This invention relates to the field of communications security, and in particular, to a system and method that verifies the proximity of a node on a network.
Network security can often be enhanced by distinguishing between ‘local’ nodes and ‘remote’ nodes on the network. In like manner, different rights or restrictions may be imposed on the distribution of material to nodes, based on whether the node is local or remote. Local nodes, for example, are typically located within a particular physical environment, and it can be assumed that users within this physical environment are authorized to access the network and/or authorized to receive files from other local nodes. Remote nodes, on the other hand, are susceptible to unauthorized physical access. Additionally, unauthorized intruders on a network typically access the network remotely, via telephone or other communication channels. Because of the susceptibility of the network to unauthorized access via remote nodes, network security and/or copy protection can be enhanced by imposing stringent security measures and/or access restrictions on remote nodes, while not encumbering local nodes with these same restrictions.
It is an object of this invention to provide a system and method that facilitates a determination of whether a node on a network is local or remote. It is a further object of this invention to integrate this determination with a system or method that enforces security measures and access restrictions based on whether the node is local or remote.
These objects and others are achieved by a system and method that facilitates a determination of communication time between a source node and a target node. The proximity of the target node to the source node is determined from the communication time. The source node communicates a query, or “ping”, to the target node. The target node is configured to automatically send a response to the sender of such a query. The communication time is determined based on the time duration between the transmission of the query and receipt of the response at the source node. The communication time is compared to a threshold value to determine whether the target node is local or remote relative to the source node.
Throughout the drawings, the same reference numeral refers to the same element, or an element that performs substantially the same function.
In a preferred embodiment, the query includes an identification of the source node in a form that facilitates a rapid response. For example, the query preferably includes the address of the target node and the address of the source node arranged in such a manner that the target node need only strip its address from the query to form the response. Generally, the response is generated at the processor 240 of the target node 110T, although in a preferred embodiment, the response to the query is generated automatically at the communications device 230 of the target node, to minimize the time required to process the query and generate the response, illustrated in
The source node 110S is configured to measure the time consumed by the query-response process, and from this measure, to determine the proximity of the target node 110T. The query-response time includes the time to communicate the query and response, as well as the aforementioned processing time at the target node 110T. The processing time will vary based on the speed and configuration of the target node 110T. Within a local network, the processing time may exceed the actual communication time, Tcommunicate 260, and thus the measure of the communication time is unreliable. However, if the target node 110T is remote from the source node 110S, the communication time will generally be substantially longer than the expected processing time, and thus the total time, Tquery-response 280, can be expected to substantially correspond to the communication time. By comparing the query-response time to a nominal threshold value, typically not more than a few milliseconds, the proximity of the target node 110T to the source node 110S can be determined. If the communication time is below the threshold, the target 110T is determined to be local; otherwise, it is determined to be remote. Optionally, multiple threshold levels may be defined to distinguish different ranges of distances, such as whether a remote target node is located within the same country as the source node, and so on.
In a typical embodiment, the source 110S uses the remote/local proximity determination to control subsequent communications with the target 110T. For example, some files may be permitted to be transferred only to local nodes, all communications with a remote node may be required to be encrypted, and so on.
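The query-response measurement and threshold comparison described above, written as an added Python example (not code from the patent). The query layout (target address followed by source address, so the target only strips its own address to form the reply), the use of the minimum over several probes to dampen the target's variable processing time, and the threshold values are assumptions chosen for illustration.

```python
import time
from typing import Callable, Sequence, Tuple

def build_query(target_addr: bytes, source_addr: bytes) -> bytes:
    """Query = target address followed by source address (assumed layout)."""
    return target_addr + source_addr

def build_response(query: bytes, own_addr: bytes) -> bytes:
    """The target strips its own address off the front; the remainder (the
    source address) is the response, so no parsing is needed."""
    if not query.startswith(own_addr):
        raise ValueError("query is not addressed to this node")
    return query[len(own_addr):]

def measure_query_response(send: Callable[[bytes], bytes],
                           target_addr: bytes, source_addr: bytes,
                           probes: int = 5) -> float:
    """Return the smallest query-response time in milliseconds over several
    probes. Taking the minimum (an assumption, not from the text) limits the
    influence of the target's processing time, which on a local network can
    exceed the actual communication time."""
    query = build_query(target_addr, source_addr)
    best = float("inf")
    for _ in range(probes):
        start = time.perf_counter()
        response = send(query)
        elapsed_ms = (time.perf_counter() - start) * 1000.0
        if response != source_addr:
            raise ValueError("unexpected response; ignoring timing")
        best = min(best, elapsed_ms)
    return best

# Ascending (limit_ms, label) pairs: the multiple-threshold variant the text
# mentions. Values are constructed for illustration, not taken from the text.
THRESHOLDS: Sequence[Tuple[float, str]] = ((2.0, "local"), (50.0, "same-country"))

def classify(rtt_ms: float, thresholds: Sequence[Tuple[float, str]] = THRESHOLDS) -> str:
    """Below the first threshold: local; otherwise the first matching range,
    and 'remote' if no range matches."""
    for limit_ms, label in thresholds:
        if rtt_ms < limit_ms:
            return label
    return "remote"

def simulated_target(own_addr: bytes, delay_s: float = 0.0) -> Callable[[bytes], bytes]:
    """Constructed stand-in for a target node: answers after an artificial delay."""
    def send(query: bytes) -> bytes:
        time.sleep(delay_s)
        return build_response(query, own_addr)
    return send
```

With a real network the `send` callable would transmit the query and return the reply; the classification step is unchanged.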
The foregoing merely illustrates the principles of the invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the invention and are thus within the spirit and scope of the following claims.
Filing Document | Filing Date | Country | Kind
---|---|---|---
PCT/US03/07178 | 3/11/2003 | WO |

Number | Date | Country
---|---|---
60363589 | Mar 2002 | US
60445264 | Feb 2003 | US