Method and system for secure cable modem registration
Abstract
A method and system for secure cable modem initialization in a data-over-cable system is provided. The method includes sending a unique identifier, such as an Internet Protocol (“IP”) address, and a selected time-value, such as an approximate message send time-value, in a registration request message. A message integrity check value is calculated using the unique identifier, the selected time-value and one or more configuration parameters in a pre-determined order. The message integrity check value is added to the registration request message. A cable modem termination system receives the registration request message and uses the message integrity check value to authenticate the message and to determine whether the registration request message was sent within a pre-determined period of time (e.g., 1 second) from a recognized cable modem. If not, the registration request message is discarded and a log file entry is added to a log file with information from the registration request message (e.g., network level and data-link level network addresses). The network address and selected time-value uniquely identify the cable modem and help prevent a rogue user from intercepting a valid cable modem registration request message and using it at a later time to register a rogue cable modem. The log file helps track rogue users attacking the data-over-cable system. The method and system provide improved security for registering cable modems in a data-over-cable system.
23 Claims
1. In a data-over-cable system including a plurality of network devices, a method of securely registering a network device, the method comprising the following steps:
receiving a first configuration file on a first network device from a first protocol server, the first configuration file including a plurality of configuration parameters;
creating a first message on the first network device including one or more configuration parameters from the first configuration file;
adding a unique identifier for the first network device to the first message;
adding a selected time-value to the first message, wherein the selected time-value indicates a sending time for the first message;
calculating a message integrity check value using the unique identifier, the selected time-value and one or more configuration parameters from the first configuration file in a pre-determined order to uniquely identify the configuration information for the network device;
adding the message integrity check value to the first message; and
sending the first message from the first network device to a second network device, wherein the second network device uses the message integrity check value, the unique identifier of the first network device and the selected time-value to verify the integrity of the first message.
calculating a first message integrity check value using the unique identifier, the selected time-value, one or more configuration parameters from the first configuration file, and one or more additional configuration parameters not from the first configuration file in a pre-determined order;
adding the first message integrity check value to the first message;
calculating a second message integrity check value using the unique identifier, the selected time-value, one or more configuration parameters from the first configuration file, one or more additional configuration parameters not from the first configuration file and the first message integrity check value in a pre-determined order; and
adding the second message integrity check value to the first message as the message integrity check value.
10. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of claim 1.
11. In a data-over-cable system including a plurality of network devices, a method of registering a network device, the method comprising the following steps:
receiving a first message on a second network device from a first network device; and
determining whether the first message is valid using a first message integrity check value included in the first message, and if so, determining whether the first message was sent within a pre-determined time using a selected time-value from the first message, and if not, discarding the first message;
creating a log entry in a log file on the second network device with a plurality of information from the first message, wherein the log entry is used to determine where the discarded first message was sent from in the data-over-cable system; and
sending a second message to the first network device as a response to the first message indicating rejection of the first message.
determining whether the first message was sent within a pre-determined time using a selected time-value from the first message, wherein the first message integrity check value includes a unique identifier and a selected time-value from the first network device, and if so, accepting the first message from the first network device; and
sending a second message to the first network device as a response to the first message indicating acceptance of the first message.
20. The method of claim 19 wherein the first message is a cable modem registration request message, the second message is a cable modem registration response message, the first network device is a cable modem, and the second network device is a cable modem termination system.
21. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of claim 11.
22. In a data-over-cable system including a plurality of cable modems, a method of securely registering a cable modem, the method comprising the following steps:
receiving a first configuration file on a cable modem from a Trivial File Transfer Protocol server, the first configuration file including a plurality of configuration parameters to configure the cable modem;
creating a registration request message on the cable modem including configuration parameters from the first configuration file;
adding an Internet Protocol address for the cable modem to the registration request message;
adding a selected time-value to the registration request message, wherein the selected time-value indicates a sending time of the registration request message;
calculating a message integrity check value using a cryptographic hashing function with the Internet Protocol address, the selected time-value and one or more configuration parameters from the first configuration file in a pre-determined order to uniquely identify the configuration parameters for the cable modem;
adding the message integrity check value to the registration request message; and
sending the registration request message from the cable modem to a cable modem termination system, wherein the cable modem termination system uses the registration request message integrity check value, the Internet Protocol address for the cable modem and a selected time-value indicating when the registration request message was sent from the cable modem to verify the integrity of the registration request message.
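As an added illustration, not part of the patent text or of any vendor's implementation, the following Python models the registration exchange described in the abstract and in claims 1, 11 and 22: the cable modem appends its IP address, a send time-value and a message integrity check (MIC) computed over those fields and the configuration parameters in a fixed order; the cable modem termination system (CMTS) verifies the MIC, checks that the sender is a recognised modem and that the time-value falls within the freshness window, and on rejection writes the network-level and data-link-level addresses to a log. The page says only that the MIC uses "a cryptographic hashing function"; this example assumes HMAC-SHA256 under a secret shared by the configuration server and the CMTS, because an unkeyed hash over fields an eavesdropper can read would let anyone recompute a valid MIC for a forged request. The TLV encoding of configuration parameters, the 1-second window (the abstract's example value), the shared secret, all sample addresses and parameter values, and the names build_registration_request, CMTS.handle and SHARED_SECRET are assumptions of this example.

```python
"""Added example (not from the patent): timestamped, ordered MIC on a cable modem
registration request and its verification at the CMTS.
Assumptions not stated on the page: HMAC-SHA256 under a shared secret,
TLV-encoded configuration parameters, a 1-second freshness window."""
import hashlib
import hmac
import struct
import time

SHARED_SECRET = b"example-provisioning-secret"  # assumption: provisioned out of band
FRESHNESS_WINDOW = 1.0                          # seconds; the abstract's example value

# Constructed configuration file: (type, value) TLVs as a TFTP server might return.
# Type numbers are arbitrary here and carry no DOCSIS meaning.
CONFIG_TLVS = [
    (1, b"\x01"),
    (2, b"\x00\x00\x10\x00"),
    (3, b"\x01"),
]


def encode_tlvs(tlvs):
    """Serialise TLVs in list order: 1-byte type, 1-byte length, value."""
    return b"".join(struct.pack("!BB", t, len(v)) + v for t, v in tlvs)


def compute_mic(ip, sent_time, tlvs, secret=SHARED_SECRET):
    """MIC over IP address, send time and config parameters, in that fixed order.
    Reordering the parameters changes the MIC, so the order is part of what is protected."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    mac.update(ip.encode("ascii"))
    mac.update(struct.pack("!I", sent_time))   # send time as integer seconds
    mac.update(encode_tlvs(tlvs))
    return mac.digest()


def build_registration_request(ip, hw_addr, tlvs, now=None):
    """Cable modem side: assemble a registration request with IP, send time and MIC."""
    sent_time = int(time.time() if now is None else now)
    return {
        "type": "REG-REQ",
        "ip": ip,                 # network-level identifier (claim 22)
        "hw_addr": hw_addr,       # data-link address, recorded in the log on rejection
        "tlvs": list(tlvs),
        "sent_time": sent_time,
        "mic": compute_mic(ip, sent_time, tlvs),
    }


class CMTS:
    """Cable modem termination system side: verify, then accept or reject and log."""

    def __init__(self, known_ips, secret=SHARED_SECRET, window=FRESHNESS_WINDOW):
        self.known_ips = set(known_ips)
        self.secret = secret
        self.window = window
        self.log = []   # log-file entries for discarded requests

    def handle(self, msg, now=None):
        """Return the registration response; MIC is checked first, as claim 11 orders the tests."""
        now = time.time() if now is None else now
        expected = compute_mic(msg["ip"], msg["sent_time"], msg["tlvs"], self.secret)
        if not hmac.compare_digest(expected, msg["mic"]):
            reason = "bad-mic"          # altered fields or forged message
        elif msg["ip"] not in self.known_ips:
            reason = "unknown-modem"    # valid MIC but not a recognised cable modem
        elif abs(now - msg["sent_time"]) > self.window:
            reason = "stale"            # replayed outside the freshness window
        else:
            return {"type": "REG-RSP", "status": "accept"}
        self.log.append({"ip": msg["ip"], "hw_addr": msg["hw_addr"],
                         "sent_time": msg["sent_time"], "reason": reason})
        return {"type": "REG-RSP", "status": "reject", "reason": reason}


if __name__ == "__main__":
    # Constructed scenario: a genuine request, then the same bytes replayed 30 s later.
    t0 = int(time.time())
    req = build_registration_request("10.0.0.5", "00:11:22:33:44:55", CONFIG_TLVS, now=t0)
    cmts = CMTS(known_ips={"10.0.0.5"})
    print(cmts.handle(req, now=t0 + 0.4))
    print(cmts.handle(req, now=t0 + 30))
    print(cmts.log)
```

Checking the MIC before the time-value means a forged message is never mistaken for a merely late one, and a replayed genuine request fails the freshness check and lands in the log with the IP and hardware addresses the abstract says are recorded. One caveat the page does not address: inside the window a captured request can still be replayed, so a production CMTS would additionally remember accepted (IP, time-value) pairs for the length of the window.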
Specification