to a domain name that is associated with a web site hosted by a server. A determination is made whether the DNS request is requesting access to a secure web site, e.g., based on a domain name extension, or by reference to an internal table of such sites. (Ex.1001 at 37:60-65). When the DNS request corresponds to a secure web site, a VPN is automatically initiated between the client computer and the target computer. (Ex.1001 at 37:33-38). When the DNS request does not correspond to a secure web site/server, a look-up function is performed that returns the IP address of the non-secure web site. (Ex.1001 at 37:43-48).

24. The ‘151 Patent discloses various exemplary embodiments for implementing such automatic creation of a VPN. With respect to receiving the DNS request and determining if the request corresponds to a secure web site (e.g., the user is authorized to access the secure web site), a DNS server may perform these steps. (Ex.1001 at 37:33-38). In another example, a DNS proxy may receive the DNS requests and perform the determining. (Ex.1001 at 37:60-62). In some embodiments, the DNS proxy may reside on a different machine than the DNS server (Ex.1001 at 38:33-35), and in other embodiments, the DNS proxy and DNS server may be combined in a single machine. (Ex.1001 at 38:31-33).

25. With respect to creating the encrypted channel (e.g., the VPN), the DNS server may set up the VPN between the client computer and the server. (Ex.1001 at 37:33-38). Alternatively, a DNS proxy may send a request to a gatekeeper to create the VPN between the client computer and the server. (Ex.1001 at 39:10-20). The gatekeeper facilitates the allocation and exchange of information needed to communicate securely and may send a resolved address back to the client computer via the DNS proxy. (Ex.1001 at 38:24-28, 39:10-20). In any of these examples, the VPN is established without user involvement.
26. As with the DNS proxy and DNS server, the gatekeeper and DNS server may reside on different machines or be combined on a single machine. (Ex.1001 at 38:53-55). By extension, any of the DNS proxy, DNS server, and gatekeeper may be on the same or different machines.

27. With respect to the look-up function, the DNS proxy may send a DNS request to a DNS server, which performs the look-up to return an IP address. (Ex.1001 at 38:22-24). In some embodiments, the gatekeeper instructs the DNS proxy to send the DNS request to the DNS server. (Ex.1001 at 39:28-36).

IV. KIUCHI

28. Based on personal experience, I can establish that the article entitled “C-HTTP – The Development of a Secure, Closed HTTP-based Network on the Internet,” written by Takahiro Kiuchi and Shigekoto Kaihara (hereinafter “the Kiuchi paper” or simply “Kiuchi”), was presented to the public at the Symposium on Network and Distributed Systems Security (SNDSS) in 1996, and the paper was published in the symposium proceedings, distributed to the participants and made available to the public. At the time, I was then the Chief Scientist at SPYRUS and I gave a presentation as part of a panel discussion in session 4 at the SNDSS conference. The C-HTTP paper was presented in session 3 of the conference.

29. Similar to the ‘151 Patent, Kiuchi was concerned with establishing secure network links between different hosts on the Internet. (Ex.1002 at 64). In particular, the service was contemplated for use by medical institutions for protecting patient information and other private information of the institutions, although Kiuchi makes clear that the closed virtual network can be used in other areas (Ex.1002 at 69, paragraph 5). To facilitate my explanation of Kiuchi, I present the following figure (Figure 1), which shows the relevant components of Kiuchi’s system (which Kiuchi calls the “C-HTTP” system):

[Figure 1]

30. Kiuchi creates a closed network over the Internet that allows a user agent computer to access private web pages (HTML documents) stored on an origin server (i.e., a “secure target web site”) in the closed network. The user agent and origin server are members of the closed network constructed over the Internet using a client-side proxy that performs proxy functions for the user agent and a server-side proxy that performs proxy functions for the origin server. The client-side proxy and server-side proxy are installed in firewall devices situated between the user agent and the origin server, which are unaware of these proxies. (see Ex. 1002 at 64, sec. 2.1).

31. The user agent and the origin server are conventional HTTP/1.0 compatible devices, e.g., “[c]ommunications between two kinds of proxies and HTTP/1.0 compatible servers/user agents within the firewalls are performed based on HTTP/1.0.” (Ex.1002 at 64, sec. 2.1, emphasis added). It is well-known that HTTP is the communication protocol used to connect to servers on the World Wide Web. (Ex.1023 at 436). Kiuchi shows an example in which a web page (HTML document) is sent from origin server to client-side proxy (see Ex.1002 at 66, Figure (a)). The client-side proxy sends a rewritten version of the HTML document with modified links (URLs or resource names) to the user agent (see Ex.1002 at 66, Figure (b)). An end-user is able to select and request a modified link in order to generate an HTTP GET request for the requested web page (see Ex.1002 at 65, sec. 2.3(a); Ex.1002 at 66, Figure (c)(1)). Thus, it is clear that Kiuchi is providing access to private web pages at a secure target web site (i.e., the origin server).
32. The client-side proxy and server-side proxy work in conjunction with a C-HTTP name server over the Internet. (Ex.1002 at 64). For permitted secure communications, the C-HTTP name server is the server that responds to name service requests by looking up domain names and returning their IP address and related VPN resources, i.e., public key and Nonce values (Ex.1002 at 65, sec. 2.3(2)). Each proxy is registered with the C-HTTP name server, including a hostname, IP address, and public key for the proxy. (Ex.1002 at 65, sec. 2.2). The hostname (domain name) of the server-side proxy is used to access resources at an origin server being proxied by the server-side proxy. For non-secure connections, a conventional DNS name service is used to return IP addresses. Id. Thus, domain name services are provided by the C-HTTP name server for secure communication requests and by a conventional DNS for non-secure communication requests.

33. The client-side proxy receives, from the user agent, an HTTP request specifying a web page (HTML document) stored at the origin server and associated with a given URL. The URL in the HTTP request has the format “http://<hostname>/<web page>[connection ID]” (see the sample URL at Ex.1002 at 65, sec. 2.3(1), where “server.in.current.connection” is the hostname (i.e., “domain name”) of the server-side proxy, “sample.html” is a web page stored on the origin server being proxied by the server-side proxy, and “6zdDfldfcZLj8V!i” is an optional connection ID).

34. Thus, the functions performed by Kiuchi’s client-side proxy and C-HTTP name server can be represented as depicted schematically in the following figure (Figure 2):

[Figure 2]

35. In order to create a secure, encrypted channel (VPN), the client-side proxy first determines whether the HTTP request is directed to a secure server (i.e., a server-side proxy) in the closed network. Specifically, the client-side proxy “asks the C-HTTP name server whether it can communicate with the host specified in [the] URL” (Ex.1002 at 65, sec. 2.3(2)), specifically by “[taking] off the connection ID and [forwarding] the stripped, the original resource name to the server in its request” to the name server. (Ex.1002 at 65, sec. 2.3(1)). Thus, the client-side proxy extracts the domain name from the HTTP request and sends the requested domain name to the C-HTTP name server to request the IP address of the host.

36. Upon receiving the request from the client-side proxy, the name server “examines whether the requested server-side proxy is registered in the closed network.” (Ex.1002 at 65, sec. 2.3(2)). The name server returns an IP address only if the requested server-side proxy is registered in the closed network, and a secure connection with the server-side proxy is permitted. (Ex.1002 at 65, sec. 2.3(2)). Along with the IP address, the C-HTTP name server also returns the public key of the server-side proxy and Nonce values. Id. A Nonce value is a value used once for security/encryption. The C-HTTP name server generates and provides the Nonce values, which are later used to establish a secure connection between the client-side proxy and the server-side proxy. (see Ex. 1002 at 65, sec. 2.2). A Nonce value is used to prevent a replay attack. Id.

37. The client-side proxy uses the public key and Nonce values to create a secure, encrypted communication channel (i.e., VPN) with the server-side proxy (Ex.1002 at 65, sec. 2.3(3)). Specifically, the client-side proxy “sends a request for connection to the server-side proxy, which is encrypted using the server-side proxy’s public key and contains the client-side proxy’s IP address, hostname, request Nonce value and symmetric data exchange key for request encryption.” (Ex.1002 at 65, section 2.3(3)). Thus, the secure, encrypted channel (VPN) is automatically initiated in at least two ways, first by the C-HTTP name server, which sends the public key and Nonce values to the client-side proxy to cause creation of the VPN (which is analogous to the DNS proxy in the ‘151 Patent sending a message to the gatekeeper computer to request that a VPN be created – see Ex. 1001 at 37:66-38:2), then by the client-side proxy, which sends the request for connection to the server-side proxy.

38. When the server-side proxy receives the client-side proxy’s IP address, the hostname and public key, it authenticates the values and generates a connection ID as well as a second key for response encryption (Ex.1002 at 65-6, sec. 2.3(4)). When these are accepted and checked by the client-side proxy, the secure, encrypted communication channel is established (Ex.1002 at 66, sec. 2.3(5)). Security between the proxies is made possible by the public key and Nonce values provided by the C-HTTP name server.

39. Once the secure, encrypted communication channel is established, HTTP/1.0 messages can then be exchanged between the user agent and the origin server over the secure, encrypted channel via the proxies (Ex.1002 at 66, ¶¶ (7)-(8)).
40. If a secure connection with the requested host is not permitted, the name server instead returns an error status to the client-side proxy. (Ex.1002 at 65, sec. 2.3(2)). Specifically, in response to determining that the requested server-side proxy is not registered in the closed network (which indicates that the DNS request does not correspond to a secure server), the C-HTTP name server returns to the client-side proxy “a status code which indicates an error.” (Ex.1002 at 65, sec. 2.3(2)). In turn, “[i]f the client-side proxy receives an error status, then it performs DNS lookup, behaving like an ordinary HTTP/1.0 proxy.” (Ex.1002 at 65, sec. 2.3(2)). It is well-known that such a DNS lookup involves sending a request to a DNS server and receiving an IP address back from the DNS server. (Ex.1010 at 70 et seq.). In this way, the domain name is resolved and the IP address is returned to the client-side proxy, specifically by the client-side proxy sending a lookup request to the conventional DNS server which resolves the domain name and returns the IP address to the client-side proxy. Once the IP address is obtained, a typical non-secure communication may take place.
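
The name service lookup, request for connection, server-side check and error-status fallback described in paragraphs 32 through 40, as an added simulation that is not part of this declaration or of Kiuchi’s C-HTTP implementation. The hostnames, addresses, the name server’s vouch query used for the server-side proxy’s authentication step, and the stand-in keys, nonces and envelope are assumptions of this example.

```python
"""Simulation of the C-HTTP connection set-up described in paragraphs 32-40
(Ex.1002 sec. 2.2-2.3). Constructed example: the public key, the 'encrypted'
envelope and the symmetric keys are stand-in tags and random tokens, not cryptography."""
import secrets


class CHTTPNameServer:
    """Registry of hostname -> (IP address, public key) for every proxy (sec. 2.2)."""

    def __init__(self):
        self.registry = {}
        self.issued = {}   # request_nonce -> response_nonce (assumption: kept so it can vouch)

    def register(self, hostname, ip, public_key):
        self.registry[hostname] = (ip, public_key)

    def lookup(self, hostname):
        """Name service request from the client-side proxy (sec. 2.3(2))."""
        if hostname not in self.registry:
            return {"status": "error"}        # host is not in the closed network
        ip, public_key = self.registry[hostname]
        req_nonce, resp_nonce = secrets.token_hex(8), secrets.token_hex(8)
        self.issued[req_nonce] = resp_nonce
        return {"status": "ok", "ip": ip, "public_key": public_key,
                "request_nonce": req_nonce, "response_nonce": resp_nonce}

    def vouch(self, hostname, ip, request_nonce):
        """The 'authenticates the values' step of paragraph 38, modelled as a query from
        the server-side proxy back to the name server; returns the response nonce or None."""
        if self.registry.get(hostname, (None, None))[0] != ip:
            return None
        return self.issued.get(request_nonce)


class ServerSideProxy:
    def __init__(self, hostname, ip, name_server):
        self.hostname, self.ip, self.ns = hostname, ip, name_server
        self.public_key = "pubkey:" + hostname   # stand-in for a real key pair
        self.connections = {}                    # connection_id -> (request key, response key)

    def handle_connection_request(self, envelope):
        """Sec. 2.3(4): check the requester, then allocate a connection ID and a second key."""
        if envelope["to"] != self.public_key:    # 'encrypted' for some other key
            return {"ok": False, "reason": "not addressed to this proxy"}
        req = envelope["payload"]
        resp_nonce = self.ns.vouch(req["hostname"], req["ip"], req["request_nonce"])
        if resp_nonce is None:
            return {"ok": False, "reason": "requester not registered or nonce invalid"}
        cid, response_key = secrets.token_urlsafe(12), secrets.token_hex(16)
        self.connections[cid] = (req["request_key"], response_key)
        return {"ok": True, "connection_id": cid, "response_key": response_key,
                "response_nonce": resp_nonce}


class ClientSideProxy:
    def __init__(self, hostname, ip, name_server, dns, network):
        self.hostname, self.ip, self.ns = hostname, ip, name_server
        self.dns = dns            # constructed stand-in for the conventional DNS
        self.network = network    # ip -> ServerSideProxy, stand-in for the Internet
        self.sessions = {}        # connection_id -> (request key, response key)

    def connect(self, target_host):
        """Returns ('secure', connection_id), ('plain', ip) or ('refused', reason)."""
        resp = self.ns.lookup(target_host)
        if resp["status"] == "error":
            # Error status: behave like an ordinary HTTP/1.0 proxy and do a DNS lookup.
            return ("plain", self.dns.get(target_host))
        request_key = secrets.token_hex(16)
        envelope = {"to": resp["public_key"],    # sec. 2.3(3) request for connection
                    "payload": {"ip": self.ip, "hostname": self.hostname,
                                "request_nonce": resp["request_nonce"],
                                "request_key": request_key}}
        reply = self.network[resp["ip"]].handle_connection_request(envelope)
        if not reply["ok"]:
            return ("refused", reply["reason"])
        if reply["response_nonce"] != resp["response_nonce"]:   # sec. 2.3(5) check
            return ("refused", "response nonce mismatch")
        self.sessions[reply["connection_id"]] = (request_key, reply["response_key"])
        return ("secure", reply["connection_id"])


def build_closed_network():
    """Constructed deployment: a server-side proxy and a client-side proxy registered
    with the name server; www.example.org is known only to the conventional DNS."""
    ns, network = CHTTPNameServer(), {}
    server = ServerSideProxy("server.in.current.connection", "192.0.2.20", ns)
    network[server.ip] = server
    ns.register(server.hostname, server.ip, server.public_key)
    client = ClientSideProxy("client.in.current.connection", "192.0.2.10", ns,
                             dns={"www.example.org": "203.0.113.5"}, network=network)
    ns.register(client.hostname, client.ip, "pubkey:" + client.hostname)
    return ns, client, server


def demo():
    ns, client, _ = build_closed_network()
    secure = client.connect("server.in.current.connection")    # VPN established
    plain = client.connect("www.example.org")                   # error status -> DNS
    outsider = ClientSideProxy("outsider.example.net", "198.51.100.7", ns, {}, client.network)
    return secure, plain, outsider.connect("server.in.current.connection")
```

The third result shows the server-side proxy refusing a requester the name server has not registered, which is the authentication step paragraph 43 relies on.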

41. Kiuchi discloses at least two ways in which a gatekeeper computer is used for automatically initiating the VPN between the client-side proxy and the server-side proxy, one in which gatekeeper computer functions are implemented in the C-HTTP name server, and the other in which gatekeeper computer functions are implemented in the server-side proxy.
42. With regard to the former, the ‘151 Patent makes clear that the gatekeeper can be implemented as a function within the DNS server (see Ex.1001 at 38:22-24). As discussed above, the C-HTTP name server automatically initiates the VPN by sending the C-HTTP name service response to the client-side proxy. In this context, the C-HTTP name server also performs the functions of a gatekeeper computer because it allocates VPN resources, e.g., it generates and provides the request and response Nonce values and returns the public key of the server-side proxy and the request and response Nonce values to the client-side proxy. (Ex.1002 at 65, sec. 2.2).

43. With regard to the latter, as discussed above, Kiuchi’s client-side proxy automatically initiates the VPN by sending a request for connection to the server-side proxy. In this context, the server-side proxy also performs functions of a gatekeeper computer because it receives a request for connection from the client-side proxy (which is analogous to the gatekeeper computer in the ‘151 Patent receiving a message from the DNS proxy requesting that a VPN be created – Ex.1001 at 37:66-38:02) and allocates VPN resources such as a Connection ID and a second symmetric data exchange key that are used in establishing a secure connection between the client-side proxy and the server-side proxy. (see Ex.1002 at 66, sec. 2.3(4)-(5)). In order to create the VPN, the server-side proxy (i.e., the gatekeeper) has to accept the request for connection from the client-side proxy, authenticate the client-side proxy, check the integrity of the Nonce values, and generate a connection ID and other parameters for the VPN (Ex.1002 at 65(4)-66(5)). Under the broadest reasonable interpretation, the gatekeeper computer can be a function in the target computer.

44. A person of ordinary skill in the art would have understood that devices such as the client-side proxy device, the server-side proxy device, and the C-HTTP name server device are data processing devices and that functions performed in such devices are necessarily stored in computer program code in memory, as is the case for any such processing device. A person of ordinary skill in the art also would have understood that several elements claimed in the ‘151 Patent – e.g., client computer, DNS proxy server, target computer, and gatekeeper computer – encompass implementation of such elements in software modules. Such software modules can reside on separate machines or be combined in ways where various functions reside on the same machine. This is the nature of software, where developers generally have great leeway in how to divide functions into software modules and where to place the software modules. Kiuchi also teaches to an ordinarily skilled artisan that the functions of a “DNS proxy server” can be included in the same machine as the client computer (i.e., the client-side proxy machine) or in a DNS server such as the C-HTTP name server, and that the functions of a “gatekeeper computer” can be included in the server-side proxy or the C-HTTP server.

45. Moreover, it would have been a matter of design choice to a person of ordinary skill in the art to consolidate domain name resolution functions in Kiuchi’s C-HTTP name server. Kiuchi clearly recognizes and discloses that a conventional DNS lookup is needed when the DNS request does not correspond to a secure server, i.e., when the requested server-side proxy is not registered in the closed network. (Ex.1002 at 65, sec. 2.3(2)). This is identical to the ‘151 Patent, where a DNS lookup is performed when the DNS request does not correspond to a secure server. (Ex.1001 at 38:12-16).

46. Kiuchi defines three new components for the system, namely the client-side proxy, the server-side proxy, and the C-HTTP name server. (Ex.1002 at 64, sec. 2.1). While Kiuchi describes a system in which a conventional DNS lookup request is made from the client-side proxy, it would have been apparent to a person of ordinary skill in the art based on Kiuchi’s teachings to make the conventional DNS lookup request from the C-HTTP name server. As discussed above, the C-HTTP name server already determines whether the DNS request received from the client-side proxy corresponds to a secure server in the closed network. Rather than returning an error status to the client-side proxy when the DNS request does not correspond to a secure server, it would have been trivial and obvious as a mere design choice for the C-HTTP name server to forward the DNS request to the conventional DNS server by passing the domain name received in the C-HTTP name service request to the conventional DNS server, as depicted in the following figure (Figure 3):

[Figure 3]

47. Such a configuration, which places a DNS proxy server function in a modified C-HTTP name server, is merely a rearrangement of existing functions within the C-HTTP system and could be implemented with or without modifying Kiuchi’s protocols. For example, a C-HTTP name service response message containing an IP address without a public key and Nonce values (e.g., using values of zero or other convention for the public key and Nonce fields, or modifying the protocol to use a previously unused flag in the response to indicate that a public key and Nonce values are not provided) would indicate to the client-side proxy that the DNS request does not correspond to a secure server and hence that no VPN is needed. The motivation for modifying Kiuchi in this way would have been to streamline the operation of the system, e.g., instead of having the C-HTTP name server send an error status to the client-proxy which would in turn initiate a conventional DNS inquiry, the modification eliminates the error status message from the process by having the C-HTTP name server directly initiate the request to the conventional DNS server.

48. I have gone through the claims in view of Kiuchi as discussed in paragraphs 29-47 above and have set forth the correspondence between them, element by element, as set forth in the claim chart attached as Appendix C.

49. Additionally, Kiuchi’s client-side proxy performs a “resolver” function that receives a domain name resolution request from an internal client (i.e., the domain name extracted from the received HTTP request) and returns an IP address for the domain name. The client and resolver functions performed by Kiuchi’s client-side proxy can be represented as depicted schematically in the following figure (Figure 4):

[Figure 4]
50. Prior to February 2000, it was well-known for a client function of a client computer (e.g., an application such as a web browser) to request domain name resolution from a resolver function in the client computer. For example, client applications running on Windows and Unix operating systems made function calls to the operating system (specifically, the “gethostbyname” function) in order to obtain an IP address for a given hostname (see Ex.1004 – “From an application’s point of view, access to the DNS is through a resolver …. The [gethostbyname(3) library function] takes a hostname and returns an IP address…The resolver contacts one or more name servers to do the mapping”). Ex.1005 at 112 describes error return codes from gethostbyname() and gethostbyaddr() library functions “when using the resolver.” Ex.1006 describes the gethostbyname eCos system library function. Ex.1007 at 2:63-3:8 states that “When a user program, such as the browser, requests information ... a resolution request is passed in the form of a query to the resolver.” Ex.1008 at 9:49-54 states that “Access to the DNS is through a resolver and software library functions. The function in this case takes a domain name or host name and returns an IP address.”

51. Thus, in Kiuchi, an internal resolution request is made to the resolver function (which is a collection of software functions within the client-side proxy), which acts as a DNS proxy server to contact the C-HTTP name server and optionally also the conventional DNS server to obtain an IP address for the domain name and return the IP address to the internal client. This internal resolution request is a domain name service request because it is a communication that contains a domain name and requests an IP address for the domain name.

52. Furthermore, a careful consideration of the inner workings of the client-side proxy also reveals that the resolver function performs functions that map directly to the functions performed by the DNS proxy server of the ‘151 Patent. The DNS proxy server of the ‘151 Patent receives a DNS request, determines whether access to a secure web site has been requested (e.g., based on a domain name extension or by reference to an internal table of such sites), automatically initiates a VPN if access to a secure target web site has been requested, and passes through the DNS request to a conventional DNS server if access to a non-secure site had been requested (see Ex.1001 at 37:60-38:16). Similarly, the resolver function of Kiuchi receives a DNS request, determines whether the DNS request corresponds to a secure server (based on a query to the C-HTTP name server, which essentially is just a remote table lookup similar to the internal table lookup of the ‘151 Patent), automatically initiates/creates a secure, encrypted channel (VPN) if access to a secure target web site has been requested, and forwards the DNS request to a conventional DNS server if the DNS request does not correspond to a secure server.

53. Thus, when the Client Module receives the HTTP request from the user agent, it extracts the hostname from the URL received in the HTTP request and sends an internal resolver request containing the domain name to the DNS Proxy Server Module. This internal resolver request is a “DNS request” because it is a communication that contains a domain name (i.e., the hostname from the URL in the HTTP request) and requests an IP address for the domain name.

54. Upon receiving the DNS request from the Client Module, the DNS Proxy Server Module sends the domain name to the C-HTTP name server in the form of a C-HTTP name service request to ask the C-HTTP name server whether the client-side proxy can communicate with the specified host. (Ex.1002 at 65, sec. 2.