SCALABLE REPLAY COUNTERS FOR NETWORK SECURITY
First Claim
1. A method, comprising:
- maintaining, at an authenticator in a communication network, a persistent authenticator epoch value that the authenticator increments each time the authenticator restarts;
- maintaining, at the authenticator, a persistent per-supplicant value for each supplicant of the authenticator, each per-supplicant value set to a current value of the authenticator epoch value each time the corresponding supplicant establishes a new security association with the authenticator; and
- communicating at least one message from the authenticator to a particular supplicant, each message comprising a per-supplicant replay counter having a security association epoch counter and a message counter specific to the particular supplicant, wherein the security association epoch counter for each message is set as a difference between the authenticator epoch value and the per-supplicant value for the particular supplicant when the message is communicated, and wherein the message counter is incremented for each message communicated.
Abstract
In one embodiment, an authenticator in a communication network maintains a persistent authenticator epoch value that increments each time the authenticator restarts. The authenticator also maintains a persistent per-supplicant value for each supplicant of the authenticator, each per-supplicant value set to a current value of the authenticator epoch value each time the corresponding supplicant establishes a new security association with the authenticator. To communicate messages from the authenticator to a particular supplicant, each message uses a per-supplicant replay counter having a security association epoch counter and a message counter specific to the particular supplicant. In particular, the security association epoch counter for each message is set as a difference between the authenticator epoch value and the per-supplicant value for the particular supplicant when the message is communicated, while the message counter is incremented for each message communicated.
20 Claims
1. A method, comprising: the three steps recited under First Claim above. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
11. An apparatus, comprising:
- one or more network interfaces to communicate with a shared-media communication network;
- a processor coupled to the network interfaces and adapted to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process, when executed by the apparatus as an authenticator, operable to:
  - maintain a persistent authenticator epoch value that increments each time the authenticator restarts;
  - maintain a persistent per-supplicant value for each supplicant of the authenticator, each per-supplicant value set to a current value of the authenticator epoch value each time the corresponding supplicant establishes a new security association with the authenticator; and
  - communicate at least one message to a particular supplicant, each message using a per-supplicant replay counter having a security association epoch counter and a message counter specific to the particular supplicant, wherein the security association epoch counter for each message is set as a difference between the authenticator epoch value and the per-supplicant value for the particular supplicant when the message is communicated, and wherein the message counter is incremented for each message communicated.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
20. A tangible, non-transitory, computer-readable media having software encoded thereon, the software, when executed by a processor on an authenticator in a computer network, operable to:
- maintain a persistent authenticator epoch value that increments each time the authenticator restarts;
- maintain a persistent per-supplicant value for each supplicant of the authenticator, each per-supplicant value set to a current value of the authenticator epoch value each time the corresponding supplicant establishes a new security association with the authenticator; and
- communicate at least one message to a particular supplicant, each message using a per-supplicant replay counter having a security association epoch counter and a message counter specific to the particular supplicant, wherein the security association epoch counter for each message is set as a difference between the authenticator epoch value and the per-supplicant value for the particular supplicant when the message is communicated, and wherein the message counter is incremented for each message communicated.
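As an added example (not code from the patent or its assignee), the following Python models the counter scheme recited in the abstract and in claims 1, 11 and 20: the class names, the in-memory `persist` dictionary standing in for non-volatile storage, and the supplicant's lexicographic acceptance rule are assumptions of this example, not text from the page.

```python
from dataclasses import dataclass

@dataclass(order=True, frozen=True)
class ReplayCounter:
    sa_epoch: int      # authenticator epoch minus per-supplicant value at send time
    msg_counter: int   # incremented per message; starts again at 1 after a restart

class Authenticator:
    def __init__(self, persist=None):
        # 'persist' (assumed) models non-volatile storage that survives restarts:
        # only the epoch and the per-supplicant values live there, not message counters.
        self.persist = persist if persist is not None else {"epoch": 0, "sup": {}}
        self.msg_counter = {}  # volatile state, lost on restart

    def restart(self):
        self.persist["epoch"] += 1   # epoch increments on every restart
        self.msg_counter = {}

    def establish_sa(self, supplicant):
        # Per-supplicant value := current epoch when the SA is (re)established, so
        # the SA epoch counter starts at 0 however many restarts the authenticator had.
        self.persist["sup"][supplicant] = self.persist["epoch"]
        self.msg_counter[supplicant] = 0

    def next_counter(self, supplicant):
        sa_epoch = self.persist["epoch"] - self.persist["sup"][supplicant]
        self.msg_counter[supplicant] = self.msg_counter.get(supplicant, 0) + 1
        return ReplayCounter(sa_epoch, self.msg_counter[supplicant])

class Supplicant:
    def __init__(self):
        self.last = ReplayCounter(0, 0)  # reset whenever a new SA is established

    def accept(self, counter):
        # Anti-replay rule (assumed): (sa_epoch, msg_counter) must strictly increase
        # lexicographically; a restart bumps sa_epoch, so the reset message counter
        # is still accepted while any replayed earlier counter is rejected.
        if counter <= self.last:
            return False
        self.last = counter
        return True

def demo():
    auth = Authenticator()
    auth.persist["epoch"] = 5        # long-lived authenticator: 5 past restarts
    auth.establish_sa("sta1")
    sup = Supplicant()
    c1 = auth.next_counter("sta1")
    results = [sup.accept(c1), sup.accept(c1)]  # fresh (0,1) ok; replay rejected
    auth.restart()                              # volatile message counters are lost
    c2 = auth.next_counter("sta1")              # (1,1): epoch 6 minus value 5
    results.append(sup.accept(c2))
    return results, c1, c2
```

Only the epoch and the per-supplicant values need to be written to persistent storage; the per-message counters can stay in volatile memory because the SA epoch counter distinguishes messages sent before and after a restart.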