System for efficiently handling cryptographic messages containing nonce values in a wireless connectionless environment without compromising security

US 20030041265A1
Filed: 08/21/2001
Published: 02/27/2003
Est. Priority Date: 08/21/2001
Status: Active Grant

First Claim

Patent Images

1. A method of processing messages, comprising:

comparing a nonce value of a received message with a largest nonce value yet seen;

comparing said nonce value to an acceptance window in response to said nonce value not exceeding said largest nonce value yet seen; and

rejecting said received message in response to said nonce value falling outside said acceptance window.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for determining the validity of a received cryptographic message while ensuring for out-of-order messages is utilized to provide for secure communications among peers in a network. In particular, a secure communication module may be configured to accept the cryptographic message in response to a received nonce value of the received message is greater than the largest nonce value yet seen. Otherwise, when the received nonce value is not the largest nonce value yet seen, the secure communication module may be configured to compare the received nonce value with a nonce acceptance window. If the received nonce value falls outside the nonce acceptance window, the secure communication module may be further configured to reject the received message and assume that a replay attack has been detected. If the received nonce value falls within the nonce acceptance window, the secure communication module may be further configured to determine if the received nonce value has been seen before by comparing the received nonce value with a replay window mask. If the received nonce has been seen before, the secure communication module may be further configured to reject the received message and assume a replay attack. Otherwise, the secure communication module may be further configured to accept the message and add the received nonce value to the replay window mask.

54 Citations

View as Search Results

43 Claims

1. A method of processing messages, comprising:
- comparing a nonce value of a received message with a largest nonce value yet seen;
  
  comparing said nonce value to an acceptance window in response to said nonce value not exceeding said largest nonce value yet seen; and
  
  rejecting said received message in response to said nonce value falling outside said acceptance window.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, further comprising:
    - designating said nonce value as a nonce value seen in response to said nonce value exceeding said largest nonce value yet seen.
  - 3. The method according to claim 1, further comprising:
    - replacing said largest nonce value yet seen with said nonce value in response to said nonce value exceeding said largest nonce value yet seen.
  - 4. The method according to claim 1, further comprising:
    - adjusting an acceptance window based on said nonce value in response to said nonce value exceeding said largest nonce value yet seen.
  - 5. The method according to claim 1, further comprising designating said received message as a replay attack.
  - 6. The method according to claim 1, further comprising:
    - comparing said nonce value to a window mask value in response to said nonce value falling within said acceptance window; and
      
      rejecting said received message in response to an outcome of said comparison of said nonce value to said window mask value being true.
  - 7. The method according to claim 6, further comprising:
    - designating said received message as part of a replay attack.
  - 8. The method according to claim 1, further comprising:
    - comparing said nonce value to a window mask value in response to said nonce value falling within said acceptance window; and
      
      accepting said received message in response to an outcome of said comparison of said nonce value to said window mask value being false.
  - 9. The method according to claim 8, further comprising:
    - designating said nonce value as a nonce value seen.

10. An apparatus for processing messages, said apparatus comprising:
- a communication interface configured to transmit and receive a plurality of packets; and
  
  a controller, wherein said controller is configured to;
  
  compare a nonce value of a received message and a largest nonce value yet seen;
  
  compare said nonce value to an acceptance window in response to said nonce value not exceeding said largest nonce value yet seen; and
  
  reject said received message in response to said nonce value falling outside said acceptance window.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus according to claim 10, wherein said controller is further configured to designate said nonce value as said largest nonce value yet seen in response to said nonce value exceeding said largest nonce value yet seen.
  - 12. The apparatus according to claim 10, wherein said controller is further configured to adjust an acceptance window in response to said largest nonce value yet seen in response to said nonce value exceeding said largest nonce value yet seen.
  - 13. The apparatus according to claim 10, wherein said controller is further configured to replace said largest nonce value yet seen with said nonce value in response to said nonce value exceeding said largest nonce value yet seen.
  - 14. The apparatus according to claim 10, wherein said controller is further configured to designate said received message as part of a replay attack.
  - 15. The apparatus according to claim 10, wherein said controller is further configured to:
    - compare said nonce value to a window mask value in response to said nonce value falling within said acceptance window; and
      
      reject said received message in response to an outcome of said comparison of said nonce value to said window mask value being true.
  - 16. The apparatus according to claim 15, wherein said controller is further configured to designate said received message as part of a replay attack.
  - 17. The apparatus according to claim 10, wherein said controller is configured to:
    - compare said nonce value to a window mask value in response to said nonce value falling within said acceptance window; and
      
      accept said received message in response to an outcome of said comparing of said nonce value to said window mask value being false.
  - 18. The apparatus according to claim 17, wherein said controller is further configured to mark said nonce value as a nonce value seen.

19. A computer readable storage medium on which is embedded one or more computer programs, said one or more computer programs implementing a method of processing messages, said one or more computer programs comprising a set of instructions for:
- comparing a nonce value of a received message and a largest nonce value yet seen;
  
  comparing said nonce value to an acceptance window in response to said nonce value not exceeding said largest nonce value yet seen; and
  
  rejecting said received message in response to said nonce value not falling within said acceptance window.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - designating said nonce value as a nonce value seen in response to said nonce value exceeding said largest nonce value yet seen.
  - 21. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - replacing said largest nonce value yet seen with said nonce value in response to said nonce value exceeding said largest nonce value yet seen.
  - 22. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - adjusting an acceptance window based on said nonce value in response to said nonce value exceeding said largest nonce value yet seen.
  - 23. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - designating said received message as a replay attack.
  - 24. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - comparing said nonce value to a window mask value in response to said nonce value falling within said acceptance window; and
      
      rejecting said received message in response to an outcome of said comparison of said nonce value to said window mask value being true.
  - 25. The computer readable storage medium in according to claim 24, said one or more computer programs further comprising a set of instructions for:
    - designating said received message as part of a replay attack.
  - 26. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - comparing said nonce value to a window mask value in response to said nonce value falling within said acceptance window; and
      
      accepting said received message in response to an outcome of said comparing of said nonce value to said window mask value being false.
  - 27. The computer readable storage medium in according to claim 26, said one or more computer programs further comprising a set of instructions for:
    - designating said nonce value as a nonce value seen.

28. A system for processing messages in a peer-to-peer configuration, comprising:
- a first peer configured to provide secure communication;
  
  a second peer configured to provide said secure communication; and
  
  a secure communication module configured to be executed by said first peer and second peer, wherein said secure communication module is configured to;
  
  compare said nonce value to a filter in response to a nonce value of a received packet not exceeding a largest nonce value yet seen;
  
  compare said nonce value to a replay mask; and
  
  accept said received packet in response to said comparison of said nonce value and said replay mask being false.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
- - 29. The system according to claim 28, wherein said secure communication module is further configured to designate said nonce value as said largest nonce value yet seen in response to said nonce value exceeding said largest nonce value yet seen.
  - 30. The system according to claim 28, wherein said secure communication module is further configured to adjust said filter based on said largest nonce value yet seen in response to said nonce value exceeding said largest nonce value yet seen.
  - 31. The system according to claim 28, wherein said secure communication module is further configured to reject said received packet in response to said nonce value falling outside said filter.
  - 32. The system according to claim 31, wherein said secure communication module is further configured to designate said received packet as part of a replay attack.
  - 33. The system according to claim 32, wherein said secure communication module is further configured to reject said received packet in response to said comparison of said nonce value and said replay mask being true.
  - 34. The system according to claim 33, wherein said secure communication module is further configured to designate said received packet as part of a replay attack.
  - 35. The system according to claim 28, wherein said secure communication module is further configured to reject said received packet in response to said nonce value fails to fall within said filter and said secure communication module is further configured to designate said received packet as part of a replay attack.

36. An interceptor device for processing messages, said interceptor device comprising:
- a network interface;
  
  an expected sequence register configured to enumerate an expected sequence number of a packet received from a second network device;
  
  a memory configured to store a replay mask; and
  
  a controller, wherein said controller is configured to;
  
  compare said nonce value to a filter in response to a sequence number of a received packet via said network interface does not exceed a largest sequence number yet seen retrieved from said expected sequence register;
  
  compare said sequence number to said replay mask retrieved from said memory; and
  
  accept said received packet in response to said comparison of said sequence number and said replay mask is false.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43)
- - 37. The interceptor device according to claim 36, wherein said controller is further configured to designate said sequence number as said largest sequence number yet seen in response to said sequence number exceeding said largest sequence number yet seen.
  - 38. The interceptor device according to claim 36, wherein said controller is further configured to adjust said filter based on said largest sequence number yet seen in response to said sequence number exceeding said largest sequence number yet seen.
  - 39. The interceptor device according to claim 36, wherein said controller is further configured to reject said received packet in response to said sequence number falling outside said filter.
  - 40. The interceptor device according to claim 36, wherein said controller is further configured to designate said received packet as part of a replay attack.
  - 41. The interceptor device according to claim 36, wherein said controller is further configured to reject said received packet in response to said comparison of said sequence number and said replay mask being true.
  - 42. The interceptor device according to claim 41, wherein said controller is further configured to designate said received packet as part of a replay attack.
  - 43. The interceptor device according to claim 36, wherein said controller is further configured to reject said received packet in response to said sequence number falling outside said filter and said controller is further configured to designate said received packet as part of a replay attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TeleCommunication Systems Inc (Comtech Telecommunications Corporation)
Original Assignee
TeleCommunication Systems Inc (Comtech Telecommunications Corporation)
Inventors
Lagimonier, Todd, Voris, Jim

Granted Patent

US 7,856,660 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/0876   based on the identity of th...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 9/321   involving a third party or ...

H04W 12/02   Protecting privacy or anony...

H04W 12/041   Key generation or derivation

H04W 12/121   Wireless intrusion detectio...

System for efficiently handling cryptographic messages containing nonce values in a wireless connectionless environment without compromising security

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

System for efficiently handling cryptographic messages containing nonce values in a wireless connectionless environment without compromising security

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links