U.S. patent application number 11/122099 was filed with the patent office on 2006-02-16 for meta-protocol.
Invention is credited to Ibrahim S. Abdullah, Daniel A. Menasce.
Application Number | 20060036755 11/122099 |
Document ID | / |
Family ID | 35801315 |
Filed Date | 2006-02-16 |
United States Patent
Application |
20060036755 |
Kind Code |
A1 |
Abdullah; Ibrahim S. ; et
al. |
February 16, 2006 |
Meta-protocol
Abstract
The present invention teaches a multi-layer protocol management
system and method, embeddable in a tangible computer-readable
medium, that allow for on-the-fly machine-readable protocol
discovery and negotiation, distribution of protocol specifications
and components, automatic implementation of protocols from
corresponding machine-readable protocol specifications, and
corresponding execution of automatically generated implementations.
Automatic protocol implementation may be accomplished using
eXtensible Markup Language (XML)-related technologies and
Component-based Software Engineering (CBSE). The present invention
is also a tangible computer-readable medium encoded with
instructions capable of generating, as well as capable of being
designed to generate, protocol specifications. A program of
instructions, called XML-based protocol specification language
(XPSL), may be used for creating a specification of a communication
protocol (such as high-level specifications of a protocol) in a
machine readable form. Using CBSE principles, XPSL may also be used
for allowing high-level specifications of a protocol, expressible
in Finite State Machines (FSM). An eXtensible Stylesheet Language
for Transformations (XSLT) may be used to transform specification
description into actual code. XSLT stylesheets can be designed to
produce code in different programming languages (e.g., C++ or
Java). CBSE may be used to build a set of operations needed by a
protocol.
Inventors: |
Abdullah; Ibrahim S.;
(Jeddah, SA) ; Menasce; Daniel A.; (Cabin John,
MD) |
Correspondence
Address: |
GEORGE MASON UNIVERSITY;OFFICE OF TECHNOLOGY TRANSFER, MSN 5G5
4400 UNIVERSITY DRIVE
FAIRFAX
VA
22030
US
|
Family ID: |
35801315 |
Appl. No.: |
11/122099 |
Filed: |
May 5, 2005 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
60568664 |
May 7, 2004 |
|
|
|
Current U.S.
Class: |
709/230 |
Current CPC
Class: |
H04L 69/03 20130101;
H04L 63/0442 20130101; H04L 67/34 20130101; H04L 69/26 20130101;
H04L 63/061 20130101 |
Class at
Publication: |
709/230 |
International
Class: |
G06F 15/16 20060101
G06F015/16 |
Claims
1. A tangible computer readable medium encoded with instructions
for generating protocol specifications, executable by a machine
under the control of a program of instructions, in which said
machine includes a memory storing said program, wherein execution
of said instructions by one or more processors causes said one or
more processors to perform a multitude of steps comprising: a.
using at least one first element, said at least one first element
including at least one protocol element, each of said at least one
protocol element capable of being used as a root of an XML protocol
specification document; b. adding at least one second element, said
at least one second element including at least one first-state
element, each of said at least one first-state element capable of
specifying the starting state of a Finite State Machine (FSM); and
c. adding at least one third element, wherein said at least one
third element includes at least one state element, for each state
in said FSM.
2. A tangible computer readable medium according to claim 1,
further comprising: a. adding at least one fourth element, said at
least one fourth element including at least one object element,
each of said at least one object element capable of defining
data.
3. A tangible computer readable medium according to claim 1,
further comprising: a. adding at least one fifth element, said at
least one fifth element including at least one instance element,
each of said at least one instance element capable of holding
actual data.
4. A tangible computer readable medium according to claim 1,
further comprising: a. adding at least one sixth element, said at
least one sixth element including at least one action element, each
of said at least one action element capable of defining actions
required by each state.
5. A tangible computer readable medium according to claim 4,
further comprising: a. adding at least one seventh element, said at
least one seventh element including at least one moveto element,
each of said at least one moveto element capable of indicating the
next state.
6. A tangible computer readable medium according to claim 5,
further comprising: a. adding at least one eighth element, said at
least one eighth element including at least one expression element,
capable of serving as a logical expression for producing a set of
predefined values; and b. adding at least one ninth element, said
at least one ninth element including at least one case element,
capable of serving as a list of cases for pointing to the next
state for each possible value of said logical expression.
7. A tangible computer readable medium according to claim 1,
wherein the step of said "adding at least one third element"
further comprises at least one of the following steps: a. adding at
least one fourth element, said at least one fourth element
including at least one object element, each of said at least one
object element capable of defining data; b. adding at least one
fifth element, said at least one fifth element including at least
one instance element, each of said at least one instance element
capable of holding actual said data; c. adding at least one sixth
element, said at least one sixth element including at least one
action element, each of said at least one action element capable of
performing actions required by each state; d. adding at least one
seventh element, said at least one seventh element including at
least one moveto element, each of said at least one moveto element
capable of indicating the next state; e. adding at least one tenth
element, said at least one tenth element including at least one arg
element, each of said at least one arg element capable of
facilitating the passing of data objects to said at least one state
element; and f. adding at least one eleventh element, said at least
one eleventh element including at least one name element, each of
said at least one name element capable of identifying elements.
8. A tangible computer readable medium according to claim 1,
further comprising: a. adding at least one eleventh element, said
at least one eleventh element including at least one name element,
each of said at least one name element capable of identifying
elements.
9. A tangible computer readable medium according to claim 1, in
which said protocol specifications include at least one XML
protocol specification.
10. A tangible computer readable medium according to claim 1, in
which said protocol specifications include a description of a
protocol specification language specified in an XML schema.
11. A protocol management system having a layered approach
comprising: a. a negotiation layer capable of allowing
communicating parties to agree upon at least one protocol
specification, wherein said negotiation layer includes a
negotiation mechanism; b. a distribution layer capable of
retrieving and/or distributing said at least one protocol
specification and any missing component, wherein said distribution
layer includes a delivery mechanism; c. an implementation layer
capable of using eXtensible Stylesheet Language Transformations
(XSLT) for converting said at least one protocol specification and
said any missing component into at least one executable code
capable of implementing said at least one protocol specification
and said any missing component, wherein said implementation layer
includes a machine-readable protocol specification converter; and
d. an execution layer capable of loading and/or running said at
least one executable code, wherein said execution layer includes an
executable code system manager.
12. A protocol management system according to claim 11, further
including at least one searchable repository system, said at least
one searchable repository system capable of storing said at least
one protocol specification and said any missing component.
13. A protocol management system according to claim 11, further
including at least one security measure, said at least one security
measure capable of protecting said system.
14. A protocol management system according to claim 11, wherein
said negotiation layer uses at least one of the following
approaches: a. a manual approach; and b. an automatic approach,
wherein said automatic approach includes at least one of the
following: i. a secure channel; and ii. a customized version of the
Internet Security Association and Key Management Protocol
(ISAKMP).
15. A protocol management system according to claim 14, wherein a
protocol specification using said customized version of ISAKMP is a
bootstrap of said system.
16. A protocol management system according to claim 11, wherein
said distribution layer uses at least one directory service.
17. A protocol management system according to claim 11, wherein
said distribution layer is capable of distributing at least one
digitally signed protocol specification.
18. A protocol management system according to claim 11, wherein
said distribution layer is capable of distributing at least one
digitally signed component referenced in a protocol
specification.
19. A protocol management system according to claim 11, wherein
said distribution layer is capable of retrieving said at least one
protocol specification from a local cache.
20. A protocol management system according to claim 11, wherein
said implementation layer produces code that implements said at
least one protocol specification automatically using: a.
XML-related technologies, wherein said XML-related technologies
include XML schema, XSLT transformations, XSLT processors, XML
parsers, and XML editors; and b. a multitude of components
referenced in said at least one protocol specification.
21. A protocol management system according to claim 20, wherein
said system uses Component-based Software Engineering to build said
"multitude of components referenced in said at least one protocol
specification."
22. A protocol management system according to claim 11, wherein a
single XSLT stylesheet is associated with a single programming
language, said XSLT stylesheet capable of generating said at least
one executable code for a multitude of said at least one protocol
specification, wherein said at least one executable code is an
implementation of said at least one protocol specification.
23. A protocol management system according to claim 11, wherein
said at least one executable code of said at least one protocol
specification is retrieved from a local cache.
24. A protocol management system according to claim 11, wherein
said execution layer comprises at least one of the following: a. at
least one interface responsible for delivering requests and
feedback between the external world and said execution layer; and
b. at least one control operation capable of managing internal
affairs of said execution layer.
25. A protocol management system according to claim 11, in which
said at least one protocol specification includes at least one XML
protocol specification.
26. A protocol management system according to claim 11, in which
said at least one protocol specification includes a description of
a protocol specification language specified in an XML schema.
27. A method for managing protocols comprising the steps of: a.
agreeing upon at least one protocol specification; b. retrieving
and/or distributing said at least one protocol specification and
any missing component; c. converting said at least one protocol
specification and said any missing component into at least one
executable code, said at least one executable code is an
implementation of said at least one protocol specification; and d.
loading and/or running said at least one executable code.
28. A method according to claim 27, further including the step of
storing said at least one protocol specification and said any
missing component.
29. A method according to claim 27, further including the step of
protecting said method of managing protocols using at least one
security measure.
30. A method according to claim 27, wherein the step of "agreeing"
uses at least one of the following approaches: a. a manual
approach; and b. an automatic approach, wherein said automatic
approach includes at least one of the following: i. a secure
channel; and ii. a customized version of the Internet Security
Association and Key Management Protocol (ISAKMP).
31. A method according to claim 30, wherein said at least one
protocol specification using said customized version of ISAKMP is a
bootstrap of said method.
32. A method according to claim 27, wherein the step of "retrieving
and/or distributing" further includes using at least one directory
service.
33. A method according to claim 27, wherein the step of "retrieving
and/or distributing" further includes distributing at least one
digitally signed protocol specification.
34. A method according to claim 27, wherein the step of "retrieving
and/or distributing" further includes distributing at least one
digitally signed component referenced in a protocol
specification.
35. A method according to claim 27, wherein the step of "retrieving
and/or distributing" further includes retrieving said at least one
protocol specification from a local cache.
36. A method according to claim 27, wherein the step of
"converting" further includes producing code that implements said
at least one protocol specification automatically using: a.
XML-related technologies, wherein said XML-related technologies
include XML schema, XSLT transformations, XSLT processors, XML
parsers, and XML editors; and b. a multitude of components
referenced in said at least one protocol specification.
37. A method according to claim 36, wherein said method uses
Component-based Software Engineering to build said "multitude of
components referenced in said at least one protocol
specification."
38. A method according to claim 27, wherein a single XSLT
stylesheet is associated with a single programming language, said
XSLT stylesheet capable of generating said at least one executable
code for a multitude of said at least one protocol specification,
wherein said at least one executable code is an implementation of
said at least one protocol specification.
39. A method according to 27, wherein the step of "converting"
further includes retrieving at least one executable code associated
with at least one protocol specification from a local cache.
40. A method according to 27, wherein the step of "loading and/or
running" comprises at least one of the following steps: a.
delivering requests and feedback; and b. managing internal
affairs.
41. A method according to claim 27, in which said at least one
protocol specification includes at least one XML protocol
specification.
42. A method according to claim 27, in which said at least one
protocol specification includes a description of a protocol
specification language specified in an XML schema.
43. A tangible computer readable medium comprising instructions for
a method of managing protocols, said tangible computer readable
medium executable by a machine under the control of a program of
instructions, in which said machine includes a memory storing said
program, wherein said instructions comprise the steps of: a.
agreeing upon at least one protocol specification; b. retrieving
and/or distributing said at least one protocol specification and
any missing component; c. converting said at least one protocol
specification and said any missing component into at least one
executable code, said at least one executable code is an
implementation of said at least one protocol specification; and d.
loading and/or running said at least one executable code.
44. A tangible computer readable medium according to claim 43,
wherein said instructions further include the step of storing said
at least one protocol specification and said any missing
component.
45. A tangible computer readable medium according to claim 43,
wherein said instructions further include the step of protecting
said method of managing protocols using at least one security
measure.
46. A tangible computer readable medium according to claim 43,
wherein the step of "agreeing" uses at least one of the following
approaches: a. a manual approach; and b. an automatic approach,
wherein said automatic approach includes at least one of the
following: i. a secure channel; and ii. a customized version of the
Internet Security Association and Key Management Protocol
(ISAKMP).
47. A tangible computer readable medium according to claim 46,
wherein said at least one protocol specification using said
customized version of ISAKMP is a bootstrap of said method.
48. A tangible computer readable medium according to claim 43,
wherein the step of "retrieving and/or distributing" further
includes using at least one directory service.
49. A tangible computer readable medium according to claim 43,
wherein the step of "retrieving and/or distributing" further
includes distributing at least one digitally signed protocol
specification.
50. A tangible computer readable medium according to claim 43,
wherein the step of "retrieving and/or distributing" further
includes distributing at least one digitally signed component
referenced in a protocol specification.
51. A tangible computer readable medium according to claim 43,
wherein the step of "retrieving and/or distributing" further
includes retrieving said at least one protocol specification from a
local cache.
52. A tangible computer readable medium according to claim 43,
wherein the step of "converting" further includes producing code
that implements said at least one protocol specification
automatically using: a. XML-related technologies, wherein said
XML-related technologies include XML schema, XSLT transformations,
XSLT processors, XML parsers, and XML editors; and b. a multitude
of components referenced in said at least one protocol
specification.
53. A tangible computer readable medium according to claim 52,
wherein said method uses Component-based Software Engineering to
build said "multitude of components referenced in said at least one
protocol specification."
54. A tangible computer readable medium according to claim 43,
wherein a single XSLT stylesheet is associated with a single
programming language, said XSLT stylesheet capable of generating
said at least one executable code for a multitude of said at least
one protocol specification, wherein said at least one executable
code is an implementation of said at least one protocol
specification.
55. A tangible computer readable medium according to 43, wherein
the step of "converting" further includes retrieving at least one
executable code associated with at least one protocol specification
from a local cache.
56. A tangible computer readable medium according to 43, wherein
the step of "loading and/or running" comprises at least one of the
following steps: a. delivering requests and feedback; and b.
managing internal affairs.
57. A tangible computer readable medium according to claim 43, in
which said at least one protocol specification includes at least
one XML protocol specification.
58. A tangible computer readable medium according to claim 43, in
which said at least one protocol specification includes a
description of a protocol specification language specified in an
XML schema.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] The present application claims the benefit of provisional
patent application: Ser. No. 60/568,664 to Abdullah et al., filed
on May 7, 2004, entitled "Meta-Protocol," which is hereby
incorporated by reference.
[0002] Reference to Computer Program Listing Appendix on a Compact
Disc
[0003] Two copies of a single compact disc (Compact Disc), labeled
Copy 1 and Copy 2, are hereby incorporated by reference in their
entirety. Each Compact Disc contains Computer Program Listing
Appendices A-H. Computer Program Listing Appendix A (created on
Compact Disc on May 5, 2005 and having a size of 482,816 bytes)
contains Documentation of Experiments. Computer Program Listing
Appendix B (created on Compact Disc on May 5, 2005 and having a
size of 57,856 bytes) contains XSLT Stylesheet for Protocol
Transformation. Computer Program Listing Appendix C (created on
Compact Disc on May 5, 2005 and having a size of 54,272 bytes)
contains XPSL XML Schema. Computer Program Listing Appendix D
(created on Compact Disc on May 5, 2005 and having a size of 31,744
bytes) contains Java Interface Code to Process XSLT Stylesheet.
Computer Program Listing Appendix E (created on Compact Disc on May
5, 2005 and having a size of 262,656 bytes) contains Needham
Schroeder Authentication Protocol (NSAP) protocol FSM, XML protocol
specifications and java code. Computer Program Listing Appendix F
(created on Compact Disc on May 5, 2005 and having a size of
561,664 bytes) contains Transport Control Protocol (TCP) 3-way
Handshake protocol FSM, XML protocol specifications, java code and
testing scenarios. Computer Program Listing Appendix G (created on
Compact Disc on May 5, 2005 and having a size of 477,696 bytes)
contains Internet Security Association and Key Management Protocol
(ISAKMP) Base Exchange Experiment protocol FSM, XML protocol
specifications and java code. Computer Program Listing Appendix H
(created on Compact Disc on May 5, 2005 and having a size of
557,056 bytes) contains a protocol FSM, XML protocol specifications
and java code for Secure Socket Layer (SSL) Experiment:
TLS_RSA_with_DES_CBC_SHA. Computer Program Listing Appendix I
(created on Compact Disc on May 5, 2005 and having a size of
1,581,056 bytes) contains Protocol Components Library showing a
description of components and listing of components in java code
used in the experiments.
BACKGROUND OF THE INVENTION
[0004] Communication protocols play a central role in today's
information systems. The wide spread use of the Transmission
Control Protocol/Internet Protocol (TCP/IP) protocol and the rapid
development of communication technologies laid the ground for an
explosion in the use of information technologies at homes,
businesses and government agencies. Several protocols, including
TCP/IP, HTTP, SMTP, S/MIME, SSL and IPsec, have contributed to this
growth. Moreover, new technologies are emerging frequently to
support the growing need for efficient, easy and secure
communication.
[0005] Developed in the mid-1970's by the Defense Advanced Research
Project Agency (DARPA) of the U.S. Department of Defense, the
TCP/IP protocol has several features that led to its widespread
adoption: open standard, freely available for developers and
independent of any specific physical network hardware. The first
two features led to TCP/IP's wide acceptance, and the latter
feature made it easy for different kinds of networks to
interoperate. With the adoption of TCP/IP, the Internet has seen an
exponential growth.
[0006] The TCP/IP stack consists of four layers: the network access
layer, the Internet Protocol layer (IP), the transport layer and
the application layer. The network access layer is located at the
bottom of the architecture. It consists of many protocols that
provide access to physical networks. Compared to the Open System
Interconnection (OSI) seven-layer reference model, the network
access layer comprises just two layers: a data link layer and a
physical layer.
[0007] The IP layer is responsible for defining the Internet
addressing scheme, composing datagrams and routing them to their
destination. IP is a connectionless protocol. Yet, it does not
provide handshake or reliability mechanisms. Thus, IP depends on
other layers to provide such services.
[0008] The transport layer consists of two protocols: Transmission
Control Protocol (TCP) and User Datagram Protocol (UDP). TCP
provides connection management reliability, flow control and
sequencing, whereas UDP serves as a simple interface between
applications and IP. One other distinction is that UDP does not
provide reliability, flow-control or error-recovery.
[0009] The application layer is at the top of the stack. It
includes protocols that use the transport layer to deliver data to
the network. Many protocols run at the application layer to provide
services such as TELNET, HTTP, SMT and FTP.
[0010] Problematically, TCP/IP does not have security measures to
support the kind of applications that have appeared over time.
Therefore, several security solutions have been proposed to address
the different kinds of vulnerabilities of TCP/IP, as well as the
additional security needs of applications. Such security solutions
are typically associated with a single layer of the TCP/IP stack or
with specific applications.
[0011] Security protocols also play a central role in today's
information systems. Most tend to have more commonalities than
differences. For example, security protocols share significant
functionality and utilize a common set of encryption, hash and
compression algorithms. They usually differ in the handshaking
mechanism (which includes authentication), target data, header
processing, key sizes, replay mechanisms and the order in which the
various algorithms are applied.
[0012] One common security protocol is the secure socket layer
(SSL). The motivation for the SSL protocol development was to
provide protection to electronic commerce and Web transactions. In
1994, Netscape communications introduced SSL version 1.0 in its
Mosaic Web browser. Netscape made SSL an open standard and
encouraged the Web community to participate in its development.
Later, in May 1996, the development of SSL became the
responsibility of the Internet Engineering Task Force (IETF), which
was later renamed as Transport Layer Security (TLS).
[0013] SSL has two important features. First, it provides strong
protection based on public key cryptography. That is, SSL uses
public key cryptography to encrypt the pre-master key that is used
to generate the set of shared keys. Second, SSL is efficient
because it uses symmetric key cryptography to protect the traffic
between the communicating parties. Therefore, SSL consumes
relatively little CPU time to protect the exchange of data between
parties. These two features made SSL suitable for most e-commerce
applications on the Internet.
[0014] Today, SSL is the most widely used Web security protocol.
Almost every browser and Web server supports SSL. SSL adds security
by inserting itself between the Hypertext Transfer Protocol (HTTP)
application and the TCP layer. Therefore, SSL requires minor
changes in the applications. In addition, SSL is not limited to
HTTP traffic (through its original specification) but it can
support other Internet applications, such as Net News, FTP and
Telnet.
[0015] However, a disadvantage of SSL is that it only supports TCP.
In the typical handshake process, an SSL initiator sends to the
second party a list of the security capabilities that it can
support. For instance, TLS v.1 currently supports 32 different
capabilities. In this format, the responder selects his preferred
capability and sends it back to the initiator along with a
certificate that contains a public key. The certificate is then
used by the initiator to authenticate the responder. Next, the
initiator creates a pre-master secret key, encrypts it with the
responder's public key and sends the encrypted message to the
responder. Afterwards, both parties use the pre-master secret key
to create six shared keys for the protection of the subsequent
communication. Each party indicates its readiness to switch to
protected mode by sending a single byte message called
ChangeCipherSpec. The first protected message sent by each party is
the Finish message. This message contains a hash value of all the
previously exchanged messages between the parties to protect the
session against replay attacks.
[0016] Another security protocol is IP Security Protocol (IPsec).
IPsec is a security standard developed by the Internet Engineering
Task Force (IETF). This protocol is designed to establish a solid
security ground for the Internet. IPsec is part of the Next
Generation Internet or Internet II (IPv6). Most of the VPN products
nowadays adopt the IPsec protocol (e.g., Cisco VPN, eTrust, VPN-1
and Symantec). A complex technology, IPsec's main goal is to secure
the flow of information between two endpoints. Its security
services are designed for the IP layer. Furthermore, it provides
several types of protections such as source IP authentication,
integrity and confidentiality. The protection scope varies. For
example, it may include the IP header, or it may be limited to the
payload only. These choices are determined by a set of security
policies that are managed by a system administrator. However, an
IPsec-secured connection is very cumbersome to setup and configure
because it comes in many varieties. Therefore, an IPsec user has to
have a clear set of requirements and security policies before
implementation. Otherwise, it would be hard to validate whether
there is a secure connection or not.
[0017] IPsec consists of two major protocols: Authentication Header
(AH) and Encapsulating Security Payload (ESP). Each protocol can be
configured to run in Transport Mode or in Tunnel Mode. The
Transport Mode provides security for transport layer (TCP, UDP or
ICMP). Typically, this mode is used for end-to-end communication.
Therefore, ESP in transport mode encrypts, and optionally
authenticates, the IP payload but not the IP header. Similarly, AH
in transport mode authenticates the IP payload and selected
portions of the IP header without encryption.
[0018] Tunnel mode provides security for the entire packet. A new
header with the gateway destination address is added to the packet.
ESP in tunnel mode adds a new header to the packet, encrypts it and
optionally authenticates the new packet including the new header.
In contrast, AH in tunnel mode authenticates the entire packet and
parts of the new header without encryption.
[0019] IPsec manages keys and establishes sessions through a
protocol called the Internet Key Exchange (IKE). IKE is a
collection of protocols: Internet Security Association and Key
Management Protocol (ISAKMP), Oakley Key Determination Protocol
(Oakley) and Secure Key Exchange Mechanism (SKEME). Therefore,
IPsec supports a wide variety of key types and sizes.
[0020] IPsec provides general IP security services regardless of
the specific needs of the applications. However, IPsec is
transparent to applications. Therefore, similar to SSL, IPsec
cannot address specific needs of an application, such as
authenticating a user or protecting parts of a document (e.g., part
of a contract or a payment document).
[0021] The current approach to implementing security protocols is
centered on designing a protocol as a single package comprised of
two layers: control and a library of algorithms. This approach is
based on the assumption that every protocol is complete and does
not need to be integrated with other security protocols. Yet, this
assumption may not be valid in situations where several security
protocols need to coexist. In such cases, redundancy and conflicts
may occur. For example, running Secure/Multipurpose Internet Mail
Extensions (S/MIME) over IPsec introduces redundancy. Both provide
similar encryption: S/MIME does it at the document level and IPsec
at the packet level. This situation is common in
business-to-business (B2B) applications when an application uses
S/MIME as a document-level protection while using IPsec to protect
the communication with a remote branch office.
[0022] Moreover, the current approach of designing autonomous and
complete protocols has several disadvantages. First, it may result
in conflicts when various protocols need to coexist. For example,
if compression is done at an upper layer (e.g., S/MIME), repeating
it at a lower layer may increase the size of the message. Second,
there is not enough flexibility in most security protocols (e.g.,
S/MIME, SSL, IPsec) and, consequently, their users have to adopt
them without being able to make changes. For instance, a user may
want to change the header by adding or removing some fields for
quality of service (QoS) purposes. Third, these protocols offer
coarse grained security services and the developer of an
application does not have the ability to fine tune operations
within the use of these protocols. For example, S/MIME services are
applied to an entire document, preventing a user from applying it
on selective parts of the document. Fourth, the use of coarse grain
services may lead to unnecessary performance degradation. For
instance, SSL has to calculate a block of four shared keys and a
couple of IVs even if the user does not want to use some of the
modes such as the read mode, the write mode, the encryption service
or the integrity service.
[0023] Furthermore, the traditional approach to implementing
protocols is monolithic. Adhering to monolithic protocols limits
users to situations for which the protocols were implemented.
Internet applications and their security requirements are evolving
very rapidly. Video, audio, wireless applications, collaborative
applications and many other emerging technologies raise new
challenges and require flexible approaches to deal with them. This
monolithic implementation approach is not well-suited to cope with
rapid changes in communication and security requirements.
[0024] Overall, the current process of implementing a protocol is
tedious and error-prone. Protocol specifications in natural
language are often ambiguous and may lead to defective
implementations. Moreover, implementations have to be thoroughly
tested. This testing is a time-consuming effort due to the timing
dependencies of events processed by protocols.
[0025] Consequently, it would be desirable to have a model for
sharing protocol specifications to produce protocol implementations
automatically. It would also be desirable to free protocols from
being dependent on the monolithic implementation of a limited
number of capabilities. Additionally, it would be desirable to have
a flexible infrastructure for businesses to exchange protocol
specifications and automatically generate code that supports the
evolving B2B environment. Furthermore, it would be desirable to
have a framework that could be applied to overlay networks and Web
Services.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
[0026] The accompanying drawings, which are incorporated in and
form a part of the specification, illustrate an embodiment of the
present invention and, together with the description, serve to
explain the principles of the invention.
[0027] FIG. 1 shows a protocol management system.
[0028] FIG. 2 shows one embodiment as per an aspect of a layered
structure of the Meta Protocol framework.
[0029] FIG. 3 shows another embodiment as per an aspect of a
layered structure of the Meta Protocol framework.
[0030] FIG. 4a shows one embodiment as per an aspect of a flow
process for interacting among the layered structure of a protocol
management system.
[0031] FIG. 4b shows a tangible computer-readable medium encoded
with the embodiment of FIG. 4a.
[0032] FIG. 5a shows another embodiment as per an aspect of a flow
process for interacting among the layered structure of a protocol
management system.
[0033] FIG. 5b shows a tangible computer-readable medium encoded
with the embodiment of FIG. 5a.
[0034] FIG. 6 shows an ISAKMP packet format.
[0035] FIG. 7a shows a list of messages for Base Exchange.
[0036] FIG. 7b shows FSM diagrams for ISAKMP Base Exchange.
[0037] FIG. 8 shows an example of an ISAKMP header carrying a
proposal payload.
[0038] FIG. 9 shows a manual protocol production process.
[0039] FIG. 10 shows an automated protocol production process.
[0040] FIG. 11 shows a system architecture.
[0041] FIG. 12 shows an example of an access list.
[0042] FIG. 13 shows an example of a UML entity class diagram for
the access list.
[0043] FIG. 14 shows an example of records in a registry
database.
[0044] FIG. 15 shows a UML entity class diagram for the registry
database.
[0045] FIG. 16 shows a UML activity diagram for a PCS
operation.
[0046] FIG. 17 shows FSM diagrams for the Needham-Schroeder
authentication protocol.
[0047] FIG. 18 shows a traditional manual protocol production
process.
[0048] FIG. 19 shows an automated protocol production process.
[0049] FIG. 20 shows an example of XPSL XML elements.
[0050] FIG. 21 shows one embodiment as per an aspect of a method
for using XPSL.
[0051] FIG. 22 shows a XPSL syntax for NSAP's client state 3.
[0052] FIG. 23 shows another embodiment as per an aspect of a
method for using XPSL.
[0053] FIG. 24 shows an example of an <object> element.
[0054] FIG. 25 shows an example of an <instance> element.
[0055] FIG. 26 shows an example of a <moveto> element nested
inside an <action> element.
[0056] FIG. 27 shows an example of a <moveto> element.
[0057] FIG. 28 shows an example of an <instance> element
nested inside an <action> element.
[0058] FIG. 29 shows an example of protocol specification and
implementation using XPSL.
[0059] FIG. 30a shows one embodiment as per an aspect of XPSL
stored in a tangible computer-readable medium.
[0060] FIG. 30b shows another embodiment as per an aspect of XPSL
stored in a tangible computer-readable medium.
[0061] FIG. 31a shows a data type comparison between programming
languages.
[0062] FIG. 31b shows a list of XPSL protocol primitive data
types.
[0063] FIG. 32a shows a common pictorial view of an FSM indicating
the possible transitions between states.
[0064] FIG. 32b shows a behaviorally equivalent pictorial
representation.
[0065] FIG. 33 shows a tree of XML elements corresponding to an
FSM.
[0066] FIG. 34 shows one embodiment as per an aspect of steps
required to check a protocol specification.
[0067] FIG. 35 shows a main segment of the XML schema for XPSL
specifications.
[0068] FIG. 36 shows an XML schema definition of an <object>
element.
[0069] FIG. 37 shows steps required to generate a protocol
implementation from an XPSL specification.
[0070] FIG. 38 shows an XSLT main template.
[0071] FIG. 39 shows an example of a <first-state>
template.
[0072] FIG. 40 shows an example of an <object> template.
[0073] FIG. 41 shows an example of an <instance>
template.
[0074] FIG. 42 shows an example of an <action> template.
[0075] FIG. 43 shows an example of a <moveto> template.
[0076] FIG. 44 shows an example of a <state> template.
[0077] FIG. 45 shows partial Java code of the NSAP.
[0078] FIG. 46 shows an FSM diagram for TCP handshake.
[0079] FIG. 47a shows a TCP sequence of states transition.
[0080] FIG. 47b shows a TCP sequence of message exchange.
[0081] FIG. 47c shows a TCP sequence of states transition.
[0082] FIG. 47d shows another TCP sequence of message exchange.
[0083] FIG. 48 shows an XPSL specification of the first state.
[0084] FIG. 49 shows a list of the Java code corresponds to the
specification presented in FIG. 48.
[0085] FIG. 50 shows components and objects used in the ISAKMP
initiator.
[0086] FIG. 51 shows data structure of the ISAKMPFSM object.
[0087] FIG. 52 shows BXcomposeMainHeader Java class.
[0088] FIG. 53 shows a Java class for sending a UDP packet.
[0089] FIG. 54 shows an SSL Handshake sequence of message
exchange.
[0090] FIG. 55 shows an FSM diagram for SSL Handshake.
[0091] FIG. 56 shows an SSL Handshake Client SessionState object
XPSL specification.
[0092] FIG. 57 shows an SSL Handshake Client first state XPSL
specification.
[0093] FIG. 58 shows an SSL Handshake Server first state XPSL
specification.
[0094] FIG. 59 shows a generated Java code corresponding to the
specification in FIG. 56.
[0095] FIG. 60 shows a generated Java code corresponding to the
specification in FIG. 57.
[0096] FIG. 61 shows FSM diagrams for an XSPL SSL protocol.
[0097] FIG. 62 shows an SSLSessionState data structure.
[0098] FIG. 63 shows actions inside state 7 of the client XPSL
specification.
[0099] FIG. 64 shows a format of an SSL packet.
[0100] FIG. 65 shows java implementation of the TCPListen
Component.
[0101] FIG. 66 shows XPSL actions inside state 6 of the server
process.
[0102] FIG. 67 shows an example of an encryption component.
DETAILED DESCRIPTION OF THE INVENTION
[0103] The present invention is a multi-layer protocol management
system and method, embeddable in a tangible computer-readable
medium, that allow for on-the-fly machine-readable protocol
discovery and negotiation, distribution of protocol specifications
and components, automatic machine-readable protocol implementation
and execution of machine-readable protocol specifications.
Automatic protocol implementation may be accomplished using
eXtensible Markup Language (XML)-related technologies and
Component-based Software Engineering (CBSE).
[0104] The present invention is also a tangible computer-readable
medium encoded with instructions capable of generating, as well as
capable of being designed to generate, protocol specifications. A
program of instructions, called XML-based protocol specification
language (XPSL), may be used for generating a specification of a
communication protocol (such as high-level specifications of a
protocol) in a machine readable form. A language that protocol
designers can use to describe the design of a protocol, XPSL may be
expressible in Finite State Machines (FSM) by using CBSE
principles. Taking an XPSL document as input, an eXtensible
Stylesheet Language for Transformations (XSLT) may be used as a
code generator to transform specification description into actual
code (e.g., an implementation for the communication protocol). XSLT
stylesheets can be designed to produce code in different
programming languages (e.g., C++ or Java). CBSE may be used to
build a set of operations needed by a protocol.
[0105] XML is a set of rules for creating new markup languages.
Originally, XML may be construed as a subset of the Standard
Generalized Markup Language (SGML), which specifies syntactic and
semantic rules for creating new markup languages, such as the
Hypertext Markup Language (HTML). SGML may also be deemed as an
International Standards Organization (ISO) standard.
[0106] XML 1.0 was announced as a World Wide Web Consortium (W3C)
recommendation on Feb. 10, 1998. A goal of XML is to provide a
language for expressing metadata. Metadata refers to information
about data. Metadata is often important in searches, filtering, and
document management. XML is intended to be human-readable as well
as machine-readable. A document that conforms to the XML
specification can be called "well-formed." XML editors and parsers
typically provide the capability to check if an XML document is
well-formed or not.
[0107] An XML specification may include two parts. One may specify
rules for constructing XML documents, while the other may specify
rules for Document Type Definitions (DTD). A DTD may specify how
tags are used in a class of XML documents; the order they should
appear; the nesting structure of a document; and the attributes of
XML elements for that class of documents. A DTD may also describe
constraints on XML elements that are used to validate the
correctness of an XML document. But, a DTD may also have
disadvantages. First, it is not written in XML; it has a special
syntax. Second, a DTD has a limited expressive syntax to address
needs such as different kinds of data types and cardinality
constraints. To overcome the limitations of DTDs, XML schemas may
be introduced.
[0108] The W3C released the Schema standard in May 2001. An XML
schema may specify valid elements and attributes in an XML
document. It may also specify XML elements order, attributes
constraints, accepted data types and accepted value ranges. Schema
can help applications determine whether an XML document complies
with a system's requirements.
[0109] XPSL may be based on XML, which is an open standard used to
express Metadata in machine readable form. Because XML is known to
be widely used for easy sharing and exchanging of information about
transmitted data, XPSL can benefit from the wide spread tools and
technologies of XML. In essence, the development of XPSL addresses
the need of sharing and exchanging protocol specifications among
users in a machine readable form.
[0110] The eXtensible Stylesheet Language (XSL) is a language that
allows XML document users to specify how an XML document may be
transformed into a resulting output document (e.g., HTML, SVG, PS,
PDF, plain text, or any other format). The XSLT 1.0 recommendation
was released on Nov. 16, 1999. XSLT tends to be attractive to
developers because it is not a programming language. An XSLT
stylesheet may be written down as a set of rules, which may be
applied to the XML document during the transformation to produce
the required output.
[0111] I. The Meta-Protocol Framework
[0112] A protocol may be defined as a set of rules shared by two or
more communicating parties to facilitate data communication. These
rules can have two parts: syntax and semantic. Syntax refers to the
format of the messages that are to be exchanged; semantic refers to
the sequence of operations to be performed by each party when
events (e.g., timeouts and reception of messages) occur.
[0113] Referring to FIG. 1, as one embodiment, a protocol
management system, sometimes referred to as a Meta-Protocol
framework, can demand a plurality of requirements. First, it may
require a negotiation mechanism for allowing communicating parties
to agree upon a machine-readable protocol specification (also
sometimes referred to as protocol specification or specification).
The specification may be an XPSL specification. Second, it may
require a delivery mechanism for retrieving and/or distributing the
machine-readable protocol specification and any missing component.
Third, it may require a searchable repository system to store
specifications and any missing component. Fourth, it may require a
machine-readable protocol specification converter to convert the
protocol specification and any missing component into executable
code. Fifth, it may require an executable code system manager for
managing the executable code by loading it and running it as
needed. Sixth, it may require a security measure against attacks,
such as identify theft, Denial of Service (DoS), anti-replay and
connection hijacking. Seventh, it may require a layered
architecture.
[0114] The layered architecture is often necessary to maintain
flexibility. Natural boundaries between layers may be found
according to technologies chosen at each layer. Indeed, each layer
may encompass multiple technologies that fit the requirements of
that layer. For example, off-line or online approaches may be used
at the negotiation layer, which is usually the first layer of the
Meta-Protocol framework. Moreover, any security measures needed may
vary per layer.
[0115] To implement the Meta-Protocol framework, a development
environment and/or an execution environment may be needed. The
development environment is generally responsible for writing down
protocol specifications from protocol designs, developing
components, and verifying specifications and components. Once a
specification is complete along with all the required components,
the protocol may be deployed into the execution environment. The
development environment architecture and tools can be widely open
and can vary from a simple standalone editor and compiler to
complex visual (e.g., GUI) systems that integrate editing, coding,
and verification.
[0116] The distinction between the two environments is important
from an operational and performance point of view. An objective of
the development environment is to prepare a system and produce
necessary code. This objective may be achieved in the background
(e.g., under no time constraints). On one hand, operations in the
development environment may involve human interaction and may take
several cycles to produce the correct specification and, if any,
components code. On the other hand, operations in the execution
environment may take place at run time. Therefore, by separating
these two environments, protocol code may be executed with minimum
possible overhead.
[0117] Referring to FIG. 2, the Meta-Protocol framework may have
four different layers: a negotiation layer, a distribution layer,
an implementation layer and an execution layer. In the negotiation
layer, communicating parties may agree upon protocol specification.
It is preferable, albeit not necessary, that the protocol
specification be written using XPSL. For example, the protocol
specification can also be written using XML. In the distribution
layer, the responding party may retrieve and/or distribute the
agreed upon protocol specification, as well as any components
needed for the protocol implementation. The protocol specification
may exist locally or at a remote site. The responder may retrieve
the protocol specification and verify its authenticity, or
alternatively, allow a trusted third party to do so. In the
implementation layer, the protocol specification may automatically
be converted into code (e.g., executable code) through a
transformation process that uses XSLT. In the execution layer, the
code may be loaded and executed as needed.
[0118] Various mechanisms may be employed to assist in performing
these functions. These include a negotiation mechanism, delivery
mechanism, machine-readable protocol specification converter and
executable code system manager. Each may be embedded within its
respective layer as exemplified in FIG. 3. Additionally, the
framework may also be supplemented by incorporating a searchable
repository system and a security measure. The searchable repository
system may assist in storing a protocol specification and/or any
missing component. A security measure can help protect the system
and method from attacks, such as viruses and access without
permission.
[0119] The system may be able to interact among the layers using a
method as exemplified in FIG. 4a. Additionally, the method may
further include a storing step and a securing (i.e., protection)
step as exemplified in FIG. 5a. Both FIGS. 4b and 5b show that its
respective method may be embedded in a tangible computer-readable
medium.
[0120] A. Negotiation Layer
[0121] A goal of the negotiation layer is to establish an agreement
between two communicating parties on the name and location of a
protocol specification and its components. The protocol
specification may be written in XML and/or include a description of
a protocol specification language (such as, but not limited to
XPSL) specified in an XML schema. In essence, for example, the
protocol specification may be a machine-readable XPSL
specification. A component may be any software component, such as
the ones listed in the Computer Program Listing Appendix. A
negotiation mechanism can be used to help accomplish this goal. The
initiator of the communication can provide a set of proposed
protocol specifications. The responder can then select a protocol
specification according to its preferences and notify the
initiator.
[0122] This goal may be achieved either manually or automatically.
The manual approach may be feasible for local areas but may not be
appropriate for long distances. Under the automatic approach, the
goal may be achieved either via a secure channel (e.g., SSL or
IPsec) or through the use of a customized version of the Internet
Security Association and Key Management Protocol (ISAKMP).
Customization can be performed according to a user's requirements
or needs. If secure channels are used, negotiation mechanisms may
need to be added. Yet, it is preferable to choose a customized
version of ISAKMP because it may already provide a negotiation
mechanism in addition to several important security features.
[0123] ISAKMP tends to provide packet formats and negotiation
procedures for establishing security associations (SA) and key
management. For the purpose of maintaining interoperability between
systems, it is preferable to separate security association
management from key exchange. In addition, the ISAKMP standard may
be independent of any specific security protocol or key exchange
algorithm. Moreover, this standard may be highly flexible and
interoperable with other protocols and algorithms.
[0124] Every ISAKMP packet may include one or more payloads
organized as a linked list. Each payload can vary in length as
specified in a payload header. The first payload may be defined in
the main ISAKMP header, and every payload may carry a field that
defines the next payload type, which may define the structure of
such payload and its content.
[0125] It is preferable to customize a Domain of Interpretation
(DOI) to define new payload formats, exchange types and name
conventions, as well as to save time and effort. To achieve this
feature, the IPsec format may be used with various types of
information tailored to the needs of the Meta-Protocol framework.
For example, IPsec may use ISAKMP proposals to deliver information
related to the IPsec type of operation and transforms (e.g., AH or
ESP). In the Meta-Protocol framework, ISAKMP may be used to deliver
information related to protocol name, location and versions.
[0126] The operation of ISAKMP may include two phases. The first
phase preferable negotiates security proposals. An agreement upon a
specific proposal can establish phase-1-SA. In the second phase, a
protocol specific SA may be created under the protection of
phase-1-SA. The first phase may offer five types of exchanges:
Base, Identity Protection, Authentication Only, Aggressive and
Informational. Each type of exchange tends to describe a sequence
of messages, and each may differ in the level of authentication and
number of messages exchanged. An initiator can select one of these
exchanges to deliver proposals according to its needs. The Base
Exchange may provide session integrity protection. One embodied
implementation of the present invention uses this exchange to
deliver the file name and file location of an XPSL protocol
specification instead of delivering IPsec related information. If
confidentiality is required, then the Identity Protection exchange
can be used.
[0127] As an embodiment, FIG. 6 exemplifies the format of ISAKMP's
main header and payload header. ISAKMP may mandate the use of UDP
as the transport protocol for ISAKMP messages. According to one
ISAKMP recommendation, a set of cookies in the header is generated
by hashing the IP source and destination addresses, the UDP source
and destination ports, and any locally generated secret number. The
Next Payload Type field in the main header defines 13 types and
leaves a range of values from 128 to 255 for private use. The
Exchange Type field defines the five types of exchanges as
mentioned previously. This field also leaves a range of values from
240 to 255 for private use. The private use code ranges provide the
flexibility to define additional sequences of messages for
different types of exchange as needed.
[0128] FIG. 7a shows a list of messages that may be used by Base
Exchange to deliver protocol proposals. FIG. 7b shows an example of
FSM diagrams for this Base Exchange. As part of the customization
of IPSec's DOI, the semantic of the messages of the Base Exchange
may be changed.
[0129] According to these exemplified illustrations, in ISAKMP's
Base Exchange, an initiator starts by sending a set of protocol
proposals, similarly to an exchange of security associations, and a
nonce. The nonce may be used to protect against anti-replay. The
responder chooses one of the proposals and notifies the initiator.
This notification message also includes another nonce. In the next
two messages, the parties exchange key information and
authentication information. The authentication payload contains a
hash value over the previous messages to protect against session
highjacking.
[0130] The ISAKMP protocol may contain all the security measures
needed to protect the negotiation process against DoS, anti-replay
and connection highjacking. The five exchange types in ISAKMP
usually have different levels of authentication. The most protected
exchange may be the Identity Protection exchange with six messages,
and the least protected may be the Aggressive exchange with only
three messages.
[0131] In an instance, as shown in FIG. 8, an initiator may send an
ISAKMP packet to deliver a protocol proposal composed of a protocol
specification name, its location and its version. The name and
location of the protocol specification are preferably mandatory;
the protocol version is optional. The protocol specification name
(Protocol_X) and versions (MjVer and MinVer) are placed in the
first payload while the location goes in the next payload. An
initiator may send multiple proposals linked to a main ISAKMP
header using the Next Payload field. The list is terminated by a
null value in the Next Payload field.
[0132] The initiator may also have the option to append to the
packet a key exchange payload carrying information about the
proposed key exchange technique (e.g., Oakley or Diffie-Hellman).
The key exchange may also carry the required data to generate
session keys.
[0133] Preferably, a protocol specification of the customized
version of ISAKMP may serve as the bootstrap of the Meta-Protocol
framework. Simply, this embodiment is typically required from any
network node to use the Meta-Protocol framework since the code for
ISAKMP may be generated from its specification.
[0134] B. Distribution Layer
[0135] Generally, specifications and components referenced therein
do not need to be stored locally. Communicating parties may
exchange them directly (e.g., via a communicating party
distribution) or retrieve them from a trusted third party. Such
exchange may be facilitated using a delivery mechanism.
Specifications and components that are only needed for a short
period of time may be deleted after their use to save space.
Alternatively, specifications may be retrieved and/or distributed
from a local cache. To protect specifications and components
referenced therein from unsolicited or malicious alteration, each
ought to be digitally signed by their authors and verified by the
receiving party. Trusted providers may place their specifications
and components at public repositories on the Internet so users may
retrieve them when needed. Newer versions may also be pushed from
these providers to subscribed users to keep theirs up-to-date.
[0136] As a preferred embodiment, the distribution layer uses a
directory service, such as the Universal Description, Discovery,
and Integration (UDDI) directory, which is a known comprehensive
industry initiative that helps businesses define themselves,
discover other businesses and share information about their
interactions globally. UDDI is also an architecture for web
services integration that contains standards-based specifications
for advertising, description and discovery services. Each service
advertised in a UDDI directory has the freedom to specify a
transport mechanism to access that service (e.g., SMTP, FTP, HTTP,
and SOAP). Every UDDI user may have the option to check the
transport mechanism of the service he or she is seeking before
connecting to that service. Communicating parties in the present
invention may use UDDI to advertise protocol names, the location of
their specifications, the location of the components needed by the
specification and the preferred transport mechanism to download the
specification and components.
[0137] In addition, using UDDI at the distribution layer may also
serve users who are planning to start a negotiation but do not have
specifications to propose to another party. Such users may consult
UDDI directories to discover protocol specifications, their
providers, the location of the specifications and their components
for download.
[0138] UDDI is an open standard specification for directory
services. The standard was released on Sep. 6, 2000 as a project
aimed to provide service-centric business-to-business (B2B)
integration. A goal of UDDI is to enable businesses to establish
many business relationships. UDDIs are repositories of information
that facilitate discovery and interaction between customers and
vendors. Vendors may present their offerings through UDDI as
regular text descriptions or as electronic representations (e.g.,
Web services).
[0139] Another goal of UDDI is to provide two main services:
publishing and discovery. Typically, publishing is done by the
service providers, and discovery is done by the customers. Today,
there are several public UDDI sites that are running the most
current specifications and are usually available free-of-charge to
UDDI developers (e.g., uddi.ibm.com, uddi.rte.microsoft.com and
udditest.sap.com). These UDDI sites help enable anyone to search
existing data or register new services.
[0140] The data available within UDDI may be divided into three
categories: white pages, yellow pages and green pages. White pages
may include general information about the provider of the service
(e.g., contact information). Yellow pages may provide
classification information about the service providers (e.g.,
industry, products and codes). Green pages may contain technical
information about the service. This technical information may
contain a pointer to an external specification, address of the
service provider and a specification of the method for accessing
the service. UDDI may not be limited to advertising Web services.
Rather, UDDI can be used to advertise any service including web
pages, e-mail addresses and Common Object Request Broker
Architecture (CORBA) services.
[0141] C. Implementation Layer
[0142] The traditional manual process, as shown in FIG. 9, for
producing protocols may have three stages: design, verification and
implementation. The first two stages may produce a specification
document. The specification of standard protocols (e.g., TCP/IP,
FTP, SSL and IPsec) may be written in natural English (e.g., RFC)
and may be translated into code by programmers.
[0143] The manual design and verification process may be similar to
the traditional approach. However, the design process in the
present invention may use FSMs to produce protocol specifications
in XML. These specification documents generally have to be
well-formed XML documents and ought to comply with the rules
specified in the protocol XML schema. If these conditions are
satisfied, an XSLT stylesheet may automatically implement the
protocol without human intervention.
[0144] The implementation layer of the present invention may
include an approach to produce code (e.g., executable code) that
implements a protocol automatically. The proposed approach is
preferably based on XML-related technologies and a multitude of
components referenced in at least one of the protocol
specifications. XML-related technologies may include, but are not
limited to, XML schema, XSLT transformations, XSLT processors, XML
parsers, and XML editors. Where XPSL protocol specifications are
involved, it is suggested that an XML-based language, such as XPSL
as later discussed herein, be used to produce code. In general,
XPSL may specify protocols described through FSMs. XSLT may be used
to transform or convert the specification and any missing component
into actual code, such as an executable code. To aid this
conversion process, a machine-readable protocol specification
converter may be used. XSLT stylesheets may be designed to produce
code in different programming languages (e.g., C++, Java or Cobol).
It is possible that a single XSLT stylesheet may be associated with
a single programming language. Such stylesheet may be used to
generate an executable code, which may either be an implementation
of or a code used for implementing at least one protocol
specification, for a multitude of protocol specifications. The
executable code itself may be retrieved from a local cache.
[0145] CBSE, a software component, may be used to build a set of
operations (e.g., encryption) needed by the protocol. Such set may
be a multitude of components referenced in at least one of the
protocol specifications. FIG. 10 highlights a proposed automated
protocol production process.
[0146] Every component used in an XPSL specification may be an
executable program designed based on CBSE principles. Furthermore,
a component may be a software component. Moreover, a component may
be shared by more than one XPSL specification. For example, an RSA
encryption algorithm may be used in a single protocol several times
and may be shared by many protocols. However, a component may also
comprise several subcomponents. For instance, a security envelope
component consists of a header processing subcomponent, a MAC
subcomponent and an encryption algorithm subcomponent.
[0147] The idea of modular or component-based design approach is
common in many engineering fields and industries. For instance,
most electronic devices, such as computers, are assembled from
parts that can interoperate within a single system. These parts
comprise many different kinds and are supported by many "industry
standards" such as motherboards, chips, memory, keyboard and
cables. This process also requires that standards for interfaces be
defined to allow disparate sets of parts to be assembled into one
system. Some of these standards may be dictated by major vendors,
while others may be de facto industry standards.
[0148] In software engineering, CBSE may help improve the
efficiency of the software development process, reduce maintenance
costs and enhance the quality of the resulting product. Recently,
CBSE has been adopted by many vendors in technologies such as
CORBA, COM+, JavaBeans and Software Agents.
[0149] A software component may be defined as "a software element
that conforms to a component model and can be independently
deployed and composed without modification according to a
composition standard." The component model mentioned in this
definition refers to the interaction and composition standard. The
interaction aspect of the model defines the interface of the
component. The composition aspect defines the deployment of the
component in terms of installation, configuration and
instantiating. While other definitions exist for software
component, the recurring characteristics identified by these
definitions are independency, interface, context, relationships and
the architecture of the component.
[0150] CBSE is an approach that helps simplifying complex systems
by dividing them into smaller subsystems. Each subsystem may be
regarded as a component that can be designed, implemented and
tested independently. This approach may exhibit several advantages:
the ease of designing and developing large systems,
language-independent, reusable, scalable, facilitation of testing
and validation, and flexibility.
[0151] D. Execution Layer
[0152] Generally, the execution layer deals with an executable code
of a protocol and depends on services provided by an underlying
operating system and a network. All kinds of message exchanges
between parties may be performed by a code running at this layer.
Protocol code should be loaded as a privileged process by the
operating system. This process and its address space may need to be
protected against any malicious alteration or termination. To
manage the loading and/or running of an executable code, an
executable code system manager may be used.
[0153] Playing a central and integrative role in the present
invention, this layer may include a set of interfaces and control
operations. The interfaces are usually responsible for delivering
requests and feedback between the external world and the execution
layer to, for example, deliver user requests to start or terminate
a protocol. The external world may be defined as anything outside
of the execution layer, such as a tangible or intangible object,
system, action, method, process, etc. Control operations, which may
take place at run time, may manage the internal affairs of the
execution layer. Internal affairs may be defined as the internal
matters, activities, thought processes, operations, etc. within a
particular environment, such as the execution layer. Examples
include authenticating a user to access a protocol, checking the
availability of a protocol, loading or terminating a protocol.
[0154] In this environment, the Protocol Control System (PCS) may
control the internal activities and provide several interfaces to
connect the layers of the present invention to the external world.
FIG. 11 shows one aspect of a proposed system architecture for the
implementation of the Meta-Protocol framework. The PCS may include
a controller, cache memory, code generator, a set of interfaces, a
set of databases (including protocol specifications and
components), and a collection of components. These components may
be protected by an operating system. There are usually two types of
allowable access to the PCS: administrative access and user access.
Users may access the PCS to request operations, such as the
execution of a protocol or addition of a protocol specification or
component. Administrative access may be granted to a few legitimate
users for administrative and maintenance tasks, such as registering
users, registering a trusted site and changing the configuration of
the system (e.g., audit policies). In highly secure environments,
administrators may also be classified into several levels according
to the environment requirements, such as supervisor, backup only
and users' management administrator.
[0155] The controller often serves as the core of the PCS. It is
generally responsible for the coordination of the internal
activities of the system. To maintain the integrity of the system,
all types of accesses to the internal subsystems should be limited
to the controller. The controller is typically responsible for
receiving protocol invocation requests, verification of user's
access privileges, configuration management, storage of
specification and components, protocol code creation or removal,
loading or terminating the execution of a protocol, and auditing
operations. Requests for system services may come to the PCS from,
for example, a user, the operating system, an application or a
network.
[0156] The controller may also be responsible for authenticating
users to access protocols or modify databases (e.g., for
registering, adding or deleting a specification or component). To
achieve this task, the controller may need to consult internal or
external user directory services and access lists determined by the
PCS configuration.
[0157] Management of the configuration information may also be part
of the responsibility of the controller. Only a supervisor
administrator is generally allowed to change the configuration
information. Configuration information may include time
synchronization source, host identity and address, administrator
contacts, maximum disk quota allowed for various system databases,
audit policies, and access information to external databases (e.g.,
locations, user accounts, and access methods).
[0158] Important roles of the controller include audit and I/O
management. Audit logs may be important for problem analysis and
security investigations. I/O services may include handling and
protecting inter-process communication, as well as communicating
with network interfaces. The interfaces with the execution layer
may also maintain their own logs of activities.
[0159] The cache memory is basically a temporary memory that may
used by the PCS to improve the efficiency of the system. Copies of
frequently used protocols, components or security related
information (e.g. keys and passwords) may be temporarily stored in
this cache to reduce preparation time and to speed up execution of
protocols.
[0160] The code generator may include two processors: an XSLT
processor and a compiler. The code generator may act on behalf of
the implementation layer. The XSLT processor may take as input an
XSLT stylesheet for a specific programming language and an XPSL
protocol specification. The XSLT processor may output source code
in the language specified in the XSLT stylesheet. The compiler may
convert the source code from the XSLT processor into executable
code for the protocol.
[0161] The interfaces subsystem may be responsible for facilitating
the communication between the external world and the PCS. Multiple
types of interfaces (e.g., a user, application, operating system,
network, etc.) are often needed. Breaking down the communication of
the PCS with the external world into specific interfaces may
improve evolution and the scalability of the system. Evolution may
be improved by replacing an old version of an interface with a
newer one. Scalability may be improved by adding new interfaces as
needed (e.g., when a new network driver appears).
[0162] A difference between the user interface and the application
interface is that the former may be used for the manual access to
the system. The latter may be used for automated access. For
example, a system administrator who wants to make changes in the
system needs a user interface. However, an application that needs
to query the system or invoke the execution of a protocol requires
an application interface. The operating system interface is
typically responsible for coordinating the execution of protocols
with the operating system. The network interface is often
responsible for remote management of the PCS and for retrieving
specifications and components from remote sites.
[0163] The database subsystem may manage information needed for the
operation of the PCS, such as, though not limited to, users'
accounts, access list, secret keys, certificates, XPSL protocol
specifications, components, administrative accounts, trusted
providers, and a registry. To save system resources, some of these
databases may be maintained externally (e.g., LDAP, UDDI, iPlant,
and Active Directories). Thus, the PCS may consult these
directories and retrieve information as needed. The choice of an
external or internal database is part of the configuration process
of the PCS; such information may be saved as part of the
configuration information.
[0164] Preferably, the present invention uses an access list and a
registry. These two databases tend to be specific to the PCS
operation. The access list defines the access permission that each
user has to each object (XPSL specification or component) in the
system. Each user may have four types of permissions: read (R),
write (W), execute (E), and delete (D). A user may also be assigned
to a combination of these permissions. FIG. 12 shows an example of
an access list. The "*" in the last row of the table stands for
"others." A value of "1" in the table indicates permission and
value of "0" indicates denial. FIG. 13 shows an example of a
Unified Modeling Language (UML) entity class diagram for the access
list.
[0165] The second database can be the registry. This database may
be used to register available objects (specifications or
components), their location, provider information, authentication
information, and expiration date. This registry can be updated in
two ways: automatically or manually. The automatic update may be
limited to adding new specifications or components through the
on-the-fly process of exchanging protocol specifications. Deleting
an object from the registry may be limited to legitimate users
(e.g., Administrator). Legitimate users may be allowed to access
this registry manually and update it. FIG. 14 shows an example of
records in the registry database.
[0166] A registry record may include, inter alia, an object id,
object location, identity of a user who registered the object,
identity of a provider who created the object, a signature value
(e.g., in binary format), and an expiration date and time for the
use of the object. FIG. 15 shows a UML entity class diagram for the
registry database.
[0167] Every component may be an executable program having a design
based on CBSE principles. A component can be designed out of a
simple operation (e.g., encryption), or it could comprise several
components as a compound component (e.g., security envelope). A
component may be shared by more than one XPSL protocol
specification. On one hand, for example, an RSA encryption
algorithm can be a single component. Such a component may be used
in a single protocol several times, as well as being shared by many
protocols. On the other hand, a component may also comprise several
subcomponents. For instance, a security envelope component may
include a header processing subcomponent, a MAC subcomponent and an
encryption algorithm subcomponent.
[0168] The set of all needed components may not need to be stored
in every PCS system. Communicating parties can download a code of a
component from one system to another if a code is needed but
missing from one of the systems. Moreover, components that are
needed for a short time period or by a certain process can be
deleted from the system after their use. Furthermore, upgrading a
component may be easier than upgrading a version of a protocol in
the traditional sense. This same concept may also apply to the XPSL
specification of protocols, which can be downloaded from one user
to another or from a trusted center to the user for temporary usage
or for an upgrade.
[0169] To protect these components from malicious alteration, they
may need to be signed by their authors and checked by the PCS
system before being added to the system. As portrayed in FIG. 3,
trusted third parties, such as trusted component providers, may
place the components in public repositories on the Internet so that
users may pull them when needed. Newer versions may also be pushed
from trusted providers to subscribed users to keep their systems
up-to-date.
[0170] Every component may have an interface that specifies its
parameters and types. This interface should be published with a
description of the component operations so that protocol designers
can understand it and use it. Developing interfaces and defining
conventions for components, names and functions may be, however,
essential for compatibility and interoperability among components
in the framework. This development can be achieved in two
ways--either by standards development committees or by the fact
that a component becomes widely available because a major vendor
with global reach supports it. A component should not have several
names on different machines because this aspect may create
confusion and may prevent PCS systems from locating the correct
component. Moreover, duplicates can occur because the PCS may
contain several instances of the same components but with different
names.
[0171] Data objects may also be considered components in the
system. Such data objects may be used during the process of writing
of protocol specifications. Additionally, such data objects tend to
be used to hold values that are common among several components,
such as time, security keys, sequence and random numbers, and
header information.
[0172] One objective of the operation of the PCS is to integrate
the layers of the Meta-Protocol framework. Each layer of the
framework may be implemented through at least one call for an
operation as follows: [0173] 1. At least one call for negotiating
an operation; [0174] 2. At least one call for retrieving a
specification or a component; [0175] 3. At least one call for
generating protocol code (XSLT processing and compilation); and
[0176] 4. At least one call for execution.
[0177] One way that a call may be performed is via a mechanism
within a layer as shown in FIG. 3. For example, a negotiation
mechanism may negotiate a protocol specification. A delivery
mechanism may retrieve a specification or a component. A
machine-readable protocol specification converter may generate
protocol code. An executable system code manager may conduct
execution.
[0178] FIG. 16 illustrates a UML activity diagram for a PCS
operation. This diagram describes how the four layers of the
framework can be integrated via implementation of the four calls
mentioned above. For simplification purposes, FIG. 16 does not show
all the error controls and security checks. Examples of security
checks not shown in the diagram include (1) checking user authority
to use a protocol, (2) checking authority to access a component and
(3) verifying the integrity of the protocol specification and its
components.
[0179] To exemplify how a PCS may operate, one may consider a
typical scenario that starts with a request to run a protocol. The
PCS checks locally for the protocol code. If that code is found,
the PCS sends that code for execution. If that code is not found,
the PCS looks for a specification, transforms the specification
into code, and sends it for execution. Otherwise, the PCS uses the
location information provided in the request to retrieve the
specification. Once the specification is downloaded, the PCS
transforms the specification into code and sends the code for
execution. The transformation of protocol specifications to code
requires the availability of the code of the components mentioned
in the specification. If there are missing components, the PCS has
to retrieve them from remote locations according to its internal
operational policies.
[0180] The minimum requirements for any user of the present
invention are usually the ISAKMP specification, its components and
an XML transformation stylesheet. Again, ISAKMP may be considered
the bootstrap of the present invention. Communicating parties may
be required to generate code for ISAKMP to be able to agree upon
the subsequent protocol they plan to use. Once that agreement is
established, the parties may proceed to download the specification
of the agreed-upon protocol, generate a code and start
communication by running the generated code.
[0181] Performance can also be a concern. While actual performance
may depend on the implementation of the present invention, some
architectural issues may be relevant to performance. In general,
the development process of components and protocols should generate
optimized code that has reasonable performance compared to
traditional protocols. For example, if a specification specifies
the services of an SSL protocol, the present invention should be
able to generate an implementation of SSL with similar performance
characteristics as an implementation generated by traditional
means. The code generated by the PCS can be cached in memory for
reuse by similar calls to avoid the overhead of regenerating
it.
[0182] II. XPSL
[0183] A. Use of FSMs in Protocol Design
[0184] FSMs are commonly used for describing protocols. The
graphical representation of an FSM may serve as a visual aid to a
designer of a protocol. This representation can help in testing and
verifying the correctness of the design. An FSM may have a set of
states (represented by circles) and a set of transitions between
these states (represented by directed arrows connecting the
states). At each state, a set of events may occur. Each event may
trigger a transition out of a state. Before a transition occurs, a
(possibly empty) set of actions may be executed. One of the states
in an FSM is often designated the initial state. To portray an FSM,
as shown in FIG. 17, one may consider a Needham-Schroeder
authentication protocol (NSAP), which is a two-way authentication
protocol based on public key cryptography. A client may start the
process by using the public key of a server to encrypt his identity
and a random number, Na. The server may receive the message,
generate a random number, Nb, encrypt the concatenation of Na and
Nb using the client's public key, and send the message back to the
client. The server's authenticity may be verified if the client
successfully retrieves his Na. The client may return Nb encrypted
with the server's public key to prove his identity.
[0185] A pair of FSMs, one for each communicating party, may
specify a protocol. State activities and state transitions may be
coordinated between these two FSMs based on message exchanges. Each
state machine may keep track of its internal shared state. The
machine shared state may hold common information needed by
individual states, such as public or shared keys, user identities
and access permissions. The termination of the FSM or the final
state may be implicitly defined according to the execution
sequence.
[0186] B. XPSL XML Elements
[0187] An essential concept of the present invention is the use of
a domain-specific specification language in lieu of technical
natural language for the specification of protocols, as in IETF
RFCs. This approach may facilitate automatic protocol
implementation from specification. FIG. 18 shows the traditional
manual production process for protocols. The process can pass
through three stages: design, verification, and implementation. The
first two stages may produce a specification document. Standard
protocols (e.g., TCP/IP, FTP, SSL and IPsec) specifications may be
written in natural English (e.g., RFC). Programmers may have to
translate these documents into code.
[0188] As illustrated in FIG. 19, the manual design and
verification process of the present invention appear similar to the
traditional approach. However, the design process may use FSMs to
produce protocol specifications in XPSL. These specification
documents may have to be well-formed XML documents and may have to
comply with the rules specified in the protocol XPSL schema. If
both conditions are satisfied, the XSLT stylesheet may
automatically produce implementation for the protocol without human
intervention. Many different implementations in several programming
languages can be developed for the same protocol specification.
[0189] For a number of reasons, XML may be used as the basis for a
language, which may be called XPSL, to express the specification of
protocols. First, XML tends to be an open standard. Second, the
tools for handling and processing XML documents and its related
technologies are typically mature and widely available. Third, XML
is often programming language neutral. Fourth, the XSLT technology
usually makes it easy to transform an XML document into any
user-preferred programming language.
[0190] To specify a protocol executable by a machine under the
control of a program of instructions, preferably XPSL, several
types of XML elements may be utilized or added. For example, these
types include, but are not limited to and are without any
particular order, <protocol>, <first-state>,
<object>, <instance>, <state>, <action> and
<moveto>. FIG. 20 illustrates a tree structure of these XML
elements and their relationships with each other. The XML elements
are depicted in triangular brackets; the attributes of these
elements are shown in square brackets. It is important to note that
elements not designated as optional are preferably mandatory.
[0191] Referring to FIG. 21, as one embodiment, the basic
foundation of the present invention begins with three elements,
capable of being encoded in a tangible computer-readable medium
readable by a machine. Preferably, a first element used may be a
<protocol> element. The <protocol> element may serve as
a root element of an XML protocol specification document and is a
mandatory element according to the XPSL definition. It may also
serve as the parent element of the following elements:
<first-state>, <state>, <object>,
<instance> and <action>. It should be noted that both
<object> and <instance> tend to have a global scope and
may be used to prepare objects shared by the states of the
protocol.
[0192] A second element that may be added is a <first-state>
element. Typically a mandatory element, the <first-state>
element may be used to identify the starting state of an FSM. The
starting state generally serves as the state that produces the
"Hello" message to start a communication. This element should occur
only once in an XPSL specification given that an FSM can only have
one initial state. However, all other elements may have multiple
occurrences.
[0193] A third element that may be added is a <state>
element. The <state> element may describe different states of
a protocol. FIG. 22 illustrates an XPSL syntax for NSAP's client
state 3. A <state> element may not be able to be nested
inside another <state> element. Every state in an FSM ought
to be described by exactly one <state> element XPSL.
[0194] Staying with this embodiment, a protocol may include at
least one protocol specification written in XML. Moreover, a
protocol may include a description of a protocol specification
language (such as XPSL) specified in an XML schema.
[0195] Additionally, several elements may be added, and used, to
extend a machine-readable XPSL for specifying protocols and a
method of its integration, into a machine-readable tangible
computer-readable medium. A purpose of extension is to address
possible requirements of a general XML specification and the
process of generating executable code. Such extension may be
exemplified in FIG. 23.
[0196] Hence, a fourth element that may be added is an
<object> element. The <object> element may be used to
define data, such as messages, keys, constants and random numbers,
needed during protocol operations. Every object may have a name and
a set of fields. Every field may have a type attribute associated
with a <name> element as later described herein. Data types
may include, but are not limited to, predefined types, such as
Keys, Strings, Integers and Booleans. Objects may be passed as
parameters from one action to another. Exemplified in FIG. 24, an
object called SessionState is used to hold shared information
between states. Simply, there may not be any public information
unless it is defined as an object and passed as a parameter to the
actions of a state.
[0197] A fifth element that may be added is an <instance>
element. The <instance> element is similar to the concept of
instance in object-oriented programming; objects may represent
definitions of classes and instances may either be the actual
realization of the definition or hold actual data. An object may
have several instances, as needed. However, every instance may
represent one object and there may not be any shared information
among instances. For example, an object, called error-message, may
be used to create several instances of error messages as needed in
the protocol states. Every error message instance may hold
different error codes and an identification of the component that
generated the message.
[0198] FIG. 25 depicts an example of an error message
<instance> element. This element includes a name, a type and
at least one initial value. This example shows an instance named
error with a type CompLib.Error_message, and initial values
(0,0,null). The data type definition of this instance may come from
a component library called CompLib. This library may also provide
interface descriptions for each component to help developers
determine the initial values.
[0199] A sixth element that may be added is an <action>
element. The <action> element may define actions (e.g., calls
to components in a library) that take place inside a state. In some
cases, elements may be nested inside an <action> element.
These situations may occur when a component needs an instantiation
of a data object that was not passed to the state for temporary
local usage. For example, a seventh element, such as a
<moveto> element, may be added and nested inside an action in
various situations (e.g., branching out of a state before
completing all the actions in a state due to errors). FIG. 26 shows
a <moveto> element nested inside an <action> element.
This example shows that if the component CompLib.checkRcvSynAck
raised an error, the control flow will branch to an error state
instead of moving to the next action.
[0200] The <moveto> element may act as a switch-case
statement in a procedural programming language. This element may
provide the mechanism that controls the transitions from one state
to another. The <moveto> element may add an eighth element,
namely an <expression> element, serving as a logical
expression, and a ninth element, namely a <case> element,
serving as a list of cases. This logical expression may be
evaluated to produce a set of predefined values. A <case>
element may point to the next state for each possible value of the
expression. FIG. 27 illustrates the XML syntax for a <moveto>
element.
[0201] A <moveto> element may either be a child of the
<state> element or, again, a child of an <action>
element. Being a child of an <action> element can provide
flexibility for early branching out of the state before finishing
all the actions listed in the state. This feature can be useful if
an error or timeout is raised by some actions. However, when a
<moveto> is used as a child of a state, it may have to be the
last element in the state after all the actions.
[0202] As another example of an element nested in an <action>
element, FIG. 28 shows a case where a nested <instance>
element instantiates a random integer object that may be needed
locally by a component but was not passed to the state. State local
objects should be created locally. But, they should not be passed
as parameters to other states.
[0203] Referring again to the third element, as depicted in FIG.
20, a <state> element can have one of the following child
elements: <object>, <instance>, <action> and
<moveto>. A purpose of these elements is to express the
operations that may be performed inside every state of the FSM.
Typically, the branching out of a state is performed as the last
action in a state. However, in a case where an error exists,
branching may take place in the middle of the state. Developers
should anticipate such cases and place <moveto> elements
after the actions that raised such errors.
[0204] Furthermore, each <state> element may add an optional
tenth element called <arg>, as illustrated in FIG. 22. This
child element may describe external objects that are passed to the
state. The <arg> element may have a name attribute, the name
of the object to be passed to the state and may be followed by a
<type> element that describes the type of the object.
[0205] Moreover, XPSL and its method of integration may add an
optional, eleventh element that is used for identification purposes
for any of the above elements. This additional element may be
called a <name> element and may be designated as a single or
child element. For example, as shown in FIG. 20, the <name>
element may be used as a child element of the <protocol>
element to help identify the <protocol> element. The XSLT
processor may either ignore or replace the <name> element
with any other user-supplied identifier.
[0206] Writing down XPSL specifications may be generally perceived
as a manual process, as illustrated in FIG. 29. In this process, an
FSM may be mapped to a set of XML elements. As one embodiment of
the present invention, one process of writing down XPSL
specifications may follow this sequence: [0207] 1. Place the
<protocol> element as the root of the XPSL specification
document. [0208] 2. Add a <name> element as a child of the
<protocol> element to specify the name of the protocol.
[0209] 3. If needed, add a group of elements that prepare the
environment (e.g., define public objects as <objects> or
<instances>). [0210] 4. Add the <first-state> element
to specify the starting state of the FSM. [0211] 5. For each state
in the FSM, insert a <state> element. [0212] a. Inside each
<state> element, add a group of <action> elements to
perform the actions required by the state. [0213] b. At the end of
each state, add a <moveto> element to indicate the next
state.
[0214] XPSL may be stored in a tangible computer-readable medium
readable by a machine, as exemplified in FIGS. 30a and 30b. A
tangible computer-readable medium includes, but is not limited to,
CDs, DVDs, hard drives, floppy disks, random access memory (RAM),
read only memory (ROM), flash cards, memory cards, computer chips,
cache files, etc. A machine includes, but is not limited to,
computers, personal digital assistants (PDAs), phones, CD players,
DVD players, cameras, camcorders, etc.
[0215] C. Protocol Data Types
[0216] Every programming language often follows a specific approach
for defining syntax and semantics for data types. XPSL may adopt a
minimum common denominator to provide a unified approach to serve
the most popular programming languages. This aspect may be
addressed by two formats. First, XPSL may support six primitive
data types that are common in most programming languages: byte,
int, long, char, string and Boolean. FIG. 31a shows a comparison of
data types among several programming languages. FIG. 31b shows a
set of primitive data types chosen for developing XPSL protocol
specifications. Second, using an objected-oriented approach, new
data types may be defined in a component library when needed for an
XPSL specification.
[0217] D. Sufficiency of the Specification Language
[0218] The set of XML elements used in XPSL may be sufficient to
describe any FSM. For illustrative purposes, all elements of an FSM
are mapped into the XPSL specification, and the XPSL specification
captures the behavior of an FSM in terms of state transitions. For
instance, an FSM F is a tuple (S, s.sub.0, T), where S is a set of
states, s.sub.0 is the initial state and T is a set of state
transitions defined as T={(s, v, c, A) |s, v.epsilon.S, c.OR
right..OMEGA., A.OR right..THETA.)}. In addition, a transition (s,
v, c, A) is a tuple with two states (the "from" state s and the
"to" state v), a condition c from a set of conditions .OMEGA., and
a set of actions A from the set of possible actions .THETA.. The
condition c is a Boolean expression whose terms may include
occurrence of events (e.g., arrival of a message and timeout) and
comparisons including variables (e.g., window size) and constants.
Examples of actions include composing and sending messages.
[0219] The behavior of an FSM may be defined by the set of rules
that determine how the FSM moves from state to state starting from
the initial state s.sub.0. This behavior may be described by the
following algorithm: TABLE-US-00001 s s.sub.0 repeat if
.E-backward. (s, .nu., c, A) .di-elect cons. T | (.nu. .noteq.
null) (c = true) then s .nu.; execute actions in A else stop
forever
[0220] This algorithm may start execution from the initial state
s.sub.0, the current state s at the beginning. Then, all
transitions (s, v, c, A) out of the current state may be examined.
The one for which the condition c is true may trigger a state
transition to state v. Before moving to the next state, all actions
in the set A ought to be executed. The next state should then
become the current state s. The process may repeat itself until a
terminal state (i.e., a state with no outgoing transitions) is
reached.
[0221] FIG. 32a exemplifies a common pictorial view of an FSM
indicating the possible transitions between state s and states
V.sub.1, . . . , V.sub.m. The labels alongside each transition show
the condition c.sub.i that may trigger the transition and the set
of actions A.sub.i carried out when the transition takes place.
[0222] FIG. 32b illustrates a behaviorally equivalent pictorial
representation. The decision on what state to move to and the
corresponding actions to execute may be shown "inside" the state
circle and not along the transition arc. Yet, the behavior should
still remain the same. The design of XPSL may be based on the
pictorial representation of FIG. 32(b), which is generally
equivalent to the FSM representation of FIG. 32(a).
[0223] An FSM may be described with a tree of XML elements as in
FIG. 33. The initial state s.sub.0 of an FSM is preferably mapped
to a <first-state> element and every state in the FSM may be
mapped to a <state> element. Every <state> element may
have two child elements: a <name> element to identify the
state and a <moveto> element that specifies the process of
evaluating the conditions and executing the actions associated with
each state. The <moveto> element may have two acceptable
types of child elements: a single <expression> element and as
set of <case> elements. Each <case> element preferably
corresponds to a transition in the set T in the FSM in which the
"from" state is the state identified by the <name> element
and the "to" state is specified by the <case> element.
[0224] Because an FSM may have limitations for describing the
behavior of programs, the XML tree referenced in FIG. 33 should be
extended to address the requirements imposed by the general XML
specification and the process of generating executable code. To
address these requirements, four XML elements may be added to XPSL:
a <name> element to identify the implementation of the
protocol, <object> and <instance> elements to define
data objects, and an <arg> element to define data objects to
be passed to states. Basically, an executable code needs a name to
identify the resulted code. Therefore, a <name> element may
be added to the specification to identify the generated executable
code. This <name> element may be placed as a child of the
<protocol> element. Now, since an FSM does not explicitly
express data objects, the <object> element may be added to
express the types and structure of the data involved in the FSM. In
addition, according to the object oriented programming approach,
instances tend to be created out of data objects during the
execution to hold the actual data. Therefore, an <instance>
element may be added to address this requirement. Furthermore, to
control the scope of access of objects in the different states, an
<arg> element may be added as a child of the <state>
element. One purpose of the <arg> element is to facilitate
passing data objects to states. FIG. 20 shows a full XPSL as per an
aspect of the present invention. FIG. 20 also shows that
<action> elements may be allowed under the root element
before the <first-state> and under the <state> element
before <moveto>. The reason for such design choice is to
allow for code optimization. The actions that are placed in these
positions are usually common actions required by the protocol or by
a state, which result in reducing the repetition of the shared
code.
[0225] E. The XML Schema for XPSL
[0226] It is favorable to have an XML schema to enforce XML
protocol rules. This schema may be used to validate the syntax of
protocol specifications. Generally, the schema prevents developers
of XPSL specifications from introducing illegal elements. The
schema may also help developers find any missing mandatory
elements, such as the <first-state> element, before they run
a transformation. The XPSL schema for protocols described using
FSMs can be found in the Computer Program Listing Appendix. FIG. 34
shows the steps required to check a protocol specification.
[0227] For each element or an attribute in an XPSL protocol
specification, there tends to be a corresponding definition or
constraint that controls the content of the specification. FIG. 35
highlights the main segment of XPSL's XML schema. Referring to this
drawing, the first two lines declare the XML and schema versions
followed by the definition of the protocol root element. The root
element may contain a <name> element and five references.
Each reference may define the allowed content and its cardinality.
The min0ccurs and max0ccurs constraints may define how many times
an element could appear in a protocol specification.
[0228] The definitions in FIG. 35 show that a protocol
specification may have zero or more objects. Similarly, instances
and actions may occur zero or more times. However, as a preferred
embodiment, the <first-state> element needs to appear exactly
once. Moreover, as another preferred embodiment, the <state>
element must appear at least once. Otherwise an error may be
signaled.
[0229] FIG. 36 exemplifies a definition of an <object>
element. This definition indicates that if an <object>
element exists, then it should have a <name> element and at
least one <field> element. The value in the field element may
indicate the name of the field. The field may also have a required
attribute that indicates its type. If the value or attributes is
missing from the XPSL specification, the XML Schema checker may
raise an error. Typically, the XML Schema checkers enforce the
permitted data types (e.g., string, int, byte) for a field.
[0230] III. Automatic Code Generation
[0231] To transform XPSL protocol specifications into code, XSLT
may be used. In some cases, only one XSLT is needed to transform
the protocol specifications in a given programming language. Every
element in an XPSL specification may cause the XSLT processor to
produce the required code. An XSLT spreadsheet may be developed to
produce Java code from any XPSL protocol specification. This
spreadsheet may also be used on several XPSL protocol
specifications. For example, Sun Microsystems' XML Pack, which
includes an XSLT transformer and an XML Schema checker, may be
used. XSLT rules and filters may be used to identify different XML
elements, convert them to their corresponding program code and lace
them in the proper XSLT output tree. Every programming language
tends to require its own XSLT transformation sheet. Once that sheet
is available, any protocol specification written in XPSL may be
transformed to that language and compiled in an appropriate system.
Code for an XSLT spreadsheet may be found in the Computer Program
Listing Appendix.
[0232] As a demonstration, FIG. 37 shows the steps required to
generate a protocol implementation from an XPSL specification.
Using this approach, any system on the Internet with the proper
XSLT stylesheet may be able to download an XPSL specification and
use the stylesheet to produce code in the preferred programming
language, compile it and run it. For instance, sixteen templates
may be used in the Java XSLT stylesheet to transform XPSL
specifications to Java code. The XML specifications, the Java XSLT
stylesheet and the XML schema that were developed for validation of
the XML specifications may be found in the Computer Program Listing
Appendix.
[0233] A. The Stylesheet Structure
[0234] Producing Java code may require writing a main program and a
set of classes. The main program is typically responsible for
starting the execution. Classes may correspond to either objects or
states. Thus, the first few lines in the stylesheet tend to
describe the XML version, the stylesheet version, the XPSL name
space, and the type of output. FIG. 38 displays such description.
The main template can be used to determine the stylesheet's
structure. This main template may push to the output a header for
the main Java program and may call five other templates:
(1)/protocol/name, (2) action, (3) first-state, (4) object and (5)
state template. In addition, FIG. 38 also shows declarative
instructions and the main template of the stylesheet. From among
all templates, which may be found in the Computer Program Listing
Appendix, favorable examples include <first-state>,
<object> and <instance>.
[0235] The <first-state> template often serves as a trivial
template that produces the name of an entry point of the state
machine. This template may be called once from the main template of
the stylesheet. Therefore, as portrayed in FIG. 39, the main Java
program may only have one class to call.
[0236] The <object> template typically produces code for data
objects. As shown in FIG. 40, this template may produce a Java
class that defines an object interface and a construct for the
instantiation of the data members. This template may be called from
the main template or from any state. If it is called from the main
template, the object may become a public object. However, if it is
called from within a state, it may become local to that state.
[0237] The <instance> template, referring to FIG. 41, may
cause the transformer to push Java code that corresponds to
instantiating an object. The data object, name, type and initial
values may be picked up from the XPSL specification and arranged
into the appropriate Java code.
[0238] FIG. 42 shows the template of an action. A goal of the
<action> template is to push out the interface statement of a
component as listed in the protocol specification. However, since
this element may be nested with other elements, the template may
have to test for three cases: instance, moveto or object. If none
of these cases exist, the default action may be listing the
interface of the component.
[0239] The <moveto> template may be responsible for producing
a Java switch statement for branching. This template generally
calls two other templates: (1) the test part of the Java switch
statement, and (2) the expected cases as presented in the protocol
specification. The first may be referred to as "expression,"
whereas the second may be referred to as "case." FIG. 43 identifies
an example of a <moveto> template.
[0240] The <state> template is similar to the main template.
Every <state> template may represent a state of an FSM. Every
state may consist of a set of objects, instances, actions, and
should end up with a <moveto> statement. The <state>
template may produce a Java class that corresponds to an FSM state.
Typically, the <moveto> statement comes toward the end of the
state to determine the next state. However, in some cases (e.g.,
errors) control flow may branch earlier. Such cases should be
expected by the developer of the protocol specification. Therefore,
the <moveto> statement should be embedded inside an
<action> statement. Otherwise, the sequence of operations may
be faulty. FIG. 44 shows an example of a <state>
template.
[0241] B. Protocol Components
[0242] Generally, every component has an interface that specifies
its parameters and their types. This interface should be published
with a description of a component's operations so that protocol
designers can understand and use it. Developing interfaces and
defining conventions for component names and functions may,
however, be essential for compatibility and interoperability among
components in a framework. These actions may be achieved either by
standard development committees or by the fact that a component
becomes widely available because of a major vendor with global
reach it supports. A component should not have different names on
the same or different machines because doing so may prevent the
execution layer of the present invention from locating the correct
component.
[0243] Data objects may also be considered components. Such data
objects may be used during the process of writing protocol
specifications. Furthermore, data objects are often used to hold
values that are common among several components, such as time,
security keys, sequence and random numbers and header
information.
[0244] C. Performance
[0245] An automatically generated implementation may perform
similarly to that of a manually generated one. Some performance
degradation should be tolerated given that the present invention
often provides an extra level of flexibility (e.g., on-the-fly code
generation for new protocols) not available in manually generated
implementations. It is likely that most performance concerns may be
handled if the components used in the implementation generated by
the present invention are optimized for performance. Further
performance optimizations may be obtained by caching already
generated code for reuse.
[0246] IV. Validation Experiments
[0247] Several experiments may be conducted to demonstrate the
feasibility of the present invention. For instance, XPSL may be
used to specify NSAP, TCP's three-way handshake, ISAKMP and SSL
cipher suite number 16 (SSL#16). Choosing protocols may provide
diversity in terms of protocol purpose (e.g., authentication,
transport, negotiation, location in the network stack, and
complexity). Except for NSAP, which is usually a simple theoretical
security protocol that has no practical use unless combined with
other security mechanisms (e.g., anti-replay), all other protocols
are often used widely in the Internet. Documentation of these
experiments may be found in the Computer Program Listing
Appendix.
[0248] Each experiment preferably has two parts: 1) specification
and automatic code generation and 2) execution and verification of
the resulting code. These experiments may be designed to test four
qualities of the framework: completeness, consistency, correctness,
and flexibility. A complete sequence of operations typically
includes negotiation, delivery, automatic code generation, and
execution. To demonstrate the consistency of the framework, four
experiments may be developed according to the Meta-Protocol
framework, where an XPSL specification is preferably written for
these protocols. This specification may be shared between two
remote parties for generating code. ISAKMP's Base Exchange may be
used for the negotiation to determine the required subsequent
protocol (e.g., the SSL#16).
[0249] The correctness of the framework may be validated by testing
the correctness of the XPSL specification, the XSLT stylesheet, and
the generated code. The correctness of the generated code may be
verified by compiling and running the code and checking its output
(e.g., values, formats and sequence of messages). Several test
cases may be designed to provide adequate coverage of the main
paths of the protocol operation. The results of these tests showed
that the four protocol implementations compiled correctly and
performed according to their specifications.
[0250] The flexibility aspect of the framework may be demonstrated
by introducing changes into the XPSL specification, such as
replacing some components with others that perform different
functionality, changing the order of operations, or inserting
additional operations into the sequence. In the ISAKMP Base
Exchange (BX) experiment, the MD5 secure may be replaced with a
Secure Hash Algorithm (SHA). In the SSL experiment, a Data
Encryption Standard (DES) encryption may be replaced with
Triple-DES (3DES). These changes may require modification of a
single line in the XPSL specification. The code generated through
the Java XSLT stylesheet may be tested and found to run
correctly.
[0251] A. The NSAP Experiment
[0252] Two processes are generally needed: one for the client and
one for the server. The network support may be simulated in the
form of files. A process writing to a file may be considered as
sending out data to a communication channel. Message receiving
events is typically manual. The process may be designed to pause
for input when entering every state to give the user the control to
coordinate between a client process and a server process. FIG. 45
shows partial Java code of the NSAP, where the code shows Java
output of the transformation of the object SessionState.
[0253] The generation of the NSAP code typically requires four
components developed specifically for NSAP, as well as several
other generic components, which are not limited to NSAP and could
be shared by many protocols. These specific components include:
ComposeNSAClientMsg, ComposeNSAServerRes, DecomposeNSAClienMsg, and
DecomposeNSAServerRes. Examples of generic components include
Encrypt, Decrypt and Generate_Int_rand.
[0254] B. The TCP Handshake Experiment
[0255] As one embodiment, this experiment requires a single process
because the FSM for TCP given in RFC 793 recommends the use of a
single FSM that combines the client and server operations.
Therefore, the XPSL protocol specification and the XSLT
transformation may produce code that works on behalf of either a
client or a server. However, two error states may be added to
demonstrate their flexibility.
[0256] An example of a TCP Handshake FSM diagram is illustrated in
FIG. 46. It includes 13 states. The final state is the ESTAB, where
actual data transfer starts between two parties. The first party (a
sender) starts a handshake by sending a message containing a SYN
bit on and a sequence number. The sequence number is a random
number. In this experiment a fixed number is used to simplify
readability and verification of the changes. Therefore, the
sender's sequence number starts at 3000, and the server's sequence
number starts at 5000.
[0257] As seen in FIG. 46, the second party (a receiver) receives
the SYN message, sends back an ACK message, and moves to a SYN-RCVD
state. The ACK message consists of an ACK bit set and two sequence
numbers: a new sequence number and the received sequence number
after increasing its value by one. When the first party receives
the ACK message, it compares the values of its previous sequence
number with the received number to verify that both are in sync. If
this verification process succeeds, the first party sends another
ACK message. In this message, both sequence numbers are advanced by
one. If the second party succeeds in receiving and verifying the
sequence numbers, the handshake is complete and the data transfer
starts. This process may be called "3-way handshake" because it
requires three messages to complete the handshake.
[0258] The following Table 1 outlines the commands for the FSM
diagram for the TCP handshake, as illustrated in FIG. 46.
TABLE-US-00002 TABLE 1 Identifier Commands for FSM diagram for TCP
Handshake Identifier Command 4602 Passive open; create TCP Control
Block (TCB) 4604 CLOSE; Delete TCB 4606 SEND; Send SYN 4608 Active
open; create TCB; Send SYN 4610 CLOSE; Delete TCB 4612 Receive SYN;
Send SYN, ACK 4614 Receive SYN; Send ACK 4616 CLOSE; Send FIN 4618
Receive ACK of SYN; x 4620 Receive SYN, ACK; Send ACK 4622 CLOSE;
Send FIN 4624 Receive RIN; Send ACK 4626 Receive ACK of FIN; x 4628
Receive FIN; Send ACK 4630 CLOSE; Send FIN 4632 Receive FIN; Send
ACK of FIN2 4634 Receive ACK of FIN; x 4636 Receive ACK of FIN2;
x
[0259] Two data objects and five components have been designed
specifically for this experiment. The first data object may be used
to maintain the state of the process. One of its functions is to
hold public information: sequence numbers and port numbers. The
second data object may be used to construct a TCP datagram. The
components may be designed for composing and sending TCP datagrams
(sendDatagram), checking the received sequence number
(checkAckofSYN and checkRcvSynAck), receiving TCP datagrams and
decomposing its information, and printing out datagram information
(for testing purposes). TCP datagram fields that have no role in
the handshake tend not to be implemented (e.g., URG, data offset,
and options).
[0260] One example of state transition and exchange of messages to
set up a handshake is shown in FIGS. 47a and 47b, respectively. In
this exchange, the client starts by sending a SYN message with a
SYN bit on and a sequence number of 3000. The server responds with
both SYN and ACK bits on, a new sequence number of 5000, and a
received sequence number after incrementing it with one. To
complete the handshake, the client verifies the numbers and sends
back an ACK message and incremented sequence numbers. FIG. 47a
shows the branch numbers that the sequence of operations follows,
along with the state names. FIG. 47b shows the message contents at
each transition. Another scenario is shown in FIGS. 47c and 47d to
demonstrate the transition in case an error is introduced in the
SynAck message.
[0261] The user may be required to run the code twice to develop
client-server interaction scenarios on a single machine. This
experiment may be more difficult to run and synchronize manually.
Therefore, to lessen the difficulty, a testing result sheet showing
the expected results for each sequence to be compared with the
results obtained in the experiment may be used. For instance, the
branches may be labeled with numbers. The user may be prompted
during the experiment to choose a branch. FIG. 48 shows an XPSL
specification of the first state, the closed state. This state may
receive two objects as input parameters. The first object may be
called tcb and may maintain the state information of the process.
The second object may be an error message requesting the code to be
returned. The description of the error message may occur inside the
state. The first action in this state may be inserting Java code.
This code may be inserted temporarily for the purpose of manual
synchronization. Based on this action, the user may choose one of
the two branches that the state can move to. This move may be
expressed using a <moveto> element. In the first choice, a
set of actions may initialize a TCP datagram with proper
information and may move to synsent state. However, in the second
choice, the control may flow to the listen state without changing
the state of the machine. The XPSL specification of the TCP
Handshake may be found in the Computer Program Listing
Appendix.
[0262] The same XSLT stylesheet used in the previous two
experiments may be used again to generate Java code. Being able to
generate correct code for the three experiments using the same XSLT
stylesheet may help demonstrate the power of the XSLT
transformation. FIG. 49 lists Java code that may correspond to the
specification presented in FIG. 48.
[0263] C. ISAKMP Experiment
[0264] ISAKMP may be used to implement the negotiation layer of the
Meta-Protocol. Once again, FIG. 7b shows an example of an FSM
diagram of ISAKMP Base Exchange. Based on this diagram, two XPSL
specifications may be developed: one for an initiator and the other
for a responder. In addition, components and objects needed for the
actions taking place in each of the FSM states were developed.
Fourteen new components and five new objects may be added to a
component library to implement ISAKMP.
[0265] Referring to FIGS. 7a and 7b, the initiator may start by
sending a set of proposals. The responder may select one of the
proposed protocols and notify the initiator. In the remaining
states, both could exchange identification and security-based
information to close the agreement.
[0266] A comparison between a list of components and objects used
in the initiator (i.e., ISAKMP initiator), as exemplified in FIG.
50, and the list mentioned in the XPSL specification for ISAKMP, as
depicted in the Computer Program Listing Appendix, shows a high
rate of reuse of components. It also may show that a component can
be used several times within a protocol, as well as being shared by
other protocols. For example, the Error State component is used in
every state, the SendUDP component is used in states 1 and 3, and
CreateNewFile is used in the states 2, 3, and 4. In addition, other
components, such as GeneratIntRandomNumber and HashingStringMD5,
may also be used.
[0267] In the first state of an ISAKMP session, the initiator
receives some input parameters from an application: destination IP
and port, a secret value to be used in generating cookies, and
initiator private, and public RSA keys. These values may then be
passed inside an object called ISAKMPFSM. This object may hold all
the variables that are publicly required by all the states during a
session. FIG. 51 illustrates a data structure of the
ISAKMPFSMobject.
[0268] A goal of the initiator, in the first state, is to prepare a
proposal and send it to the responder. This proposal may consist of
three parts: payload header, proposed protocol name and location.
Again, an example of an ISAKMP initial message may be viewed in
FIG. 8. Five components are used to build the client message in the
first state: HashingStringMD5, BXcomposeMainHeader,
CompLib.BXcomposeProposals, GeneratIntRandomNumber, and
BXcomposePayload. The names used for these components indicate
their functionality. FIG. 52 shows a Java class that may perform
the operation of composing an ISAKMP main header. In this
operation, the nine fields of the header may be concatenated into a
string of bytes. These fields may have a fixed length. Therefore
padding may be needed to adjust the length of each field to a
proper size. The resulting string of bytes may then be stored into
a file. The proposal payload and the nonce payload may be prepared
similarly. When this process is complete, the initiator may send
the main header and the payloads to the responder. The UDP protocol
may be used for the exchange of these messages in ISAKMP.
[0269] A Java class for the send operation, SendUDP, may be
represented in FIG. 53. This operation may take as input an array
of bytes, the length of the array, destination IP address, and
destination port number.
[0270] The responder XPSL specification may work similarly compared
to that of the initiator but in reverse order. For example, when
the initiator sends a message, the responder should receive that
message. Most action components are shared by both parties.
However, there tends to be two main differences, namely the values
they process and some context-specific operations. For instance,
cookies and nonces are prepared by the same components (e.g., MD5
and random number), but their values vary because they are
generated by two different processes with different input values
(e.g., IP address and port numbers for cookies). Examples of
context-specific operations include, but are not limited to,
preparing proposal payloads and preparing selection payloads. The
proposal payload operation may be performed by the initiator; the
selection operation may be performed by the responder.
[0271] D. The SSL Experiment
1. SSL Handshake Experiment
[0272] In this experiment, two processes may be used to represent a
client and a server. The user may also be required to synchronize
between the two processes manually. The experiment can be limited
only to the Handshake protocol. The Record layer protocol and the
Alert protocol are generally not part of the experiment. Therefore,
the process should stop after generating the shared keys, composing
the Finish message and delivering it to the record layer protocol.
The record layer protocol may have to use the negotiated set of
keys to apply crypto operations and add an SSL header. Also,
limited error checking may be implemented. Moreover, the client and
the server may read the RSA keys from local files.
[0273] Generally, SSL handshake has three objectives: a client and
server need to agree on a set of crypto algorithms to be used to
protect traffic, agree on a set of shared keys and authenticate
each other. The last objective is optional and may be used to
authenticate a server to a client. The SSL specification may
provide about 32 options for the first objective. Each option may
represent a set of algorithms. An example of an option is:
TLS_RSA_with_DES_CBC_SHA.
[0274] As per one aspect of the present invention, the SSL
handshake process follows the following sequence: [0275] 1. A
client sends a Hello message to a server. This Hello message
contains the client's supported ciphers suite and a random number.
[0276] 2. A server responds with a Hello message, a digital
certificate and a ServerHelloDone message. The server Hello message
contains the chosen set of ciphers and a random number. The
ServerHelloDone is a single byte message indicating that the server
has sent all the messages to be sent at this phase. [0277] 3. The
client sends a KeyExchange message, a ChangeCipherSpec message and
a Finish message. The KeyExchange message contains a
pre-master_secret (48 bytes consisting of two bytes of the client's
version number followed by 46 random bytes). The client uses the
server's public key to protect the pre master_secret. The
ChangeCipherSpec is a single byte message to indicate the switch to
protected mode. The client also calculates the set of shared keys,
which are also used to protect the Finish message. The Finish
message is produced by hashing all previous messages exchanged by
the client and server. [0278] 4. The Server uses the
pre-master_secret and random numbers to generate the shared keys.
The server sends a ChangeCipherSpec message and a Finish
message.
[0279] FIG. 54 shows a SSL Handshake sequence of messages in
notation form, and FIG. 55 shows embodied sequences of states in
FSM form. One way of performing this experiment is to develop 19
components to carry out operations. The calculation of the keys may
be done according to the specification given in RFC2246, TLS
protocol version 1.0.
[0280] The XPSL protocol specification may follow the sequence
shown in the FSM. The state of the machine is maintained in an
object called SessionState. FIG. 56 shows an XPSL specification of
the SessionState object of a client process. This object may
include version numbers, session id, the RSA keys file names, and a
set of shared keys to be used to protect the traffic of a
session.
[0281] FIG. 57 shows an XPSL specification of the first state of a
client process. Two parameters may be passed to this state: a
SessionState object and an Error_message object. The Error_message
object may be used to return an error code in case of error inside
the state. This state may start with the creation of an instance of
ClientHello object and initialization with proper values from the
SessionState object. A random number may be generated using the
component IntObject, which may return an integer random number. The
ClientHello message, which may be composed by the content of the
ClientHello object, may be sent to the server.
[0282] FIG. 58 shows the first state of an SSL server process. In
this state, another ClientHello object may be instantiated. A
component CompLib.SSLReadClientHello, may be used to read a
received ClientHello message and load its content to the
ClientHello object. The SessionState object may be updated
accordingly. For simplification, the code shown in FIGS. 57 and 58
may not include some actions used for synchronization and user
help. As one aspect, the XPSL specification for SSL is presented in
the Computer Program Listing Appendix.
[0283] The Java code corresponding to the specification shown in
FIGS. 57 and 58 is shown in FIGS. 59 and 60, respectively. This
code may be generated using the same XSLT Stylesheet used in the
three previously presented experiments.
[0284] The component library may provide a component, called
createKey, that generates a pair of RSA keys. Generally, this
component has to be executed before running the client and server
processes. It may take as input a) two file names, one for the
public key and the other for the private key, and b) a password to
protect the private key. These file names may have to be included
in the specification of the protocol before generating the code of
the experiment.
SSL #16 Experiment
[0285] Here, again, two processes may be used to represent a client
and a server. As one embodiment, the SSL record layer protocol has
to use the negotiated set of keys in the handshake phase to apply
the crypto operations and add the SSL header. The SSL may have 32
options, where each option may represent a set of cryptographic
algorithms. The operation may be limited to a single option:
TSA_RSA_with_DES_CBC_SHA. Moreover, 44 components including 9 data
objects may be developed to carry out the operations of SSL#16.
[0286] The experiment here is an extension to the SSL Handshake
experiment. Five new states may be added to the XPSL specification
used in the SSL handshake. FIG. 61 shows an expanded SSL FSM. The
states used in the handshake are shaded with diagonal lines and the
other states are clear. This part of the experiment also tends to
show how easy it may be to extend or shrink some protocol
specifications by simply adding more states or components or
removing them from the specification. FIG. 61 also shows this
sequence of operations in an FSM diagram.
[0287] An example of the XPSL specification for SSL#16 is listed in
the Computer Program Listing Appendix. Twenty-five components,
including 9 data object types, may be developed according to the
SSL specification RFC2246 to simplify demonstration and
verification. The list of components and data object types is among
the components library in the Computer Program Listing
Appendix.
[0288] It is important to note that this experiment ignores the
implementation of many checks (e.g., errors, resource availability,
or data types and ranges validations) because such checks may
complicate the experiment and verification process. However, one
skilled in the art would recognize that such features are needed in
real life, and would preferably include such checks to address real
life scenarios. In addition, except for the network (TCP),
interfaces to application and the operating system are not
implemented. TCP may be used to demonstrate that the experiment can
run over a network. However, to include these interfaces, a user
may manually manage such operations in the experiment.
[0289] Since the first four states of the SSL#16 have been
described in SSL Handshake, this section describes the remaining
five states. In these states, the client and the server may use
shared keys developed during the handshake to exchange application
data. These keys may be held in an object called SSLSessionState.
The structure of the SSLSessionState may be shown in FIG. 62 using
Java-like code. This data object may be instantiated at the
beginning of each session with null values. During the handshake
process the values may be generated and stored for later use by any
component during the session.
a. The Client Process
[0290] This experiment may implement a transfer of files from a
client to a server. Implementing the other way around is generally
straightforward and can be achieved in two ways: either by
switching the XPSL specification or adding the components that are
responsible for sending files to the XPSL specification of the
server. The client FSM, shown in FIG. 61, may have two loops at
states 5, 7 and 8. Each iteration of the first loop may be
responsible for transferring a single file. The second loop may be
responsible for fragmenting large file sizes (greater than 2 14).
However, when it is preferred to simplify the output of the
verification process, the second loop is not implemented. SSL#16
secure session may start the process of protecting application data
at state 5. At this state, the client may request a file name from
the user of the experiment. The file may have to be located in the
home directory of the experiment programs. At state 7, the client
may load the file, produce an SHA1 hash value, append the hash
value to the file, add the SSL header, encrypt the file using DES,
and send the encrypted file to the server. FIG. 63 illustrates the
list of actions in the XPSL specification of state 7. FIG. 64 shows
the format of an SSL packet that is prepared by the client for
transfer.
b. The Server Process
[0291] FIG. 61 and the Computer Program Listing Appendix show the
FSM and the XPSL specification of a server process, respectively.
After the handshake is complete, the server process may wait for
TCP connections. TCP listen socket may be implemented at state 5
through a component called TCPListen. The files received on this
socket may be sent by the client and may be encrypted. FIG. 65
shows a Java implementation of the TCPListen component. In state 6,
the received file may be decrypted, the TCP header and the hash
value may be striped out, and the hash value may be calculated
again by the server for comparison with the received value. FIG. 66
shows an XPSL specification of state 6. Java statements that are
embedded within the XPSL specification may be used for
simplification or for helping users of the experiments in verifying
the output.
[0292] Similar to the client process, a loop may be placed between
states 5 and 7. One purpose of this loop is to repeat the process
of receiving SSL protected files from the client. Human
intervention may not be needed. The loop may be indefinite until an
empty file is received from the client, which may indicate a
request for the end of the connection. It may not be necessary to
implement the process of assembling large files at state 7 because
the fragmentation process might not be implemented in the client
process.
[0293] E. The Components Library
[0294] Preferably, the present invention uses CBSE. To run these
experiments, a library that comprises all the necessary operations
may be developed. The library may contain about 86 components and
24 data objects. All may be written in Java and may follow the
object-oriented programming paradigm. Therefore, messages and data
structures are preferably designed as objects that are passed to
the components for processing. Moreover, objects that are shared by
more than one protocol (e.g., error message) may be implemented as
part of the component library for easier accessibility. Similarly,
objects that are shared by more than one component may also be
included as part of the component library (e.g., StringObject,
BytesObject and TCP diagram). The interfaces and brief description
of these components may be found in the Computer Program Listing
Appendix.
[0295] Most of the components have been developed for the purpose
of these experiments. However, some may wrap standard Java crypto
functions or modified pieces of borrowed code. The component's
interfaces and brief description may be provided in the Computer
Program Listing Appendix, which lists all the components that are
used by the three protocols: NSAP, TCP's 3-way handshake and SSL
Handshake. The information there may also indicate whether the
component is general, or specific to NSAP, TCP or SSL.
[0296] As an example, FIG. 67 shows an encryption component. This
component takes as input three file names and an RSA public key.
The first file name is for the file to be encrypted. The second
file name is for the encrypted file. The third file name is for the
public RSA key file name. This component uses the RSA public key to
encrypt a generated 3DES shared key. The generated 3DES shared key
may be used to encrypt the file. An objective is to send the
encrypted file along with the encrypted key to the owner of the
public RSA key. The owner of the RSA public key may use his private
key to decrypt the 3DES shared key and the file.
[0297] V. Related Work
[0298] Related work in the area of communication protocols may be
found in several research projects: x-kernel, Cactus, Ensemble and
the Click router. The x-kernel is an operating system communication
kernel designed to provide configurable communication services in
which a communication protocol represents a unit of composition.
The x-kernel architecture may be extendable. For example, Horus and
Coyote are extensions and applications of the x-kernel architecture
to the area of group communications. The present invention differs
from these research works in that none of them has proposed high
level protocol specifications so users may exchange and produce
implementations automatically.
[0299] In security protocols, the Conduits+framework has been used
to implement IPsec. Cactus is another framework that may be used to
implement a security system called SecCom. Conduits+ and SecComm
differ from the present invention in two aspects. The first aspect
is that the specification of the required configuration may be
transmitted through the header information of the messages. In
contrast, the specification of the present invention may be coded
in a separate document so that it may be transmitted independently
of the messages in a secure fashion. Second, the event-driven
approach in Cactus to activate components at runtime may add a
layer of delay to the system. In contrast, the sequence of
operations in the present invention may be predetermined before
runtime based on the specification of the protocol leading to the
efficient execution of the selected components.
[0300] Protocol implementations may be derived automatically from
abstract specifications in languages, such as SDL, Esterel,
Estelle, LOTOS, Promela++, SMURPH and Cicero. However these
languages follow a low level procedural programming paradigm.
Therefore, protocol developers need to work out all the details of
the operations of the protocols. Conversely, the present invention
tends to capitalize on CBSE to produce a high level specification.
Therefore, most of the details of the operations of a protocol are
usually hidden inside the components:
[0301] Automatic Protocol Generation (APG) work produces protocol
designs in an automated way. The APG process takes as input a set
of requirements and produces a set of proposed protocol designs.
Quite the opposite, unlike APG, the present invention may take a
design (i.e., the output of the APG process) and may convert it
into a specification used to automatically generate executable code
for a protocol.
[0302] Cryptographic libraries implement security services as
independent components. Examples of such libraries include IBM's
CCA, RSA's Cryptokit, Microsoft's CryptoAPI, Sun's JCA/JCE,
X/Open's GCS-API and Intel's CSSM-API. However, there is no high
level and easy way for producing useful valid compositions out of
these libraries. Resolving this issue, the present invention may
add a layer of mechanisms that facilitate the generation of useful
compositions out of these components.
[0303] UML is also used for the purpose of automatic code
generation. The UML approach differs from the technique taught by
the present invention in two aspects: 1) the present invention is
simple because it may depend on FSMs, which provide a simpler
graphical representation for protocols than UML diagrams, and 2)
the present invention may use XSLT to generate code automatically
from an XML-based specification, while UML code generation
solutions tend to be proprietary and are based on UML graphical
representations. It should be noted that XML Metadata Interchange
(XMI) may be used as a model interchange format for UMI, but it is
not part of the code generation process.
[0304] Related work that includes the use of XML to produce program
code, such as Libxm12, may also be found. In such works, an
instrument designer produces an XML document that describes the
instrument's services. This XML document may be used to produce a
user information document in HTML format and source code for the
instrument embedded services. Generally, the XML description is
just a listing of the services, where each service may be
associated with a piece of C code that is loaded from a library by
an XSLT transformer.
[0305] The present invention distinctly contrasts such works by
extending such works to the area of protocol implementations in
conjunction with the use of CBSE. The XML specification in the
present invention may be based on FSMs to provide a detailed
description of the flow of control, handling of data objects and
the set of operations.
[0306] FSMs have also been used to generate code for protocols. For
example, a C++ code skeleton for the flow of control of the
protocol may be generated directly out of the FSM diagrams. The
present invention is distinguishable from this technique in that
the present invention may encode FSMs in XML, allowing for
automatic code generation in any programming language.
[0307] The foregoing descriptions of the preferred embodiments of
the present invention have been presented for purposes of
illustration and description. They are not intended to be
exhaustive or to limit the invention to the precise forms
disclosed, and obviously many modifications and variations are
possible in light of the above teaching without departing from the
scope of this invention and its broader aspects. The illustrated
embodiments were chosen and described in order to best explain the
principles of the invention and its practical application to
thereby enable others skilled in the art to best utilize the
invention in various embodiments and with various modifications as
are suited to the particular use contemplated. For example, one
skilled in the art will recognize that the present invention may be
used in search engines, databases and docket systems. Additionally,
the present invention may also be used in banks, stock trades,
manufacturing of vehicles (e.g., cars, planes, boats, etc.),
production plants (e.g., paper mills, oil, etc.), human resources,
payroll, etc.
[0308] A portion of the disclosure of this patent document contains
material which is subject to copyright protection. The copyright
owner has no objection to the facsimile reproduction by anyone of
the patent document or the patent disclosure, as it appears in the
Patent and Trademark Office patent file or records, but otherwise
reserves all copyright rights whatsoever.
* * * * *