Method, device and medium for transmission of fragmented IP addresses and data packets through a network

11665143 · 2023-05-30

Abstract

The invention is an enhanced device and method for anonymizing, with improved security properties, data exchanged bidirectionally between a client and a server in a communication network. It defines a protocol for data exchange between client and server that relies on a two-level architecture of third-party servers, together with a system for bidirectional communication between the client and the server through these two levels of third-party servers.

Claims

1. An anonymization method for communicating data in an IP communication network, from a sender to a receiver, the method comprising: setting up an anonymization connection between a sender having a plurality of network interfaces and a receiver having at least one IP address, by: selecting a plurality of first-level servers and assigning a first-level server to each network interface, wherein each assigned first-level server has a second key shared with the sender, and selecting a plurality of second-level servers and assigning a second-level server to each assigned first-level server, wherein each assigned second-level server has a first key shared with the sender; transmitting, by each of the plurality of network interfaces, fragments of the IP address of the receiver to the respectively assigned second-level server, according to the first key; transmitting, by each assigned second-level server, the received IP address fragment to a single server called master server, said master server being able to reconstruct the IP address of the receiver; transmitting, by each of the plurality of network interfaces, data fragments of a data packet to the respectively assigned first-level server, according to the second key; transmitting, by each assigned first-level server, the received data fragment to the respectively assigned second-level server, said assigned second-level server having received from the sender a fragment of the IP address of the receiver according to the first key; transmitting, by each assigned second-level server, the received data fragment to the master server, the master server being able to reconstruct the data packet from all the received data fragments; and transmitting, from the master server, the data packet to the receiver.

2. The method as claimed in claim 1, wherein transmitting, by each of the plurality of network interfaces, data fragments to the respectively assigned first-level servers comprises: transforming the data packet to be transmitted into as many data fragments as there are network interfaces, said transformation of the packet being done according to the second key; and transmitting each data fragment to a first-level server via a different network interface, each first-level server being assigned to a network interface.

3. The method as claimed in claim 2, comprising, before transforming the data packet, allowing the sender to select and authenticate as many first-level servers as there are network interfaces from among the plurality of first-level servers, and to set up a single communication circuit between each network interface and a selected first-level server.

4. The method as claimed in claim 3, further comprising allowing the sender to select at least as many second-level servers as there are selected first-level servers, and to assign a selected second-level server to each selected first-level server, and informing each first-level server of an assigned second-level server.

5. The method as claimed in claim 1, wherein transmitting, to a plurality of second-level servers, fragments of the IP address of the receiver, comprises allowing the sender to set up a communication tunnel between each network interface and a second-level server.

6. The method as claimed in claim 1, comprising allowing for a self-discovery of the second-level servers and establishing communication tunnels between the second-level servers and the master server according to the first key.

7. The method as claimed in claim 1, comprising selecting a master server from among the second-level servers.

8. The method as claimed in claim 1, wherein transmitting, by each assigned second-level server, the received IP address fragment to a single server, comprises transmitting said fragments to a single server called return server, said return server being able to reconstruct the IP address of the receiver and to synchronize the second-level servers in TCP exchanges with the receiver.

9. The method as claimed in claim 8, further comprising: anonymously sending a data packet from the receiver to the return server; transmitting, from the return server to the selected second-level servers, data fragments generated via a third key; transmitting, by each second-level server, the received data fragment to an assigned first-level server; transmitting, by each first-level server, the received data fragment to the sender; and reconstructing, by the sender, the data packet from all the received data fragments.

10. The method as claimed in claim 9, wherein the second and third keys are identical.

11. A computer program product, said computer program comprising code instructions on a non-transitory computer readable medium configured to perform the method of claim 1, when said program is run on a computer.

12. An anonymization device, for communicating data in an IP communication network, from a sender having a plurality of network interfaces to a receiver having at least one IP address, the device having non-transitory computer readable medium configured to perform the method of claim 1.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) Different aspects and advantages of the invention will emerge from the description of a preferred, but nonlimiting, implementation of the invention, with reference to the figures below:

(2) FIG. 1 illustrates, in a simplified manner, the setting up of circuits and the bidirectional routing in the Tor network;

(3) FIG. 2 illustrates a first embodiment of a server architecture allowing for the implementation of the invention;

(4) FIG. 3 is a flow diagram to illustrate the setting up of an anonymization connection according to an embodiment of the invention;

(5) FIG. 4 is a flow diagram of an embodiment of the invention to illustrate the exchanges in an uplink flow;

(6) FIG. 5 is a flow diagram of an embodiment of the invention to illustrate the exchanges in a downlink flow;

(7) FIG. 6 illustrates a server architecture allowing for the implementation of the invention in a cooperative mode;

(8) FIG. 7 is a flow diagram to illustrate the setting up of an anonymization connection according to a first variant of the cooperative mode;

(9) FIG. 8 is a flow diagram to illustrate the setting up of an anonymization connection according to another variant of the cooperative mode.

DETAILED DESCRIPTION

(10) The general principle of the invention is based on an architecture of distributed proxy type (200) illustrated in a simplified manner in FIG. 2, implementing several levels of servers placed in series, the servers of each level having complementary functions making it possible to implement an anonymized communication service. In the example illustrated, a user ‘U’ has an equipment item (202) to access a service (204) available at an address ‘S’. The equipment item (202) has at least two network interfaces (202-a, 202-b) to connect to a communication network like the Internet, via Internet access providers (IAP). Preferentially, the interfaces are connected via independent access providers. In a variant implementation, the method of the invention can be operated on a communication device provided with two or more interfaces connected via one and the same IAP, or on a communication device provided with a single interface connected via different IAPs.

(11) A first group of servers (206) called first-level servers (Pui), serves as point of entry to the anonymization service of an uplink flow from the user U to the service, and its function is to mask the IP addresses of the user from the rest of the anonymization system.

(12) A second group of servers (208), called second-level servers (Psi), serves as exit point for an uplink flow from the user to the service, and its function is to mask the address ‘S’ of the service to everything upstream of the anonymization system, in particular to the Internet access providers of the user. The second group of servers also makes it possible to direct the uplink flow to the service via a master server. Preferentially, the master server is chosen from the group of the second-level servers.

(13) An isolated server (210), called return server or downlink flow server (PR), serves as entry point for a downlink flow from the service to the user, and its function is to distribute the downlink flow from S to the second-level servers (Psi). It also has the function of synchronizing the second-level servers in their TCP exchanges with the service S.

(14) In a variant embodiment, the master server and return server functions are hosted by the same machine.

(15) The anonymization system also comprises several types of registers. A connection identifier register (212) between the sender and the receiver, R[USx], stores a temporary identifier ‘USx’ which uniquely identifies a connection between the user equipment U and the service S. In a preferential implementation, the connection identifier USx is generated by U to uniquely identify its connection with S, and the register R[USx] is maintained by the second-level servers (Psi).

(16) A register (214) dedicated to the first-level servers, R[Pui], contains a list of servers (Pui) from which the user equipment U can select first-level servers to be assigned to each of its interfaces to set up an anonymized communication. In a preferential implementation, the register R[Pui] is maintained by the first-level servers.

(17) A register (216) dedicated to the second-level servers, R[Psi], contains a list of servers (Psi) from which the user equipment U can select second-level servers to be assigned to each first-level server. In a preferential implementation, the register R[Psi] is maintained by the second-level servers.

(18) A register (218) dedicated to the return server, R[PRi], contains a list of servers (PR) from which the user equipment U can select a return server. In a preferential implementation, the register R[PRi] is maintained by the return servers. In a particular embodiment, the return server PR can be a server selected from the group of the second-level servers.

(19) In a particular embodiment, the respective assignment of the first-level servers Pui and second-level servers Psi is done dynamically in order to increase the level of trust in the system. Advantageously, since the choice of Pui and Psi is left to the user of the service, the latter is able to change the Pui and Psi even in the course of a TCP exchange.

(20) In order also to increase the separation of the elements of the triplet (U, S, content), the assignment of the master server which is responsible for reconstructing the fragments received by the second-level servers and transferring them to S, can be done dynamically.

(21) According to variant embodiments, the groups of servers (Pui), (Psi) and (PR) can each be segmented into several subgroups, making it possible to reduce the probability of information crossover via the monitoring of key elements of the Internet network (such as the operator “backbone”, the underwater cables, etc.).

(22) For the uplink flows from U to S, the implementation of the method of the invention in the distributed proxy architecture is based on steps of:

(23) transfer, by the multiple interfaces of the user to the assigned second-level servers, of the IP address of the service S through a shared secret mechanism, said second-level servers informing the return server which reconstructs the complete address of S and communicates it to the assigned second-level servers;

(24) transfer, by the multiple interfaces of the user to the first-level servers Pui, then to the second-level servers Psi, of the different data fragments of an original packet;

(25) reassembly by the second-level master server, of the packets containing the different fragments of an original packet in the form of a single packet; and

(26) transfer of the reconstructed packet to S.

(27) In the main variant, the original packet to be transmitted by U is firstly transformed via a shared secret mechanism into different fragments. Packets containing these different fragments are transmitted from U to the selected Psi via the Pui, and a master Psi reconstructs the original packet from these different fragments and sends it to S by representing itself as PR. Thus, for the recipient equipment S, everything takes place as if it received the original packet from PR.

(28) In a variant, so-called collaborative embodiment, the fragments are sent directly by the Psi without prior reconstruction by the master Psi. The recipient S is configured to receive the fragments and to reassemble them in order to reconstruct the original packet sent by the user U which is intended for it.

(29) For the downlink flows from S to U, the implementation of the method of the invention in the distributed proxy architecture is based on steps of:

(30) sending of an original packet sent by S to the return server PR;

(31) transfer of fragments of the original packet, obtained via the shared secret mechanism, from PR to the second-level servers Psi, then to the first-level servers Pui, then to U;

(32) reassembly by U of the original packet.

(33) Several implementations can be envisaged:

(34) a management of the ICMP/TCP messages (reception acknowledgements, window control, etc.) directly by PR and therefore by the anonymization service, then necessitating recourse to a buffer at the (Psi) and PR levels. By its nature, this buffer increases the impact of a potential failure of the node concerned; or

(35) a non-management of the ICMP/TCP messages which risks culminating in a lowering of the quality of service of the anonymization service.

(36) FIG. 3 illustrates the flows between the different entities (U, Pui, Psi, PR, S) of FIG. 2 that make it possible to set up an anonymization connection (300) according to an embodiment of the invention. In a first step (302), the sender U selects servers Pui, Psi and a return server PR by looking up the available servers in the corresponding registers R[Pui], R[Psi] and R[PR]. According to variant embodiments, the same number or a different number of servers Pui and Psi can be chosen. However, to avoid excessively easy information crossovers, the number of servers Psi is preferentially greater than the number of servers Pui.

(37) The sender U has, via the registers, a list of proxies for the first-level servers Pui that it is capable of authenticating and a list of proxies for the second-level servers Psi that it is capable of authenticating and with which it has a shared secret (or another cryptographic means of exchanging data confidentially).

(38) The next step (304) consists in setting up circuits U-Pui between U and the first-level servers Pui. The sender U sends, through each of its interfaces, a circuit setup request to the Pui(s) chosen to be contacted through this interface. This circuit U-Pui is identified by a unique identifier, chosen randomly or not, by U. For each circuit U-Pui set up, the sender U informs the corresponding Pui of the second-level server Psi which is assigned to it. Each Pui is then able to forward the traffic incoming from U to the Psi which is assigned to it. Reciprocally, the downlink traffic is retransmitted from the recipient S to the Psis, then to the Puis and to U.

(39) The next step (306) consists in setting up a shared secret with the second-level servers. The sender U generates a random number USx, preferentially of standardized size, which will uniquely and temporarily identify the connection. The method makes it possible to check whether this number is already present in the connection identifier register between the sender and the receiver, R[USx]. If this number is not in the register R[USx], it reserves this number; otherwise it repeats the procedure. Then, the method makes it possible to transfer this identifier via a shared secret mechanism in order to mask it from the servers Pui. For that, the method makes it possible to generate a hash of the sequence {USx-(Psi)}, which will allow each Psi to confirm by itself its membership of the group of assigned second-level servers: knowing its sender and its own address, and performing the hash function, it checks whether it obtains the same random number USx as that communicated by the sender U via the Puis.

(40) Then, the sender U communicates to the Psis as shared secret, a packet of fixed size {USx-hash(USx-{Psi})} containing the hash sequence placed variably in the packet. The packet contains, in the header, an indicator of the position of the hash sequence and the number ‘N’ of Psis selected. This number N is necessary for each Psi to know the number of Psis with which it must collaborate in the context of the connection USx.

(41) The next step (308) consists in setting up, for the connection USx, tunnels U-Psi between the sender U and the second-level servers Psi. On receipt of a packet sent by U, each Psi triggers the following self-discovery mechanism by sending the hash sequence {USx-hash(USx-(Psi))} contained in the packet to the group of the selected Psis. When two Psis are used, for example Ps1 and Ps2, U sends the sequence {USx-hash(USx-IP_Ps1-IP_Ps2)}. For each hash sequence {USx-hash(USx-(Psi))} received by a Psj, the Psj calculates hash(USx-Psi-Psj) and checks that it does indeed correspond to the hash transmitted in the hash sequence. If the two hashes correspond, Psj has a guarantee that the Psi is indeed that with which it will have to cooperate for the USx concerned. When more than two Psis are used, this mechanism is put in place iteratively on all the Psis with an order of priority allocated to the (Psi) and the indication of the number ‘N’ of (Psi) to be considered in the self-discovery mechanism.
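The following Python is an added illustration of steps 306 and 308 (the reservation of USx in R[USx], the fixed-size shared-secret packet with the hash placed at a variable offset, and the membership check each Psi performs); it is not code from the patent. The patent fixes neither the hash function nor any sizes, so SHA-256, a 16-byte USx, a 128-byte packet, the two-byte header layout and all function names are assumptions of this example, as is the way each Psi learns the priority-ordered addresses of the group from its peers.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Tuple

# Assumed parameters (the patent fixes none of them): SHA-256 as the hash,
# a 16-byte USx, and a 128-byte fixed-size packet whose two-byte header
# carries the offset of the hash and the number N of selected Psi.
HASH_LEN = 32
USX_LEN = 16
PACKET_LEN = 128
BODY_LEN = PACKET_LEN - 2 - USX_LEN


def new_connection_id(register: set) -> bytes:
    """Step 306: draw a random USx and reserve it in R[USx], retrying on collision."""
    while True:
        usx = os.urandom(USX_LEN)
        if usx not in register:
            register.add(usx)
            return usx


def group_hash(usx: bytes, psi_addrs: List[str]) -> bytes:
    """hash(USx-Ps1-Ps2-...) over the Psi addresses in their priority order."""
    h = hashlib.sha256(usx)
    for addr in psi_addrs:
        h.update(addr.encode() + b"\x00")  # delimiter so addresses cannot run together
    return h.digest()


def build_announcement(usx: bytes, psi_addrs: List[str]) -> bytes:
    """The fixed-size packet U sends to each Psi via the Pui (paragraph 40)."""
    digest = group_hash(usx, psi_addrs)
    pos = secrets.randbelow(BODY_LEN - HASH_LEN + 1)  # hash sits at a variable offset
    body = bytearray(os.urandom(BODY_LEN))            # random filler around the hash
    body[pos:pos + HASH_LEN] = digest
    return bytes([pos, len(psi_addrs)]) + usx + bytes(body)


def parse_announcement(pkt: bytes) -> Tuple[bytes, int, bytes]:
    """Return (USx, N, transmitted hash) from a received announcement packet."""
    if len(pkt) != PACKET_LEN:
        raise ValueError("announcement has the wrong size")
    pos, n = pkt[0], pkt[1]
    usx = pkt[2:2 + USX_LEN]
    body = pkt[2 + USX_LEN:]
    return usx, n, body[pos:pos + HASH_LEN]


def psi_accepts(pkt: bytes, my_addr: str, group: List[str]) -> bool:
    """Check run by one Psj: with the ordered group it has learned from its
    peers, recompute the hash and compare it to the transmitted one."""
    usx, n, digest = parse_announcement(pkt)
    if my_addr not in group or len(group) != n:
        return False
    return hmac.compare_digest(group_hash(usx, group), digest)


def run_self_discovery(pkt: bytes, claimed_group: List[str]) -> Dict[str, bool]:
    """Step 308: every Psi in the claimed group checks the announcement; the
    group is usable for USx only if every member accepts it."""
    return {addr: psi_accepts(pkt, addr, claimed_group) for addr in claimed_group}


if __name__ == "__main__":
    register = set()                     # constructed stand-in for R[USx]
    usx = new_connection_id(register)
    group = ["198.51.100.10", "198.51.100.20"]   # constructed Psi addresses
    pkt = build_announcement(usx, group)
    print(run_self_discovery(pkt, group))
    print(run_self_discovery(pkt, ["198.51.100.10", "198.51.100.30"]))
```

The order of the addresses is part of the hashed input, which is why the patent allocates a priority order to the Psi when N is greater than two; a peer that reconstructs the group in a different order, or with a substituted member, computes a different digest and refuses the connection. The digest only binds the group to USx, so its value as an authenticator rests on USx reaching the Psi through the shared secret with U and not through the Pui.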

(42) The next step (310) consists in setting up tunnels Psi-PR between the second-level servers Psi and the return server PR. This is done by communicating the PR address to the Psis by shared secret. For maximum confidentiality, this can be done immediately after the step of discovery of the Psis by incorporating, after the hash {USx-hash(USx-(Psi))}, the IP address of PR as shared secret. The validation by PR of the different Psis assigned to the given USx can be done according to a validation mechanism similar to that used in the step of discovery of the Psis. Once the tunnels are set up, PR waits for the alerts from the Psis concerning the sending of data.

(43) The next step (312) consists in communicating the address of S to the second-level servers Psi and to the return server PR. U transfers to the Psis via the shared secret the address of S which inform PR thereof. The return server reconstructs the complete IP address of S, then communicates it in return to the Psis. The Psis inform U that they are ready.

(44) In the next step (314), U can communicate data to S by using the anonymization service. At the end of the exchanges, U disconnects sequentially from PR, from the Psis, releases the temporary random number USx of the register R[PR], and disconnects from the Puis.

(45) The person skilled in the art can implement variants of the method (300) for setting up the anonymization service. Thus, the circuits U-Psi can be encrypted and therefore be tunnels by having Pui as bridge.

(46) In other implementations: the (Pui), (Psi) and PR can be chosen dynamically: since the sender U controls the choice of these servers, it can choose to reinitialize the different (Pui), (Psi) and PR on demand. A high frequency of reinitialization makes it possible to increase the degree of anonymization, but to the detriment of performance (increase in latency); the number of connections supported between U and PR or the modes of transmission of the data packets between U and PR can be adjusted in order to obtain the best desired trade-off between privacy, general “overhead” and response time; the (Pui), (Psi) and (PR) selected for an anonymization service can be conserved for connections with other services to S in order to gain in performance; modifications of certain elements can be applied in order to increase the security while conserving a higher level of performance, such as additional encryption, mechanisms for validating Psi connections by PR for example.

(47) FIG. 4 is a flow diagram of an embodiment of the invention to illustrate the exchanges (400) upon the transmission of a data packet P in uplink flow from U to S. The method (400) which reinforces the confidentiality of the data in uplink flow is based on setting up the anonymization context according to the method described with reference to FIG. 3.

(48) A first step (402) consists in segmenting the packet P to be sent to S into a plurality of fragments Fi corresponding to the number of Puis. U applies a shared secret mechanism to the packet P to be sent and transmits, in the circuits U-Pui, a fragment Fi to the corresponding first-level server Pui via the interface chosen for this Pui. On receipt of the fragment Fi, the Pui transmits this fragment Fi to the Psi assigned in the negotiation (step 304) by following the circuit U-Pui-Psi which has been set up.

(49) In a next step (404), a master server Psi_master is selected. For a greater confidentiality of the exchanges, the elected Psi remains master for a time predefined either by U, or randomly. The Psi_master is responsible for coordinating the Psis with PR and it informs the latter accordingly.

(50) In a next step (406), all the Psis transmit their fragment Fi to the Psi_master.

(51) In a next step (408), the Psi_master reconstructs the packet P, and transfers it to S. The server Psi_master can represent itself as the return server PR, by entering the PR address as sending address in the header of the packet P.

(52) In the case of a TCP transmission, in the step (404), the Psi_master informs (405) the return server PR of its role as master. Then, after the step 408, S can then send (410) ICMP messages (window management and reception acknowledgements) to PR which will have to forward them to the Psi_master.

(53) FIG. 5 is a flow diagram of an embodiment of the invention to illustrate the exchanges (500) upon the transmission of a packet P in downlink flow from S to U. The method (500) which reinforces the confidentiality of the data in downlink flow is based on setting up the anonymization context described with reference to FIG. 3.

(54) In a first step (502), the packet P is sent from S to PR, since PR appears to S as being the server communicating with it, the address of PR being entered in the “sender address” field of the packet P received by S.

(55) On receipt of the packet, the server PR applies to it a shared secret mechanism which may or may not be the same as for the uplink flow, and transmits (504) the fragments F′i generated to the Psis which are concerned with the current communication and defined in the setting up of the anonymization service (method 300).

(56) On receipt of a fragment, each Psi transmits (506) the fragment F′i received to U via the circuit U-Pui-Psi set up in the setting up of the anonymization service (300).

(57) On receipt of all of the fragments, U reconstructs (508) the packet P sent by PR.
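As an added example, not the patent's own code, the following Python models the uplink flow of FIG. 4 and the downlink flow of FIG. 5, together with the transfer of the address of S by fragments (step 312), for a sender with n interfaces. The patent names no concrete "shared secret mechanism", so n-of-n XOR secret sharing is assumed here; the function names, the fixed-length fragments and the simulated per-server views are likewise assumptions of this example.

```python
import ipaddress
import os
from functools import reduce
from typing import Dict, List

# Assumption: n-of-n XOR secret sharing stands in for the patent's "shared
# secret mechanism". Every fragment but the last is uniformly random and the
# last is chosen so that the XOR of all n equals the secret, so any n-1
# fragments are independent of the original bytes: a single Pui, or a single
# access provider, sees only random data.


def split_secret(data: bytes, n: int) -> List[bytes]:
    """Transform `data` into n fragments F1..Fn, one per network interface."""
    if n < 2:
        raise ValueError("at least two fragments are needed")
    shares = [os.urandom(len(data)) for _ in range(n - 1)]
    last = bytes(reduce(lambda a, b: a ^ b, col) for col in zip(data, *shares))
    return shares + [last]


def reconstruct(fragments: List[bytes]) -> bytes:
    """Rebuild the original bytes; a missing fragment yields garbage, a damaged length fails."""
    if len({len(f) for f in fragments}) != 1:
        raise ValueError("fragments must all have the same length")
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*fragments))


def split_ip(addr: str, n: int) -> List[bytes]:
    """Fragment an IPv4 or IPv6 address of S (step 312, 'first key' of claim 1)."""
    return split_secret(ipaddress.ip_address(addr).packed, n)


def reconstruct_ip(fragments: List[bytes]) -> str:
    return str(ipaddress.ip_address(reconstruct(fragments)))


def uplink(packet: bytes, service_ip: str, n: int) -> Dict[str, object]:
    """FIG. 4: U -> Pui -> Psi -> Psi_master -> S, with n interfaces."""
    # step 312: address fragments travel in the U-Psi tunnels, bypassing the
    # Pui; the return server PR rebuilds S's address from what the Psi forward.
    destination = reconstruct_ip(split_ip(service_ip, n))
    # step 402: U fragments P and sends Fi to Pui over interface i. The Pui
    # never holds more than its own fragment.
    seen_by_pui = split_secret(packet, n)
    # Each Pui forwards its fragment unchanged to its assigned Psi, and the Psi
    # forward theirs to Psi_master (steps 404-406).
    seen_by_psi_master = list(seen_by_pui)
    # step 408: Psi_master rebuilds P and sends it to S with PR as source address.
    delivered = reconstruct(seen_by_psi_master)
    return {"destination": destination, "delivered": delivered,
            "seen_by_pui": seen_by_pui}


def downlink(packet: bytes, n: int) -> Dict[str, object]:
    """FIG. 5: S -> PR -> Psi -> Pui -> U. PR may fragment under a different key."""
    fragments = split_secret(packet, n)            # step 504, at PR
    return {"received_by_u": reconstruct(fragments),  # step 508, at U
            "seen_by_pui": fragments}


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed packet P
    up = uplink(request, "203.0.113.7", 3)                          # constructed address of S
    print(up["destination"], up["delivered"] == request)
    down = downlink(b"HTTP/1.1 200 OK\r\n", 3)
    print(down["received_by_u"])
```

Two properties of this scheme matter for the trade-offs the description discusses. First, every fragment has the length of P, so a Pui still learns packet sizes and timing even though it learns no content; the confidentiality gain depends on the fragments crossing paths that no single observer sees, which is why independent access providers are preferred. Second, n-of-n sharing means that a single lost fragment loses the whole packet, the availability cost that paragraph (34) attaches to a buffer at the Psi and PR levels.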

(58) FIG. 6 illustrates a variant of the distributed proxy architecture of the servers of FIG. 2, allowing for the implementation of the invention in a collaborative or cooperative mode in which the protocol is implemented on both a client and a server. In the collaborative mode, the return server PR becomes pointless, and there is no register R[PRi]. The collaborative mode allows two embodiments depending on whether S has made public the IP address of only one of its interfaces, or whether S has made public the IP addresses of all its different interfaces (Si). The uplink and downlink flows for these two collaborative variants are relatively simple since they do not require a PR: U transfers its fragments to S by shared secret via its different interfaces (Ui), the fragments are received respectively by the interfaces (Si) of S, and S reconstructs the packets.

(59) FIG. 7 is a flow diagram to illustrate the setting up of an anonymization connection in collaborative mode in the case where S has made public, for example through the DNS service, the IP address of only one of its interfaces (S1 for example out of two interfaces S1 and S2). Generally, once the address of S1 has been communicated to the (Psi), a collaborative connection request is sent. In order for S to be able to communicate the address of its other interface S2 non-publicly, the collaborative connection request is initiated by the selected second-level servers (for example PS1 and PS2), which receive, in return, a reception acknowledgement from S confirming the collaborative mode connection agreement, and the IP address of the interface S2.

(60) Compared to the non-collaborative mode variant illustrated by FIG. 3, the steps 702 to 708 are identical to the steps 302 to 308 and are not described again. It should be noted that, in the step 302 of selection of the first- and second-level servers, there is no selection of a return server PR in the embodiment of FIG. 7. Moreover, since the return server PR is pointless for this variant, the step 310 of setting up of the tunnels Psi-PR does not exist.

(61) The method of FIG. 7 continues after the step 708 with a step (710) in which U transfers to the selected second-level servers the public address S1 via a shared secret. In the next step (712), the Psis send to S a request for connection to the public interface S1.

(62) In a next step (714), S generates two random numbers ‘S2sharedsecret1’ and ‘S2sharedsecret2’, such that, once recombined, they constitute the address of the non-public interface S2. S transfers one number respectively to each second-level server Ps1 and Ps2. Then (step 716) S sends, via the public interface S1, a reception acknowledgement comprising the connection agreement to Ps1 with the shared secret ‘S2sharedsecret1’, and sends, via the non-public interface S2, a reception acknowledgement to Ps2 comprising the connection agreement to Ps2 with the shared secret ‘S2sharedsecret2’.

(63) In a next step (716), Ps1 sends its number ‘S2sharedsecret1’ to Ps2 which is then able, with its number ‘S2sharedsecret2’, to recalculate the non-public address S2, and can thus send to it a connection request.

(64) In the next step (718), the second-level servers Psi inform U that they are ready for an anonymized communication. U can then communicate to S by using the anonymization service.

(65) It should be noted that, at the end of the exchanges, U disconnects sequentially from the Psis, releases the temporary random number USx from the register R[PR], and disconnects from Pui.

(66) The method of FIG. 7, which should not be considered to be limiting, has been described for a service S comprising two interfaces. If S has more than two interfaces, the steps 714 and 716 are performed to generate as many numbers of shared secrets as there are interfaces and transfer the addresses of the additional interfaces to the Psis.

(67) FIG. 8 is a flow diagram to illustrate the setting up of an anonymization connection in cooperative mode in the case where S has made public the IP addresses of all its different interfaces (for example S1 and S2 for the case illustrated), for example through an advanced service of DNS type taking account of the capacity of the services to have several interfaces.

(68) Compared to the variant in non-collaborative mode illustrated by FIG. 3, the steps 802 to 808 are identical to the steps 302 to 308 and are not described again. It should be noted that, in the step 302 of selection of the first- and second-level servers (Pui, Psi), there is no selection of return server PR in the embodiment of FIG. 8. Moreover, since the return server PR is pointless for this variant, the step 310 of setting up of the tunnels Psi-PR does not exist.

(69) The method of FIG. 8 continues after the step 708, with a step (810) in which U transfers to the selected second-level servers (Psi) the public addresses S1 and S2 via a shared secret. In a next step (812), each Psi respectively sends a connection request to the interfaces S1 and S2 of S, which in return sends a reception acknowledgement to the Psis.

(70) In the next step (814), the Psis inform U that they are ready. U can then communicate to S by using the anonymization service.

(71) It should be noted that, at the end of the exchanges, U disconnects sequentially from the Psis, releases the temporary random number USx from the register R[PR], and disconnects from Pui.

(72) The method of FIG. 8, which should not be considered to be limiting, has been described for a service S comprising two interfaces. If S has more than two interfaces, the steps 810 and 812 are carried out for as many IP addresses as there are interfaces of the service S.

(73) The present description which illustrates preferential and alternative implementations of the invention is not limiting. The examples have been chosen to allow a good understanding of the principles of the invention, and a concrete application, but are not exhaustive and should allow the person skilled in the art to add modifications and variant implementations while conserving the same principles. The invention can be implemented from hardware and/or software elements. It can be available as a computer program product on a computer-readable medium. The medium can be electronic, magnetic, optical, electromagnetic or be of infrared type. Such media are, for example, semiconductor memories (Random Access Memory RAM, Read-Only Memory ROM), tapes, diskettes or magnetic or optical disks (Compact Disk—Read Only Memory (CD-ROM), Compact Disk—Read/Write (CD-R/W) and DVD).