Patent 2353623 Summary

(12) Patent Application: (11) CA 2353623
(54) English Title: A SYSTEM AND METHOD FOR SELECTIVE ANONYMOUS ACCESS TO A NETWORK
(54) French Title: SYSTEME ET METHODE D'ACCES SELECTIF ANONYME A UN RESEAU
Status: Deemed Abandoned and Beyond the Period of Reinstatement - Pending Response to Notice of Disregarded Communication
Bibliographic Data
(51) International Patent Classification (IPC):
  • H04L 12/12 (2006.01)
  • H04L 12/46 (2006.01)
  • H04L 51/00 (2022.01)
(72) Inventors :
  • HILL, HAMNETT (Canada)
  • VENNE, JEAN-SIMON (Canada)
  • BOULIANNE, LUC (Canada)
  • FOSTER, FRANK (Canada)
(73) Owners :
  • ZERO-KNOWLEDGE SYSTEMS INC.
(71) Applicants :
  • ZERO-KNOWLEDGE SYSTEMS INC. (Canada)
(74) Agent: FASKEN MARTINEAU DUMOULIN LLP
(74) Associate agent:
(45) Issued:
(22) Filed Date: 2001-07-23
(41) Open to Public Inspection: 2003-01-23
Availability of licence: N/A
Dedicated to the Public: N/A
(25) Language of filing: English

Patent Cooperation Treaty (PCT): No

(30) Application Priority Data: None

Abstracts

Sorry, the abstracts for patent document number 2353623 were not found.

Claims

Note: Claims are shown in the official language in which they were submitted.

Sorry, the claims for patent document number 2353623 were not found.
Text is not available for all patent documents. The current dates of coverage are on the Currency of Information  page

Description

Note: Descriptions are shown in the official language in which they were submitted.


CA 02353623 2001-07-23
A System and Method for Selective Anonymous Access to a Network
The present invention provides a system and method for computer network users to access a privacy enhanced network, in a transparent fashion.
Background
Current methods for accessing a privacy-enhanced network are either by using a web proxy or by installing software on the user's workstation. Both of these approaches have significant drawbacks.
In the first case, the user is required to make configuration changes to his or her workstation.
In the second, the user is required to download and install software and then configure it. In a network environment, with a potentially large number of workstations, administrators may be required to invest a substantial amount of work and time to install, manage and maintain this system.
In both cases the user must understand considerably complex notions about how the system works. In addition, both cases have the drawback that administrators are unable to manage its use by users. Finally, both cases are tied to a single privacy network.
There exist a number of similar services which profess to ensure a user's privacy. Safeweb and Anonymizer are two such services. Both have four significant disadvantages:
1. They are bound to a specific network of servers.
2. All existing services do not operate transparently. Users must make changes to their browser settings to take advantage.
3. All existing services do not operate at the LAN level. They exist as a service that operates on the Internet. Users must first locate the servers before they can be used.
4. All existing services do not assure privacy. The existing services are able to establish and log the source and destination of each connection.
There is thus a need for a system that addresses all of these issues. Users are not expected to install any software nor reconfigure their workstations. The system should provide a centralized privacy service. At the option of the administrators, the system is either always on or users are provided with a mechanism to activate or de-activate the service at their discretion. Administrators can centrally manage the server, easing the time and work invested to maintain the system. If required, administrators can audit its use. Finally, the system should not be tied to a particular privacy network: it can provide service for a number of these.
Accordingly, there is a need for a system that enables network users to easily enroll in these services: the users are not required to make any local workstation changes or to download any software components to enable the service, but are provided with a mechanism to activate or de-activate the privacy service for their workstation.
Summary of the Invention
In accordance with this invention there is provided a Gateway for allowing selective anonymous access to a privacy enhanced network, such as the Zero-Knowledge Network. Typically, the Gateway will be installed at the exit point of the network, where it will be able to examine all traffic leaving this network. For the purposes of this discussion, a network may be as large as a major ISP network. Furthermore, the gateway is capable of being configured as a public gateway, wherein any user on the Internet could use the service. Also, the Gateway may be installed on either side of a firewall.
Detailed Description of the Preferred Embodiments
[Figure 1: Zero-Knowledge Privacy Gateway Environment. Labels: Client Computers, Local Area Network, Firewall, ZK Privacy Gateway, Internet, Privacy enhanced network A, Privacy enhanced network B.]
The Gateway according to an embodiment of the invention is comprised of the following components:
[Figure 2: Zero-Knowledge Privacy Gateway Components. Labels: Management, User Control, Monitoring, Protocol Proxy Group (Proxy 1, Proxy 2, Proxy 3), Gateway Group (Gateway A, Gateway B), LAN Network Traffic, Routing.]
Routing Component
Packets entering the Gateway are first supplied to the routing component. Each packet is examined by the routing component to determine if this packet is to be redirected to a Privacy network. The Gateway can serve a number of different Privacy networks. Packet selection criteria are set by the management and user control components below.
Redirection takes place in two stages.
First, each packet's protocol is extracted. If a protocol proxy has been registered for this protocol, the packets are handed off in a transparent fashion to the protocol proxy component (see below). Once the proxy has completed its processing, the packet is returned to the routing component, which passes it on to the appropriate Gateway component.
Packets that do not have a corresponding protocol proxy registered are passed on directly to the Gateway component.
Returning packets from the Privacy network are passed first to the Gateway component and then to any registered proxy component.
Packets that do not match the selection criteria are forwarded as a regular router would do. Optionally, packets may be masqueraded (or de-masqueraded in the case of returning packets). This allows administrators flexibility with regard to the installation of the machine.
Protocol Proxy Group
The protocol proxy component group represents the collection of protocol proxies that are registered at any given time. Proxies are supplied for any protocol that requires sanitization of the data stream, that is, removal or replacement of identifying information.
As an example, an HTTP proxy would handle the removal of embedded IP addresses and the replacement of cookies. In addition, this proxy would add a marker to returning HTML pages, indicating that the Gateway has processed this page.
Gateway Component Group
The Gateway component group handles all packets to and from the privacy network. The appropriate protocol proxy has rendered the payload of the packets anonymous. The Gateway component then removes (or replaces, in the case of a returning packet) any TCP/IP or UDP/IP specific information. In addition, the packets are encrypted, or decrypted in the case of returning packets.
Each Gateway component within this group is designed and implemented to interface with a specific Privacy network.
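The outbound path described in the Routing Component, Protocol Proxy Group and Gateway Component Group sections, modelled as an added Python example (not code from the patent). The class names, the `zkgw` surrogate cookie, the `0.0.0.0` placeholder and the reading of "replacement of cookies" as a gateway-held surrogate mapping are assumptions; encryption and the return path are left out.

```python
import re
import secrets
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str       # client IP on the LAN
    dst: str
    protocol: str  # e.g. "http", "dns"
    payload: str

class HttpProxy:
    """Protocol proxy: removes the client's IP and swaps cookies for surrogates."""
    def __init__(self):
        self.cookie_map = {}  # surrogate token -> original cookie, held on the gateway
    def sanitize(self, pkt):
        # Remove the client's own address wherever it is embedded in the stream.
        ip = r"(?<!\d)" + re.escape(pkt.src) + r"(?!\d)"
        body = re.sub(ip, "0.0.0.0", pkt.payload)
        def swap(match):
            token = secrets.token_hex(8)
            self.cookie_map[token] = match.group(1)
            return "Cookie: zkgw=" + token
        body = re.sub(r"(?im)^Cookie:[ \t]*([^\r\n]*)", swap, body)
        return replace(pkt, payload=body)

class Router:
    def __init__(self, enrolled, proxies):
        self.enrolled = enrolled  # selection criteria: client IP -> privacy network
        self.proxies = proxies    # protocol -> registered protocol proxy

    def route(self, pkt):
        """Return (next_hop, packet) for an outbound packet."""
        network = self.enrolled.get(pkt.src)
        if network is None:            # no match: forward as a regular router would
            return "forward", pkt
        proxy = self.proxies.get(pkt.protocol)
        if proxy is not None:          # stage 1: protocol proxy sanitises the payload
            pkt = proxy.sanitize(pkt)
        # Stage 2: the gateway component strips IP-level source information.
        return "gateway:" + network, replace(pkt, src="")

# Constructed sample: addresses, cookie and network name are made up.
SAMPLE = Packet("10.0.0.5", "203.0.113.9", "http",
                "GET / HTTP/1.1\r\nX-Forwarded-For: 10.0.0.5\r\nCookie: sid=abc123\r\n\r\n")

if __name__ == "__main__":
    router = Router({"10.0.0.5": "network-A"}, {"http": HttpProxy()})
    print(router.route(SAMPLE))
```

A packet whose protocol has no registered proxy still reaches the gateway stage with its payload untouched, which is why the description supplies a proxy for every protocol that carries identifying data.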
Management Component
The management component handles all configuration and management of the Gateway. This component is used to select, among other things, which protocols will be handled by the gateway, which Privacy network will be serviced, which users use which Privacy network and which IP addresses are authorised to use the network. It interfaces with site user authentication mechanisms to establish which IP addresses are used by a user.
User Control Component
The User Control Component allows authorized users to activate or de-activate the service for themselves. This can either be through a web interface on the gateway or a Java application running in a browser window.
Monitoring Component
The Monitoring Component interfaces with the various components on the Gateway to report their state.
As may be evident, the gateway has many applications. In some markets or industries, corporations are required to eliminate the potential correlation of an account to the location of the account owner. With the advent of the Internet and the increased usage of web browsers to access online information about specific accounts, this location can be compromised by linking the Internet Protocol address assigned to the user's workstation and the account number. With the Gateway, users can access the corporation web site anonymously without any installation required on their workstation, thereby protecting their location. The corporation can offer this service to their customers by providing them with the address of the Gateway that will anonymize the IP traffic before it reaches the corporation's servers.
In another example, current VPN products will open an encrypted point-to-point tunnel when a remote connection is made to the corporate LAN. That point-to-point tunnel will be open with 2 IP addresses (one at each end of the tunnel). The 2 IP addresses are linked by the tunnel protocol (L2F-L2TP) and will give away the IP address of the remote user's connection, consequently compromising the approximate geographical location (city or state/province, country). The Gateway solves this problem by routing the VPN tunnel over a privacy enhanced network. So, when a user initiates an anonymous VPN connection with their corporate network, he will connect to the Gateway, which anonymizes the request, and then the VPN tunnel is created from an undetermined exit point of the privacy enhanced network. Therefore, somebody who is monitoring the tunnel at the corporate network sees only the exit point of the privacy enhanced network and not the original IP address of the requester.
In a still further application, current technologies offer secure e-mails that guarantee that the content of the e-mail is not modified or accessible to users other than the recipients. However, the identity of the sender and recipients is not protected. The Gateway offers the service of private mail that ensures that the e-mail is authenticated and that only the sender and the recipients are aware of their communication. Also, the recipients can reply to the sender without compromising the privacy of their online communication. Outsiders should not be able to know that the recipients received e-mails from someone using the Gateway, nor the real identity of the sender. Also, outsiders should not be able to view the content of the e-mails that are processed by the Gateway.
In summary, the definition of a private e-mail is:
  • Alice is a user behind a Gateway who wants to send an e-mail message to Bob.
  • Bob is the user who should receive Alice's e-mail and be able to reply to it.
  • Eve is an external eavesdropper who wants to read the message.
The e-mail is private if Eve cannot read the text of the message, cannot tell that Alice has sent a message to Bob, and cannot determine that Bob has received a message from someone using the Gateway.
Thus, it may be seen that the gateway ensures that no single node used to transport its traffic is aware of the source and destination of any connection. In addition, as the gateway resides at the end-user LAN, the LAN administrator has full control over any possible logging that might take place at the gateway.

Representative Drawing

Sorry, the representative drawing for patent document number 2353623 was not found.

Administrative Status

Event History

Description Date
Inactive: IPC expired 2022-01-01
Inactive: IPC from PCS 2022-01-01
Inactive: IPC expired 2022-01-01
Inactive: IPC expired 2022-01-01
Inactive: IPC from MCD 2006-03-12
Inactive: IPC from MCD 2006-03-12
Inactive: IPC from MCD 2006-03-12
Inactive: Dead - Application incomplete 2004-05-18
Application Not Reinstated by Deadline 2004-05-18
Deemed Abandoned - Failure to Respond to Maintenance Fee Notice 2003-07-23
Deemed Abandoned - Failure to Respond to Notice Requiring a Translation 2003-05-20
Inactive: Incomplete 2003-02-18
Application Published (Open to Public Inspection) 2003-01-23
Inactive: Cover page published 2003-01-22
Letter Sent 2001-11-29
Inactive: Correspondence - Transfer 2001-10-24
Inactive: Single transfer 2001-10-24
Letter Sent 2001-10-18
Inactive: Single transfer 2001-10-18
Inactive: IPC assigned 2001-09-14
Inactive: First IPC assigned 2001-09-14
Inactive: Single transfer 2001-09-06
Inactive: Filing certificate - No RFE (English) 2001-08-16
Filing Requirements Determined Compliant 2001-08-16
Application Received - Regular National 2001-08-14

Abandonment History

Abandonment Date Reason Reinstatement Date
2003-07-23
2003-05-20

Fee History

Fee Type Anniversary Year Due Date Paid Date
Application fee - standard 2001-07-23
Registration of a document 2001-09-06
Owners on Record

Note: Records showing the ownership history in alphabetical order.

Current Owners on Record
ZERO-KNOWLEDGE SYSTEMS INC.
Past Owners on Record
FRANK FOSTER
HAMNETT HILL
JEAN-SIMON VENNE
LUC BOULIANNE
Past Owners that do not appear in the "Owners on Record" listing will appear in other documentation within the application.
Documents

Document Description | Date (yyyy-mm-dd) | Number of pages | Size of Image (KB)
Abstract 2003-01-23 1 2
Claims 2003-01-23 1 2
Cover Page 2003-01-02 1 19
Description 2001-07-23 7 273
Courtesy - Certificate of registration (related document(s)) 2001-10-18 1 137
Filing Certificate (English) 2001-08-16 1 175
Reminder of maintenance fee due 2003-03-25 1 107
Courtesy - Abandonment Letter (incomplete) 2003-06-10 1 165
Courtesy - Abandonment Letter (Maintenance Fee) 2003-08-20 1 176
Correspondence 2001-08-16 1 27
Correspondence 2001-12-04 1 19
Correspondence 2003-02-06 1 20