Out-of Band Authentication Method and System for Communication Over a Data Network

US 20090210707A1
Filed: 05/15/2006
Published: 08/20/2009
Est. Priority Date: 05/15/2006
Status: Active Grant

First Claim

Patent Images

1-22. -22. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for out-of-band authentication of messages transmitted, e.g. as packets, on a communication network, whereby a first stream of data is received by a sender control module from a sender; the first stream of data is transmitted over a first channel, e.g. a non-secure data channel, toward a receiver control module; the sender control module generates authentication data of the first stream of data; the authentication data are transmitted from the sender control module to the receiver control module on a second channel, e.g. a secure data channel, distinct from the first channel; and a stream of data received by the receiver control module is checked using the authentication data. Before sending the authentication data, the sender control module transmits a control message including synchronization data to the receiver control module over the second channel.

Citations

44 Claims

1-22. -22. (canceled)

23. A method for out-of-band authentication of data streams transmitted over a communication network comprising a sender, a receiver, a sender control module, and a receiver control module, comprising the steps of:
- transmitting a first stream of data over a first channel connecting the sender with the receiver;
  
  receiving, by said sender control module, said first stream of data from said sender;
  
  generating authentication data of said first stream of data by said sender control module;
  
  transmitting said authentication data from the sender control module to the receiver control module over a second channel connecting the sender control module with the receiver control module;
  
  checking authenticity of a second stream of data received over said first channel by said receiver control module using said authentication data; and
  
  exchanging a control message comprising synchronization data between the sender control module and the receiver control module over said second channel.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 24. The method of claim 23, wherein the step of exchanging a control message is carried out before transmitting said authentication data.
  - 25. The method of claim 23, wherein the step of exchanging a control message comprises an extraction step, wherein the sender module extracts a pattern from said first stream of data, said synchronization data univocally identifying said extracted pattern.
  - 26. The method of claim 25, wherein the step of checking the authenticity of the second stream of data comprises a synchronization step, wherein the receiver control module looks for said extracted pattern in said second stream of data on the basis of said synchronization data.
  - 27. The method of claim 25, wherein said synchronization data comprises said extracted pattern or a packet sequence number.
  - 28. The method of claim 25, wherein the step of generating authentication data comprises the step of calculating, by said sender control module, first hash values of first portions of said first stream of data following said extracted pattern, and the step of transmitting said authentication data comprises the step of transmitting said first hash values over said second channel, andwherein the step of checking authenticity of the second stream of data comprises loading into the receiver control module the second stream of data, calculating second hash values for second portions of the second stream of data and comparing said second hash values with received first hash values.
  - 29. The method of claim 28, wherein said control message also comprises a hash function, and wherein said first and second hash values are calculated by said sender control module and said receiver control module using said hash function.
  - 30. The method of claim 25, wherein the step of receiving said first stream of data comprises dividing said first stream of data into first blocks of a fixed length;
    - the step of generating authentication data comprises calculating hash values of said first blocks; and
      
      the step of checking authenticity of the received stream of data comprises dividing the second stream of data into second blocks of a fixed length, calculating hash values of said second blocks, and comparing said authentication data with said hash values of said second blocks.
  - 31. The method of claim 30, wherein the step of receiving a first stream of data further comprises accumulating said first blocks into a sender buffer;
    - the step of generating authentication data comprises loading a block of said first blocks from said sender buffer; and
      
      the step of checking authenticity of the received stream of data comprises accumulating said second blocks into a receiver data buffer, accumulating said authentication data in a receiver control buffer, and loading a block of said second blocks from said receiver data buffer.
  - 32. The method of claim 23, wherein said control message further comprises a length information of said patterns.
  - 33. The method of claim 23, wherein, if during said step of checking authenticity of the second stream of data, the receiver control module detects an error between said authentication data and the second stream of data, the receiver control module sends a resynchronization request to said sender control module.
  - 34. The method of claim 33, wherein said resynchronization request comprises second synchronization data univocally identifying a second extracted pattern of the second stream of data.
  - 35. The method of claim 34, wherein the second synchronization data comprises a hash value of said second extracted pattern of the second stream of data.
  - 36. The method of claim 23, wherein said second channel is a secure channel.

37. A system for out-of-band authenticating streams of data transmitted over a communication network, comprising:
- a sender control module configured to receive a first stream of data from a sender and to generate authentication data;
  
  a receiver control module configured to check said authentication data;
  
  a first channel connecting said sender to said receiver configured to transmit said first stream of data from said sender toward said receiver; and
  
  a second channel connecting said sender module and said receiver module configured to transmit said authentication data,wherein said sender control module and said receiver control module comprise respective synchronization units exchanging control message and synchronization data.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44)
- - 38. The system of claim 37, wherein said synchronization unit of said sender control module comprises a sender buffer configured to load first portions of the first stream of data and a sender processor configured to extract a pattern from said first portions and to transmit said control message to said receiver control module over said second channel, said synchronization data univocally identifying said extracted pattern.
  - 39. The system of claim 38, wherein said synchronization unit of said receiver control module comprises a receiver data buffer configured to load second portions of a second stream of data received over said first channel and a receiver processor configured to receive said control message from said second channel and to receive said second portions from said receiver data buffer, wherein said receiver processor is configured to look for said extracted pattern from said second portions on the basis of said synchronization data.
  - 40. The system of claim 38, wherein said synchronization data comprises said extracted pattern or a packet sequence number.
  - 41. The system of claim 39, wherein said sender processor comprises a first calculator configured to calculate first hash values of said first portions following said extracted portion and a transmitter element configured to transmit said first hash values on said secure channel and said receiver module comprises a receiver control buffer connected to said receiver processor and said secure channel and configured to load said first hash values, said receiver processor comprising a second calculator configured to calculate second hash values for said second portions and a comparator configured to compare the first hash values with the second hash values.
  - 42. The system of claim 37, wherein said control message also comprises a hash function and wherein said sender processor and said receiver processor are configured to calculate said first and second hash values using said hash function.
  - 43. The system of claim 37, wherein said sender control module is part of a first local area network comprising said sender, and said receiver control module is part of a second local area network comprising said receiver.
  - 44. The system of claim 37, wherein said sender control module and said receiver control module are part of said communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telecom Italia S.p.A.
Original Assignee
Telecom Italia S.p.A.
Inventors
De Lutiis, Paolo, Moiso, Corrado, Di Caprio, Gaetano

Granted Patent

US 8,572,382 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/18   using different networks or...

Out-of Band Authentication Method and System for Communication Over a Data Network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Out-of Band Authentication Method and System for Communication Over a Data Network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links