Patent Grant
7929689
This application is related to co-pending U.S. Patent Application Methods and Systems for Authenticating Messages Ser. No. 10/401,241, filed Mar. 27, 2003.
Keys and cryptographic identifications (“IDs”) play a key role in many applications which require user verification, such as computer systems, and the like. In an exemplary peer-to-peer computer system, a user identification (“ID”) might be used as a verifier to a systems administrator that a user is entitled to access a network when the ID is presented electronically, such as electronic mail. Alternatively, IDs may be transmitted by voice or by writing.
In the past IDs have been presented manually using business cards or verbally. The IDs are typically a long stream of binary numbers that are not easy to remember. The IDs may be secured using cryptographic processes. However, the protected IDs are typically longer yet and also hard to pass around easily. Thus a user further gives up ease of use when protecting an ID with encryption.
The following presents a simplified summary of the disclosure in order to provide a basic understanding to the reader. This summary is not an extensive overview of the disclosure and it does not identify key/critical elements of the invention or delineate the scope of the invention. Its sole purpose is to present some concepts disclosed herein in a simplified form as a prelude to the more detailed description that is presented later.
The present invention provides a relatively short “call sign” to identify a user to a computer network. The network may be a peer-to-peer network where individual computers in the network tend to have more responsibility for security than in other networks. The call sign incorporates information about the person presenting the call sign for admittance to the network. The call sign is short and easy to remember, while conventional IDs are typically long and difficult to remember. Call signs also incorporate a “salt” value that is pre-calculated to cause a hash of itself and the personal information to output a fixed length result that is easily transformed to a call sign that includes letters and digits. Information other than the personal information may be included for hashing depending upon the application.
Those having skill in the art would understand the desirability of having a short easily remembered ID that is cryptographically secure. This type of call sign would necessarily be short enough to remember while still providing sufficient security, thus allowing the usability of peer-to-peer, or other, networks to be improved.
Many of the attendant features of this invention will be more readily appreciated as the same becomes better understood by reference to the following detailed description considered in connection with the accompanying drawings.
The following discussion may be best understood with reference to the various views of the drawings, described in summary below, which form a part of this disclosure.
I. First Embodiment of Call Signs Having an Explicit Number of Zeroes and a Method of Generating Them
II. Second Embodiment Call Signs Having a Requested Number of Zeroes Set by a Verifier and a Method of Generating Them
III. Alphanumeric Encoding for Passage of the Call Sign to ASCII
IV. Third Embodiment of Call Signs as Applied to the Peer-to-Peer Name Resolution Protocol
The detailed description provided below in connection with the appended drawings is intended as a description of the present embodiments of the invention and is not intended to represent the only forms in which the present invention may be constructed or utilized. The description sets forth the functions of the invention and the sequence of steps for constructing and operating the invention in connection with the illustrated embodiments. However, the same or equivalent functions and sequences may be accomplished by different embodiments that are also intended to be encompassed within the spirit and scope of the invention.
Although the present invention is described and illustrated herein as being implemented in a peer-to-peer computer network system, the system described is provided as an example and not a limitation. As those skilled in the art will appreciate, the present invention is suitable for application in a variety of different types of computer systems.
Many computer networks may call for the generation of peer names typically used in the process of “peer-to-peer” name resolution. As currently implemented, peer-to-peer name resolution protocols (PNRP) are typically constrained to, either use short peer names that can be easily handled by the users (that do not tend to provide adequate security); or use long peer names that include long binary strings (that typically provide a higher level of security) that are not easily handled by the users. Those skilled in the art will realize that shortened identifiers may be applied to any type of computer network, or system where a secure and shortened identification tool is desired.
Long peer names can typically be secured through the application of cryptographic processes. However, such long names typically can not be easily handled by a user. The long names are typically hard to remember and enter to gain access to a computer network. In short, the current state of the art typically forces users to choose between ease-of-use and security. It would be desirable to provide a way to identify a computer in a peer-to-peer network, in a secure way, with a short easily remembered identifier.
I. First Embodiment of Call Signs Having an Explicit Number of Zeroes and a Method of Generating them
The method of producing call signs typically used for peer-to-peer identification addresses the difficulty in securely communicating a user's identity. Security is accomplished by using a secure process to construct short call signs that can be easily remembered and entered by users. Such call signs may be strongly protected by a cryptographic process. For example a call sign for peer-to-peer identification such as “ZA4-3Y-4W-ZF4” 202 is short and secure. Such a call sign may be remembered with little more difficulty than remembering ones social security number.
The exemplary call sign illustrated 202 includes ten alphanumeric characters. Those skilled in the art will realize that call signs having more, or less characters may be produced. Each of the ten call sign characters represents five binary bits 203. The segments are portions of a longer binary number that has been broken up into five bit segments. Those skilled in the art will realize that alphanumeric characters may be used in equivalent embodiments to represent binary numbers of lengths either greater, or less than 5 bits.
The first digit in the call sign digits is the letter “Z” as can be seen in this example. In this example, the first digit has been defined to communicate the number of zeroes that are used in decoding the call sign. Here the letter Z has been defined to represent the decimal number 31, which is the five bit binary number 11111. Those skilled in the art will realize that in equivalent embodiments of the invention the placement of the digit identifying the number of zeroes, and the number of zeroes in the call sign may vary. Similarly, any bit pattern or character may be selected in place of “Z” in the example.
The remaining nine alphanumeric characters of this call sign represent the remainder of the binary number. These digits are designated as (“L”). In this example L is forty five bits long. The binary number L has been taken from the result of a cryptographic process used to encrypt the users identification. The remaining L bits in places two through ten are broken into five bit segments that are mapped to the nine remaining alphanumeric characters. Those skilled in the art will realize that the mapping of binary numbers to alphanumeric characters may be done by table lookup, formula, or other equivalent methods known to those skilled in the art. Those skilled in the art will also realize that the ordering of the ten characters may be varied in equivalent embodiments.
After decoding the number of zeroes and the number L from the call sign, cryptographic processing is performed on the binary digits to recreate the user's identity. Once the user's identification has been established then access to a network and other privileges may be granted to the person holding the call sign.
Generating the First Embodiment of the Call Sign from a Distinguished Qualifier
It is assumed that an entity to be named is in possession of a conventionally generated public/private key pair K/P, and a personalization information string, or digital identity, X. The personalization information string may be composed of natural attributes of the entity to be named. For example the personalization information string may include a combination of common name, company name, city, and e-mail address, and the like. The conventionally constructed public key K may be represented by a binary string, and the personalization information string by a text string.
Those skilled in the art will appreciate that any particular bit pattern may be used in place of leading zeroes. For example, further alternative embodiments may utilize leading ones, or a minimum number of “0110” groups or the like. What is sought in generating the call sign is that part of the call matches a predetermined pattern, while the remainder of the bits that make up the call sign and tend to not have patterns make up the remaining digits of the call sign. Alternately, a predetermined pattern could be obtained from a secondary function rather than the hash function used to produce a distinguished hash value.
Hashing is a process often used in cryptographic processes that produces a fixed-size result by applying a mathematical function called a hashing algorithm, to an arbitrary amount of data. The hash functions utilized in the embodiments are of the type known to those skilled in the art. Typical hashing algorithms include MD2, MD4, MD5, and SHA-1.
The hash functions utilized in the embodiments may be characterized as one way cryptographic hash functions. As will be appreciated by those skilled in the art, one way hash functions typically have several unique properties: it is easy to compute the fixed length hash value or result from an arbitrary length message input; given the fixed length hash value it is difficult to compute the arbitrary length message; and given the arbitrary length message input it is difficult to find another message that will produce the same fixed length hash value.
The distinguished hash, H 301 produced from the distinguished salt and other strings starts with a large umber of zeros (or other equivalent defined bit patterns) in the MSB side of the number produced by the hash. Those skilled in the art will appreciate that in alternate equivalent embodiments the zeros (or other equivalent defined bit patterns) may be located on the LSB digits or other positions or that other characteristics of the described hash or another function could be used as an indicator. The distinguished salt value and the final distinguished hash are found through iterations of the one way hash function evaluated with different salt values. The salt value which results in a hash with the largest number of leading zeros is retained as the distinguished hash. The trials are repeated until a certain amount of time T has elapsed. Those skilled in the art will appreciate that the embodiments of the invention seek to find zeroes for some fixed time “T”, under the assumption that an attacker would have to spend a multiple of T to find the same number of zeroes and match forty or forty-five bits. An embodiment of the search process for finding the distinguished salt value may be written as follows:
At the end of the specified time T, a distinguished salt S and a distinguished H are found.
The distinguished hash, H is defined as the hash of K, X and S through a cryptographically strong one way function.
Distinguished hash=H=H(K,X,S)
A logical call sign is created from the distinguished hash H that is a binary number. The distinguished hash 301 is of a predetermined number of bits (“M”). M includes the leading zeroes (“Z”) 302 of the distinguished hash, and a pre-selected number of the bits (“L”) 303 of the distinguished hash value H that immediately follow the last leading zero (or the LSB of the leading zeros).
Once the number of zeros is determined the next step is to determine how many bits, L remaining from the distinguished hash H, are to be included in the content of the call sign. The parameters T (used in finding the distinguished salt) and L are chosen taking into consideration security and scaling considerations. The process presented above has two parameters: the time T during which the trials are run, and the number L of selected bits. These parameters are determined by taking into consideration scaling to a predetermined number of entries, making spoofing attacks by hackers difficult and future proofing the call sign so that it remains secure in the future. Future proofing is typically an exercise in taking into account Moore's law so that the unforgeability of the call sign remains valid as the speed of computers improves. An additional consideration in selecting these parameters is resisting “catalog” attacks from hackers.
Encoding of the Number of Zeroes in the First Embodiment
Once the number of zeroes are found, a way of encoding their number into the call sign must also be found. To generate a short call sign having sufficient security the total number of bits are kept sufficiently small so that they may be encoded in a short digital or alpha-numeric string. The total number of bits to be encoded is the sum of the number L and the number of bits necessary to encode the number of zeroes, Z. Typically, the number Z will be lower than 128, and may be encoded with 7 bits.
In alternative embodiments it is possible, instead of encoding the actual number of null bits, to encode the number of null octets, using 4 bits, or the number of null “4 bits nibbles”, using 5 bits. The modified process for finding a sufficient number of nibbles is:
For example twenty-four leading zeroes can usually be obtained in this way in less than a minute on a conventional PC having a 1 GHz CPU.
As will be shown below, the number L, which is the group of bits following the leading zeroes that will make up the call sign, should seldom be lower than 40 bits. The practical range for the number of leading zeroes, Z, is between 24 and 88. Values between 24 and 87 can be encoded using a formula:
Z=24+R
In this formula, R is a number varying between 0 and 63. Equivalently, the formula below may be used:
Z=24+2*P
P is a number between 0 and 31 that encodes the number of pairs of zeroes. A number between 0 and 31 is very practical, because it can be encoded as a single alphanumeric character. The modified process for finding a sufficient number of zeroes that may be encoded in a single alphanumeric character is:
The next trade-off is the choice of the value L and of the time T. Their selection is discussed later.
The call sign that is suitable for casual exchange is obtained by using a digital or alpha-numeric encoding of the logical call sign, including an encoding of the number of zeroes Z and an encoding of the L selected bits. The Z plus L bits 304 that make up the call sign may be broken up into 5-bit segments. Each 5-bit segment is represented by an alphanumeric character. The alphanumeric characters are then assembled into the call sign 305. And finally one or more separators may be added to form the final call sign 306. One may also adopt call sign shortening conventions such as dropping leading “Q”s.
Call Sign Verification Procedure
When a third party receives a call sign they verify the linkage between the call sign, the public key and the personalization information string by asking the purported owner of the call sign to present the values of the public key K, personalization information string X, and distinguished salt S. The third party will use a verifier to compute the distinguished hash from K, X, and S. They will then verify that the number of leading zeroes matches the value Z expressed in the call sign, verify that the value Z is no less than a predetermined minimum, and verify that the L bits encoded in the call sign match the corresponding bits in the hash value. As an additional precaution, the verifier will “visually” check that the personalization information string X corresponds to the natural values that are expected.
As previously stated the parameters T and L are chosen with security and scaling considerations. The process presented above has two parameters: the time T during which the trials are run, and the number L of selected bits. These parameters are determined by the need to scale to a predetermined number of entries, the need to not make spoofing too easy, and the need to be future proof, i.e. resist to Moore's law. An additional consideration is the resistance to “catalog” attacks.
Choosing L and T in Consideration of a Possible Spoofing Attack
Any process that links a public key to a short signature has to be concerned with the spoofing attack, in which an attacker finds another public key that results in the same signature.
A common defense is to rely on the difficulty of generating a public key. If the signature is a hash of the public key and some fixed text, and if the signature is L bits long, the attacker will have to generate 2^L public keys before finding a match. Those skilled in the art will appreciate that generating a public key involves finding two long prime numbers, which is a very expensive operation. However, only incompetent attackers would try to use standard key generation software to find the matching key. Instead, the attackers would possibly use a process, such as:
Get a first prime.
Add prime to list.
Repeat:
In this process, with a maximum list of size M prime computation only occurs on average once every M loops. By choosing a large M, the attacker effectively minimizes the impact of prime number generation on the run time of the core loop, which ends up being dominated by the cost of the hash function. Relying on the complexity of public key generation is not an efficient defense.
To find a hash that includes Z leading zeroes, the generator will have to perform about 2^(Z) operations; to find a corresponding hash, the attacker will have to perform about 2^(Z+L) operations. By choosing sufficiently large values of Z and L, one guarantees that the call signs are hard to spoof, without having to make hypotheses on the generation of prime numbers.
Another popular defense is to increase the cost of the hash function, for example by requesting that a standard hash be run several times, to obtain what one could call a “power N hash”. Regardless of cryptographic considerations, a drawback is that the increase in the cost of the hash function is symmetric: it applies to both the generation of the call sign and its verification. This is not a desirable property. One would like to have an asymmetric set up, in which generation may require a lot of computation in order to thwart spoofing attacks, but verification is very fast in order not to impose overdue loads on the readers.
The call sign process requires that the generator performs a large number of trials in order to find an adequate numbers of leading zeroes. This may require a long generation time, but does not affect the verification time, which is only marginally slower than a simple hash comparison.
Choosing L and T in Consideration of a Future Proofing and Moore's Law
The evolution of computing power over time is typically considered in evaluating the cryptographic strength of a hashing algorithm. According to Moore's law, the computing power available for a given cost doubles approximately every year and a half and quadruples every three years. This means that, everything else being equal, the amount of computing power available to an attacker doubles every year and a half. Put another way, an attack that requires a million years today would require less than a year 30 years from now. A code that looks unbreakable now may be quite easy to attack in the future, unless it has been sufficiently hardened, or “future proofed”.
To protect the call sign against future attacks the initial number of zeroes are selected to follow Moore's law. By doing this Moore's law benefits the security of the call sign. Instead of over-dimensioning the code so that a long call sign would be produced, the number of initial zeroes is chosen following Moore's law. The codes used today may have a relatively small number of zeroes, but the codes used in a few years will have an increasing number of leading zeroes.
If new codes are generated on new machines, spending the same amount of time in the generation process three years from now will find a hash with two extra zeroes. Those skilled in the art will realize that the cost of generation is proportional to 2^(Z), and the cost of the attack proportional to 2^(Z+L). By spending a fixed amount of time in the generation, the attacker will need to spend 2^L times that amount for mounting an attack. In short, the attack will be just as hard in 30 years as it is now. For example, if the generation period T is set to 1 minute and the length L is set to 40 bits, generating a spoofed value will require about 2 million years of computation on a current machine, and a call sign similarly generated 30 years hence will still require 2 million years of computation on a similar machine to spoof.
This argument only applies however if the call sign is only used for a short duration. Breaking a 40 bit call sign generated in one minute in 2003 requires 2 million years of computation with the computers available in 2003, or 2 million such computers used in parallel for a year. Breaking a 40 bit call sign generated one minute in 2033 will also require 2 million years of computation with the computers available that year. But the 2033 computers will be able to break the 2003 call sign in only 2 years.
Call signs will thus be subject to some form of obsolescence. A call sign generated in a given year should probably not be used for more than a few years. The overall resilience of a call sign depends on the time spent in the generation and of the number of bits L. A better resilience is achieved by letting the generation process run longer: each doubling of the generation time T will protect against an iteration of Moore's law. In further alternative embodiments a really strong sign may be formed by running the generation process for a long time.
In further alternative embodiments a reasonable protection is provided by associating an expiration date to a call sign. This is particularly attractive if the call sign is used as a bootstrapping mechanism, to find the actual public key of a correspondent. After the public key has been found, the complete information can be used, rather than the compressed information represented in the call sign. The complete information is much less vulnerable to obsolescence.
Choosing L and T in Consideration of the Possibility of Natural Collisions
Even in the absence of attacks, a problem with short codes is the possibility of “natural” collisions when two users happen to pick combinations of keys, personalization information strings, and salt that result in the same call sign.
The bit length L used in the call sign is limited in order to keep the call sign short, while the population of computer users (“P”) can be very large. For example, allocating at least one call sign per computer user in a population of P=10^10 to have less than a 50% chance of collision using methods known to those skilled in the art would have the length L larger than 67 bits. L should be larger than 73 bits if the chances of collision are to be less than 1%.
Bit strings this large would be encoded in a 15 alpha-numeric character call sign. This length is above the practical length of a call sign. In short, completely eliminating the possibility of collisions would only be practical if the personalization information string embedded a unique token such as an e-mail address, and if this unique token was securely transferred alongside the call sign.
Since the call sign length is constrained and collisions will occur, a method of detecting collisions may be employed. Collisions are resolved with the resolution of the call sign. If there is a collision, the reader will obtain several versions of the public key, personalization information string, and salt associated to a call sign, all of which pass the first level verification process. The reader selects the “right” or “expected” version based on the personalization information string. The collision resolution process may be iterated by performing the following steps or their equivalents:
1) initiate a search for a call sign;
2) retrieve a public key, personalization information string, and salt associated to the call sign;
3) if there is no such entry available, the search terminates as a failure;
4) perform the verification using the one way function. If it fails, repeat step 2;
5) if the personalization information string matches the expected value, the search concludes successfully; and
6) if the personalization information string does not match, repeat step 2.
If the resolution process is efficient, the key only needs to be long enough to maintain a frequency of collisions compatible with the collision resolution mechanism. For example, it is inefficient to sort through long lists of personalization information strings. Those skilled in the art will realize that collisions will be rather rare, and only involve a couple of matching entries if 2^L is sufficiently larger than P: L>log 2 P.
Quantification in Choosing L and T
The first embodiment of the call sign is composed of a set of alpha-numeric characters. Each character encodes 5 bits of information. For length considerations the first embodiment of the call sign should not be more than ten alpha-numeric characters long. One of the ten characters encodes the number of zeroes Z. The remaining 9 characters to encode L bits, which when using 5 bits per character, puts L at 45 bits. Alternative embodiments of call signs with L=35, 40 or 45 bits are also possibilities. In arriving at an L of 45 bits for the first embodiment the criteria given above have been quantified using methods known to those skilled in the art. The values of L may be assigned quantifiable merit to know which of these values will be acceptable; similarly the time T which should be spent searching for zeroes has been quantified.
The previous sections discussing spoofing attacks, catalog attacks, natural collisions, and increased computing power over time are summarized with the following set of criteria: The total Z+L should be large enough to prevent spoofing. The number of zeros Z corresponds to a compute time T. The product T*2^L should be large enough to prevent spoofing, even if we take into account some iterations of Moore's law. The personalization information string should be unique enough to discourage catalog attacks. The length L should be long enough to make name collisions rare, given a probable population size.
Quantification in Choosing L and T in Consideration of Spoofing Attacks
Values larger than 10,000,000 years are single underlined and italicized these values, would require 100 years of computation on a network of 100,000 present-day computers. As can be seen from the table an L of 45 bits is generally safe. Using an L of 45 bits in combination with search times for zeroes (T) of 16 minutes or more yields a call sign that will likely remain valid for 10 years.
Quantification in Choosing L and T in Consideration of a Catalog Attack
Those skilled in the art will realize that the catalog attack can only be applied against a popular personalization information string. If the personalization information string included only the first name and surname of a user, the catalog attack would be largely ineffective.
In alternative embodiments it is possible to strengthen the security of the call sign by reducing the frequency of popular names by including additional tokens in the personalization information string. For example a city and a country name may be added to the personalization information string. A catalog attack could then only target users who have the same additional tokens in their personalization information. For example those users with the same first name and surname, and who live in the same city. Those skilled in the art will realize that these users form a relatively small population. Those skilled in the art will appreciate that there will rarely be more than a few hundred such users in a city. From the table it can be seen that combining bit length L of 45 bits and duration T of 4 minutes (240 seconds) provides adequate security in the present application.
In further alternative embodiments the personalization information string includes a unique token such as an e-mail address, and when this token is safely passed as part of the call sign, then a catalog attack is defeated. Such a catalog attack is just as hard to successfully achieve as a spoofing attack.
Avoiding Obnoxious Identifiers
The luck of the draw in generating call signs may result in call signs that are not very desirable, such as “IAM-SO-DUMB”. Random chance may even result in call signs including words that are patently offensive, such as some well known four letter words.
The surest way to eliminate these occurrences is to submit the proposed call sign to the user, and let the user either accept the proposed value or ask for another. The design of the computation as 16 sequential steps helps to quickly regenerate another call sign. If a call sign is rejected, it is sufficient in an alternative embodiment to repeat the very last step of the procedure, using only 1/16th of the time necessary for a completely new computation. If the design in which the call sign is derived by a final hash step is maintained, it is possible in yet a further alternative embodiment to introduce at that stage a final salt value, so that new call signs can be derived by simply picking a random number.
Further alternative embodiments embed a protection against undesirable call signs by adding the step of including a list of “unwanted keywords” in the generation process. Such protection of including the keywords makes the code itself somewhat obnoxious. However, in the alternative embodiment, the alphanumeric encoding of binary values is of concern. We can include in the program the binary values are encoded rather than the actual keywords. They are present but in unreadable form.
II. Second Embodiment Call Signs Having a Requested Number of Zeroes Set by a Verifier and a Method of Generating them
There are some possible areas of improvement in the first embodiment. It may not be necessary to encode the number of leading zeros in the call sign, thus allowing for either shorter call signs, or call signs that are equally long but contain a larger number L of significant bits. Also, undesirable results may occur with alpha-numeric encodings. They can inadvertently result in “readable” character strings that contain offensive words. A call sign generation process should make sure that such words are avoided.
Encoding the Number of Zeroes in the Second Embodiment
The encoding of the number of zeroes in the first embodiment is a compromise. It supposes that the number of zeroes will always be larger than 24 and lower than 98, and that encoding the number of pairs rather than the number of zeroes provides sufficient granularity.
More fundamentally, the encoding of the number of zeroes in the call-sign assumes that the owner of a call sign should decide how many zeroes are necessary. In the first embodiment the time spent looking for a distinguished salt is fixed, with the assumption that the number of zeroes found during that time will “follow Moore's law”, and be representative of the average capacity of computers that year. However, the fixed time limit creates a dependency between the power of the computer used to generate the call sign and the strength of that call sign. In the second embodiment, we assume that the necessary number of zeroes will be determined by the receiver of the call sign.
This embodiment encodes a check in the verification code. A receiver of a call sign will obtain the public key K, the identifier X, and the distinguished salt S, and will then verify that the number of zeroes Z in the hash is larger than a minimum value, function of the year Y and the number of significant bits L:
Z>Z0−L+(Y−2003)/X
In this formula, the number Z0 is set to represent a key length that was considered sufficiently strength in the year 2003. The coefficient X describes the number of years needed to double the capacity of the average computer. For practical implementations, we set the value of X to 1.5, according to Moore's law, and the value of Z0 to 62, resulting in the formula:
Z>62−L+(Y−2003)/1.5
In this formula, the number 62 is computed assuming that 100,000 years of computing is a sufficient hurdle. In fact, the “bar” may well depend on the context in which the call sign is used. Financial application may require a larger value, e.g. 66 (1,000,000 years). Military services may be even more demanding.
III. Alphanumeric Encoding for Passage of the Call Sign to ASCII
As can be seen above, in producing a call sign the process assigns a numerical value from 0 to 31 for each character that has been picked for use in the call sign, yielding 32 available symbols. When the call sign is read by the computer, each character of the call sign is assigned a numerical value in the computer memory. When a call sign is output from the computer, each number that makes up the call sign in the computer is assigned a number or letter to make up the call sign output to the user. The combination of characters that make up the call sign are chosen by a call sign generation procedure. Their validity is then checked by a call sign verification procedure.
IV. Call Signs Applied to in the Peer Name Resolution Protocol (PNRP)
Connecting to a peer group, and subsequently joining the peer group are common tasks in peer networks that utilize security precautions in identifying users. To join a group, a peer computer receives an invitation from the owner of a peer group. To receive an invitation from the group owner, the tentative group member must first pass identifying materials to the group owner, which are its peer name and public key. This information is passed using email, file sharing, XML, or the like. The group owner will next issue an invitation to the tentative group member.
When the tentative group member receives the information, the tentative group member uses the invitation information to connect to the group. To connect to the group, the tentative group member uses PNRP and the group ID to resolve the address of a group member, and connect to the peer network through that group member.
Mutual authentication between the tentative group member and the current group member occurs, typically through a web of trust. After mutual authentication, the tentative group member is now a new group member that has a single neighbor. The neighbor is the computer from the peer network that has accepted the connection and with which the authentication occurred.
In particular with respect to connecting to a peer-to-peer computer network, a peer-to-peer network includes infrastructure networking software that provides a set of networking application program interfaces (“APIs”) for networking. These peer-to-peer applications may relate to collaborative communications, content distribution and the like. Peer-to-peer infrastructure API software may include the following components; peer name resolution protocol, multipoint communications, distributed data management, secure peer identities, and secure peer-to-peer groups.
The Peer-to-Peer Name Resolution Protocol (PNRP) allows peers in a peer-to-peer network to resolve “peer names” without involving servers, as would typically be needed in a server based network. The PNRP allows the peer computers to identify the other computers, or peers, in the network. The peer name resolution protocol provides an application program interface (API) that enables peer-to-peer resolution of names to endpoints, or nodes in the network that may conflict.
The peer name resolution protocol (PNRP) API is a name to IP resolution protocol that allows a group of participating peers to interact with each other by allowing computer nodes to find each other in the peer-to-peer network. Tasks that would typically be provided in a peer-to-peer network include registering and un-registering peer names, resolving peer names, and enumerating groups of peers. As will be appreciated by those skilled in the art resolving peer names includes finding peer names that do not conflict with each other. In addition to finding names that do not conflict with each other, it is desirable that the names found provide adequate security, and that users can remember their peer names.
Peer names are stable names that may identify computers, users, groups, or services. A peer name typically includes an authority that tells if the peer is secure, and a classifier that is simply a string of characters. As will be appreciated by those skilled in the art secure peer names may typically use the secure hash algorithm (SHA-1) or the MD5 algorithm to derive a 128-bit PNRP identifier to hash the public key K to the classifier C to provide secure transmission of the peer name. In the third embodiment C includes an identifier X, a salt S, and the identification of the hashing algorithm.
Cryptographic keys are devices known to those skilled in the art to provide security in network communications. Cryptographic keys are commonly used in a peer-to-peer environment to authorize access, and verify the identity of a source. Cryptographic keys allow the person in possession of the key to access data the key is associated with, or to forge the key owner's digital signature. Public key algorithms typically provide a pair consisting of a public key and a private key, denoted as K/P. The private key must be kept private and secure since it can be used as an identifier to the receiver of a message. The public key can be distributed freely so that others may decode a message. The public key of a key pair is often distributed with a digital certificate. When one key of a key pair is used to encrypt a message, the other key from that pair is used to decrypt the message.
These keys tend to be long, typically at least 256 hexadecimal digits. Thus passing them, and especially passing the public key can be cumbersome. Instant messaging or e-mail can be used but are prone to tampering, making verification of the key desirable. It is also desirable to include in the process of verification of the key, a verification that the person receiving the key is the person the sender intended to send the key to.
IV. Third Embodiment of Call Signs as Applied to the Peer-to-Peer Name Resolution Protocol
The Peer-to-Peer Name Resolution Protocol (“PNRP”) allows peers to resolve “peer names” without involving servers. The PNRP peer names are composed of two fields: first the “authority”, which is the SHA-1 hash of a public key; and second the “qualifier”, which is a Unicode text string. PNRP derives from these two fields a 128-bit PNRP-ID, using a cryptographic hashing function such as:
PNRP-ID=hash(authority, hash(qualifier))
This third embodiment augments the PNRP with a “call sign”. In order to generate a call sign for PNRP, the user will generate a “distinguished qualifier”. The combination of authority, a distinguished salt, and distinguished qualifier results in a PNRP-ID that starts with a large number of zeroes. The call sign is derived from this PNRP-ID. A new PNRP API allows users to enumerate the PNRP entries that match a call sign, and then to obtain the associated authority and qualifier.
The Distinguished PNRP Qualifier
A distinguished qualifier is formed from a personalization information string, the identifier of the secondary hash function, and a distinguished salt, separated by the delimiters “//” and “/”. Those skilled in the art will appreciate that the content of the personalization information string may vary depending upon the application in which the call sign is being used. For example the exemplary embodiment of PNRP call signs uses a unique personalization information string while other applications may call for different personalization strings.
Those skilled in the art will appreciate that the strings are separated by delimiters or other equivalent methods known to those skilled in the art. Those skilled in the art will also realize that the order of the strings, and the delimiters used may vary.
The hash function used is also included in the distinguished qualifier, and set off by delimiters. As will be appreciated by those skilled in the art the hash function may be of any type known to those skilled in the art that will yield sufficient security. For example the SHA-1 hash functions or its equivalent.
The salt is chosen during the call sign generation process. The salt is selected by performing a secondary hash of the peer name, causing the hashed result to start with a sufficient number of zeroes. The salt itself is composed of ASCII letters and digits. The formal syntax will be:
Distinguished Qualifier =<personalization>“//”<hash-function>“/”<salt>
An example of a distinguished qualifier is:
Qualifier:JonSmith<jsmith@yuhoo.com>//SHA1/A5E5F3Z4YWZTRF0TW9RTQ
The salt will be chosen so that the secondary hash of the authority and qualifier starts with a large number of zeroes.
Generation of the Third Embodiment of the Call Sign
The purpose of the Call Sign generation procedure is to find a distinguished qualifier that permits the peer name and associated call sign to pass the verification procedure. This includes finding an adequate “distinguished salt”, so the secondary hash of the peer name starts with an adequate number of zeroes.
As seen in the verification section the adequate number of zeroes varies over time. The formula
Z>17+(Y−2003)/1.5
is used for these purposes.
For generation purposes, the value Y should not be set to the current year, but rather to the year until which the call sign is expected to remain valid. By default, this will be set to the current year plus 10.
The generation proceeds as follows:
1) Initialize the value of the PNRP name authority, as per PNRP, using the canonical form of this authority as expected in the verification procedure.
2) Initialize the value of the personalization information X according to the user name.
3) Choose a valid secondary hash function, by default SHA-1, and note the corresponding identifier I.
4) Choose the adequate number of zeroes Z.
5) Repeat:
a. Pick a Salt S.
b. Compose the peer name based on the authority and the tentative distinguished qualifier, based on X, I, and S.
c. Compute the hash of the peer name according to the function I.
d. Measure the number of zeroes (N) in this hash.
Until the number N is larger than or equal to the number Z.
6) Compute the PNRP identifier associated to the peer name.
7) Compose a Call Sign based on the most significant 45 bits of the PNRP identifier.
8) Verify that the Call Sign does not include an offending word; if it does, repeat step 5.
Step 5 is expected to last about 15 seconds on a modern computer.
The last step in the generation function is meant to check that the random set of characters in the call sign does not result in some offensive language. It can be implemented by asking the user whether they accept to use the proposed call sign.
Verification of the Call Sign Generated in the Third Embodiment
The call sign verification procedure compares the peer identifier to the call sign, and verifies that a secondary hash includes a sufficient number of leading zeroes, Z. Verification of the number of leading zeros makes the call sign hard to spoof by third party. In first approximation, the cryptographic strength of the call sign is equivalent to the strength of a symmetric key whose length is Z+45. The value of Z may vary over time. As Moore's law predicts that computers become more and more powerful, the length requirement for Z will tend to increase. If Moore's law is assumed to hold for the foreseeable future, the value for the number of leading zeros, Z may be thought to be a function of the current year Y:
Z>17+(Y−2003)/1.5
Those Skilled in the art will realize that the value 17 used in the above inequality corresponds to a chosen security to computing trade off, and that a larger value may be chosen in more demanding environments.
The secondary hash function used to verify the call sign may change over time. In the current implementation, the hash function SHA1 known to those skilled in the art is used. In alternative embodiments, a list of acceptable hash functions may be maintained by the computer memory for use. In particular it is anticipated that hash functions will continue to be developed to provide improved security. Embodiments of the invention accommodate the development of new hash functions, by providing for their future use as they arise.
The verification shall proceed as follow:
1) Compute the PNRP identifier associated to the peer name.
2) Compare the most significant 45 bits of the PNRP identifier to the 45 bits encoded in the Call Sign.
3) If the 45 bits do not match, the verification fails.
4) Extract the identifier of secondary hash function from the distinguished salt.
5) If the hash function identifier is absent, is not acceptable to the verifier, or is not recognized as a valid value, the verification fails.
6) Compute the hash of a canonized version of the entire Peer Name with the specified secondary hash function.
7) Measure the number of leading zeroes in the resulting hash. If the number of zeroes is less than the target value Z, the verification fails.
8) Verify that the identification string is a plausible description of the person or entity designated by the call sign; if this is not the case, the verification fails.
9) If steps 1 to 8 are passed, the verification succeeds.
The “canonicalized version” of the Peer Name is obtained by making sure that the authority part of the peer name, normally composed of hexadecimal digits, is only encoded with digits and the upper case letters A, B, C, D, E, and F. Note that step 8 typically involves a human interaction.
Retrieval of PNRP Records from a Call Sign
In some cases, it may be useful to retrieve the PNRP record associated to a call sign, and thus the associated Peer Name. This can be achieved by: retrieving all the PNRP records whose PNRP identifiers start with the same 45 bits as the call sign; retrieving the corresponding peer names; eliminating the peer names that cannot pass steps 1 to 7 of the verification procedure; and using step 8 of the verification procedure to only retain the names that match the expected identity.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5005200 | Fischer | Apr 1991 | A |
| 5473691 | Menezes et al. | Dec 1995 | A |
| 5511122 | Atkinson | Apr 1996 | A |
| 5563998 | Yaksich et al. | Oct 1996 | A |
| 5673319 | Bellare et al. | Sep 1997 | A |
| 5729608 | Janson et al. | Mar 1998 | A |
| 5778065 | Hauser et al. | Jul 1998 | A |
| 5784562 | Diener | Jul 1998 | A |
| 5787172 | Arnold | Jul 1998 | A |
| 5848244 | Wilson | Dec 1998 | A |
| 5854898 | Riddle | Dec 1998 | A |
| 5892904 | Atkinson et al. | Apr 1999 | A |
| 5903721 | Sixtus et al. | May 1999 | A |
| 5917480 | Tafoya et al. | Jun 1999 | A |
| 5944794 | Okamoto et al. | Aug 1999 | A |
| 5987376 | Olson et al. | Nov 1999 | A |
| 6028938 | Malkin et al. | Feb 2000 | A |
| 6055234 | Aramaki | Apr 2000 | A |
| 6055236 | Nessett et al. | Apr 2000 | A |
| 6078948 | Podgorny et al. | Jun 2000 | A |
| 6088700 | Larsen et al. | Jul 2000 | A |
| 6088805 | Davis et al. | Jul 2000 | A |
| 6101499 | Ford et al. | Aug 2000 | A |
| 6108673 | Brandt et al. | Aug 2000 | A |
| 6108687 | Craig | Aug 2000 | A |
| 6128738 | Doyle et al. | Oct 2000 | A |
| RE36946 | Diffie et al. | Nov 2000 | E |
| 6148405 | Liao et al. | Nov 2000 | A |
| 6154541 | Zhang | Nov 2000 | A |
| 6155840 | Sallette | Dec 2000 | A |
| 6163809 | Buckley | Dec 2000 | A |
| 6175833 | West et al. | Jan 2001 | B1 |
| 6216110 | Silverberg | Apr 2001 | B1 |
| 6229806 | Lockhart et al. | May 2001 | B1 |
| 6233606 | Dujari | May 2001 | B1 |
| 6237025 | Ludwig | May 2001 | B1 |
| 6237035 | Himmel et al. | May 2001 | B1 |
| 6247029 | Kelley et al. | Jun 2001 | B1 |
| 6269099 | Borella et al. | Jul 2001 | B1 |
| 6279110 | Johnson et al. | Aug 2001 | B1 |
| 6308266 | Freeman | Oct 2001 | B1 |
| 6327652 | England et al. | Dec 2001 | B1 |
| 6341349 | Takaragi et al. | Jan 2002 | B1 |
| 6363352 | Dailey et al. | Mar 2002 | B1 |
| 6367009 | Davis et al. | Apr 2002 | B1 |
| 6367012 | Atkinson et al. | Apr 2002 | B1 |
| 6397303 | Arimilli et al. | May 2002 | B1 |
| 6405290 | Arimilli et al. | Jun 2002 | B1 |
| 6421673 | Caldwell et al. | Jul 2002 | B1 |
| 6424718 | Holloway | Jul 2002 | B1 |
| 6424981 | Isaac et al. | Jul 2002 | B1 |
| 6526411 | Ward | Feb 2003 | B1 |
| 6526506 | Lewis | Feb 2003 | B1 |
| 6529932 | Dadiomov et al. | Mar 2003 | B1 |
| 6578143 | Rose | Jun 2003 | B1 |
| 6600823 | Hayosh | Jul 2003 | B1 |
| 6615348 | Gibbs | Sep 2003 | B1 |
| 6636889 | Estrada et al. | Oct 2003 | B1 |
| 6658568 | Ginter et al. | Dec 2003 | B1 |
| 6671804 | Kent | Dec 2003 | B1 |
| 6675205 | Meadway et al. | Jan 2004 | B2 |
| 6687755 | Ford et al. | Feb 2004 | B1 |
| 6701344 | Holt et al. | Mar 2004 | B1 |
| 6714966 | Holt et al. | Mar 2004 | B1 |
| 6728753 | Parasnis et al. | Apr 2004 | B1 |
| 6732110 | Rjaibi et al. | May 2004 | B2 |
| 6745178 | Emens et al. | Jun 2004 | B1 |
| 6782103 | Arthan et al. | Aug 2004 | B1 |
| 6782294 | Reich et al. | Aug 2004 | B2 |
| 6789189 | Wheeler et al. | Sep 2004 | B2 |
| 6791582 | Linsey et al. | Sep 2004 | B2 |
| 6801604 | Maes et al. | Oct 2004 | B2 |
| 6832322 | Boden et al. | Dec 2004 | B1 |
| 6938166 | Sarfati et al. | Aug 2005 | B1 |
| 6941366 | Antes et al. | Sep 2005 | B2 |
| 6941384 | Aiken, Jr. et al. | Sep 2005 | B1 |
| 6944672 | Crow et al. | Sep 2005 | B2 |
| 6957346 | Kivinen et al. | Oct 2005 | B1 |
| 6968179 | De Vries | Nov 2005 | B1 |
| 7032242 | Grabelsky et al. | Apr 2006 | B1 |
| 7051202 | Tsunoo | May 2006 | B2 |
| 7134019 | Shelest et al. | Nov 2006 | B2 |
| 7216233 | Krueger | May 2007 | B1 |
| 7370197 | Huitema | May 2008 | B2 |
| 7409544 | Aura | Aug 2008 | B2 |
| 7478120 | Zhang | Jan 2009 | B1 |
| 7624264 | Aura et al. | Nov 2009 | B2 |
| 20010010720 | Kimball et al. | Aug 2001 | A1 |
| 20010035976 | Poon | Nov 2001 | A1 |
| 20010053213 | Truong et al. | Dec 2001 | A1 |
| 20020032765 | Pezzutti | Mar 2002 | A1 |
| 20020073204 | Dutta et al. | Jun 2002 | A1 |
| 20020097267 | Dinan et al. | Jul 2002 | A1 |
| 20020133607 | Nikander | Sep 2002 | A1 |
| 20020140730 | Linsey et al. | Oct 2002 | A1 |
| 20020143989 | Huitema et al. | Oct 2002 | A1 |
| 20020152380 | O'Shea et al. | Oct 2002 | A1 |
| 20020152384 | Shelest et al. | Oct 2002 | A1 |
| 20020154172 | Linsey et al. | Oct 2002 | A1 |
| 20020156875 | Pabla | Oct 2002 | A1 |
| 20020184358 | Traversat et al. | Dec 2002 | A1 |
| 20030014485 | Banatwala | Jan 2003 | A1 |
| 20030018701 | Kaestle | Jan 2003 | A1 |
| 20030018813 | Antes et al. | Jan 2003 | A1 |
| 20030028585 | Yeager et al. | Feb 2003 | A1 |
| 20030028790 | Bleumer | Feb 2003 | A1 |
| 20030036941 | Leska et al. | Feb 2003 | A1 |
| 20030055892 | Huitema et al. | Mar 2003 | A1 |
| 20030065934 | Angelo et al. | Apr 2003 | A1 |
| 20030070067 | Saito | Apr 2003 | A1 |
| 20030088544 | Kan et al. | May 2003 | A1 |
| 20030110274 | Pazi et al. | Jun 2003 | A1 |
| 20030120929 | Hoffstein et al. | Jun 2003 | A1 |
| 20030126027 | Nelson et al. | Jul 2003 | A1 |
| 20030126436 | Greenberg et al. | Jul 2003 | A1 |
| 20030135629 | Sasaki et al. | Jul 2003 | A1 |
| 20030142823 | Swander et al. | Jul 2003 | A1 |
| 20030163683 | Xu et al. | Aug 2003 | A1 |
| 20030196060 | Miller | Oct 2003 | A1 |
| 20030217073 | Walther et al. | Nov 2003 | A1 |
| 20030217106 | Adar et al. | Nov 2003 | A1 |
| 20030233568 | Maufer et al. | Dec 2003 | A1 |
| 20040008845 | Le et al. | Jan 2004 | A1 |
| 20040010683 | Huitema | Jan 2004 | A1 |
| 20040010688 | Matsuzaki et al. | Jan 2004 | A1 |
| 20040034794 | Mayer | Feb 2004 | A1 |
| 20040063401 | Meckelburg et al. | Apr 2004 | A1 |
| 20040064693 | Pabla et al. | Apr 2004 | A1 |
| 20040078436 | Demsky et al. | Apr 2004 | A1 |
| 20040082351 | Westman | Apr 2004 | A1 |
| 20040088325 | Elder et al. | May 2004 | A1 |
| 20040088537 | Swander et al. | May 2004 | A1 |
| 20040111423 | Irving et al. | Jun 2004 | A1 |
| 20040117446 | Swanson | Jun 2004 | A1 |
| 20040122898 | Srinivasa | Jun 2004 | A1 |
| 20040122901 | Sylvain | Jun 2004 | A1 |
| 20040128350 | Topfl et al. | Jul 2004 | A1 |
| 20040141005 | Banatwala et al. | Jul 2004 | A1 |
| 20040143603 | Kaufmann et al. | Jul 2004 | A1 |
| 20040151322 | Sovio et al. | Aug 2004 | A1 |
| 20040158714 | Peyravian et al. | Aug 2004 | A1 |
| 20040172455 | Green et al. | Sep 2004 | A1 |
| 20040172456 | Green et al. | Sep 2004 | A1 |
| 20040181689 | Kiyoto | Sep 2004 | A1 |
| 20040184445 | Burne | Sep 2004 | A1 |
| 20040193875 | Aura | Sep 2004 | A1 |
| 20040225881 | Walmsley | Nov 2004 | A1 |
| 20040243819 | Bourne et al. | Dec 2004 | A1 |
| 20040249757 | Walmsley | Dec 2004 | A1 |
| 20040249970 | Castro et al. | Dec 2004 | A1 |
| 20040249972 | White et al. | Dec 2004 | A1 |
| 20040260771 | Gusler et al. | Dec 2004 | A1 |
| 20050009537 | Crocker et al. | Jan 2005 | A1 |
| 20050010794 | Carpentier et al. | Jan 2005 | A1 |
| 20050027805 | Aoki | Feb 2005 | A1 |
| 20050027871 | Bradley | Feb 2005 | A1 |
| 20050038856 | Krishnasamy et al. | Feb 2005 | A1 |
| 20050055280 | Jeans | Mar 2005 | A1 |
| 20050066001 | Benco et al. | Mar 2005 | A1 |
| 20050076218 | Brown | Apr 2005 | A1 |
| 20050080859 | Lake | Apr 2005 | A1 |
| 20050102245 | Edlund et al. | May 2005 | A1 |
| 20050102356 | Manion et al. | May 2005 | A1 |
| 20050135381 | Dubnicki et al. | Jun 2005 | A1 |
| 20050138393 | Challener et al. | Jun 2005 | A1 |
| 20050160291 | Eden et al. | Jul 2005 | A1 |
| 20050160477 | Saito | Jul 2005 | A1 |
| 20050171799 | Hull et al. | Aug 2005 | A1 |
| 20050182928 | Kamalanathan et al. | Aug 2005 | A1 |
| 20050193219 | Vanstone | Sep 2005 | A1 |
| 20050198173 | Evans | Sep 2005 | A1 |
| 20050203901 | Waldvogel et al. | Sep 2005 | A1 |
| 20050220023 | Kodialam et al. | Oct 2005 | A1 |
| 20050228824 | Gattuso et al. | Oct 2005 | A1 |
| 20050235038 | Donatella et al. | Oct 2005 | A1 |
| 20060005014 | Aura et al. | Jan 2006 | A1 |
| 20060020796 | Aura et al. | Jan 2006 | A1 |
| 20060020807 | Aura et al. | Jan 2006 | A1 |
| 20060077908 | Park et al. | Apr 2006 | A1 |
| 20060173959 | McKelvie et al. | Aug 2006 | A1 |
| 20060265436 | Edmond et al. | Nov 2006 | A1 |
| 20070055877 | Persson et al. | Mar 2007 | A1 |
| 20070143619 | Goodman et al. | Jun 2007 | A1 |
| 20070192676 | Bodin et al. | Aug 2007 | A1 |
| 20070245144 | Wilson | Oct 2007 | A1 |
| 20090019141 | Bush et al. | Jan 2009 | A1 |
| Number | Date | Country |
|---|---|---|
| 1248441 | Oct 2002 | EP |
| 1333635 | Aug 2003 | EP |
| 1361728 | Nov 2003 | EP |
| 2378268 | Feb 2003 | GB |
| 2002197246 | Nov 2001 | JP |
| 0120450 | Mar 2001 | WO |
| 2004009550 | Jul 2004 | WO |
| 2005026872 | Mar 2005 | WO |
| 2005078993 | Aug 2005 | WO |
| 2006068450 | Jun 2006 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20060005013 A1 | Jan 2006 | US |
