Methods and systems for network security using a cryptographic firewall
First Claim
1. A method for accessing network resources protected by a security device, comprising:
at a security device having one or more processors and memory storing one or more programs for execution by the one or more processors:
establishing a network connection with a client system;
after establishing the network connection, receiving from the client system a first packet, the first packet including:
an identifier,
a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, and
a first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed;
based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value, wherein the identifier and the seed are provided to the client system by the trusted data store based on authenticating the client system;
based on the first counter value being larger than the second counter value:
generating a second one-time password hash based on the identifier, the first counter value, and the seed;
determining whether the first one-time password hash and the second one-time password hash match; and
in accordance with a determination that the first one-time password hash and the second one-time password hash match, granting, to the client system, access to one or more network resources protected by the security device via the network connection.
Abstract
A method is performed at a security device. The method includes establishing a network connection with a client system. After establishing the network connection, the security device receives a first packet from the client system. The first packet includes an identifier, a first counter value, and a first one-time password hash generated by the client system. Based on the identifier received, the security device retrieves from a trusted data store the seed and a second counter value. If the first counter value is larger than the second counter value, the security device generates a second one-time password hash based on the identifier, the first counter value, and the seed. In accordance with a determination that the first and second one-time password hashes match, the security device grants, to the client system, access to one or more network resources protected by the security device via the network connection.
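The exchange the abstract describes, written out as an added example (not code from the patent or its assignee): the client builds the first packet from identifier, counter and seed, and the security device looks up the seed and stored counter by identifier, requires the received counter to be strictly larger, recomputes the hash and compares it. HMAC-SHA256 as the hash function, the dictionary-shaped trusted store, and advancing the stored counter after a successful check are assumptions, not details the claims fix.

```python
import hmac
import hashlib
import struct

# Constructed trusted data store: identifier -> seed and last accepted counter
# (the "second counter value" of the claims). In the patent's scheme the store
# provisions identifier and seed to the client after authenticating it; that
# enrolment step is assumed to have already happened here.
TRUSTED_STORE = {
    "client-A": {"seed": b"constructed-seed-for-client-A", "counter": 41},
}


def otp_hash(identifier: str, counter: int, seed: bytes) -> bytes:
    """One-time password hash over identifier and counter, keyed by the seed.

    HMAC-SHA256 is an assumed instantiation; the claims only say "hash".
    The counter is encoded as a fixed-width big-endian integer so that the
    message is unambiguous regardless of the identifier's length.
    """
    msg = identifier.encode() + struct.pack(">Q", counter)
    return hmac.new(seed, msg, hashlib.sha256).digest()


def build_first_packet(identifier: str, counter: int, seed: bytes) -> dict:
    """Client side: the first packet sent once the connection is established."""
    return {"id": identifier, "counter": counter,
            "otp": otp_hash(identifier, counter, seed)}


def security_device_check(packet: dict, store: dict = TRUSTED_STORE) -> bool:
    """Security-device side. Returns True only if access should be granted."""
    record = store.get(packet["id"])
    if record is None:
        return False  # unknown identifier: no seed to verify against
    # The received counter must be strictly larger than the stored one; this
    # rejects a re-send of an already accepted packet as well as older ones.
    if packet["counter"] <= record["counter"]:
        return False
    # Second one-time password hash, computed from the stored seed.
    expected = otp_hash(packet["id"], packet["counter"], record["seed"])
    if not hmac.compare_digest(expected, packet["otp"]):
        return False  # constant-time comparison; wrong seed or tampered packet
    # Assumption: advance the stored counter so this packet cannot be replayed.
    record["counter"] = packet["counter"]
    return True
```

A packet that fails any step leaves the stored counter untouched, so a forged packet with a high counter cannot lock out the legitimate client.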
20 Claims
1. A method for accessing network resources protected by a security device (independent claim; set out in full above under First Claim). Dependent claims 2 to 14 refer to claim 1.

15. A security device, comprising:
one or more processors; and
memory storing one or more programs for execution by the one or more processors, the one or more programs including instructions for:
establishing a network connection with a client system;
after establishing the network connection, receiving from the client system a first packet, the first packet including:
an identifier,
a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, and
a first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed;
based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value, wherein the identifier and the seed are provided to the client system by the trusted data store based on authenticating the client system;
based on the first counter value being larger than the second counter value:
generating a second one-time password hash based on the identifier, the first counter value, and the seed;
determining whether the first one-time password hash and the second one-time password hash match; and
in accordance with a determination that the first one-time password hash and the second one-time password hash match, granting, to the client system, access to one or more network resources protected by the security device via the network connection.
Dependent claims 16 to 19 refer to claim 15.

20. A non-transitory computer readable storage medium, storing one or more programs for execution by one or more processors, the one or more programs including instructions for:
establishing a network connection with a client system;
after establishing the network connection, receiving from the client system a first packet, the first packet including:
an identifier,
a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, and
a first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed;
based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value, wherein the identifier and the seed are provided to the client system by the trusted data store based on authenticating the client system;
based on the first counter value being larger than the second counter value:
generating a second one-time password hash based on the identifier, the first counter value, and the seed;
determining whether the first one-time password hash and the second one-time password hash match; and
in accordance with a determination that the first one-time password hash and the second one-time password hash match, granting, to the client system, access to one or more network resources via the network connection.
Specification