System and method for efficiently implementing an authenticated communications channel that facilitates tamper detection

US 6,289,451 B1
Filed: 04/18/1997
Issued: 09/11/2001
Est. Priority Date: 04/18/1997
Status: Expired due to Term

First Claim

Patent Images

1. A communications system comprising a plurality of communication devices interconnected by a network, two of said communication devices engaging in a communication session to transfer message packets therebetween,A. said two communication devices prior to said communication session initially engaging in a session establishment operation in which one of said two communication devices generates a session key and transfers the session key privately to the other of said two communication devices, B. the two communication devices, during the communication session, transferring data therebetween in at least one message packet, i. one of said two communication devices generating said at least one message packet to include said data and a hash value generated by applying a selected hash function to said data and said session key, and ii. the other of said two communication devices, upon receiving said at least one message packet, generating a hash value from the data in said message packet and said session key, and comparing the generated hash value to the hash value in the message packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication system includes communication devices which communicate during a communication session. During communication session establishment, the devices exchange a session key in an encrypted manner for privacy. When one device has information to transfer to the other device, the one device will append the session key to the information and apply a hash function thereto to generate a hash value, and generate a message packet for transfer to the other device that includes an information portion containing the information and a hash value portion containing the hash value. When the other device receives the message packet, it will append the session key to the information from the information portion of the packet that it receives, and generate a hash value therefrom. If the receiving device determines that the generated hash value corresponds to the hash value received in the message packet, properties of the hash function that is used to generate the hash values enable it to conclude that the message packet was not tampered with during the transfer and that it originated from the one device. The system avoids the necessity of computation-intensive encryption and decryption for message packet transfer during a communication session.

Citations

75 Claims

1. A communications system comprising a plurality of communication devices interconnected by a network, two of said communication devices engaging in a communication session to transfer message packets therebetween,A. said two communication devices prior to said communication session initially engaging in a session establishment operation in which one of said two communication devices generates a session key and transfers the session key privately to the other of said two communication devices, B. the two communication devices, during the communication session, transferring data therebetween in at least one message packet, i. one of said two communication devices generating said at least one message packet to include said data and a hash value generated by applying a selected hash function to said data and said session key, and ii. the other of said two communication devices, upon receiving said at least one message packet, generating a hash value from the data in said message packet and said session key, and comparing the generated hash value to the hash value in the message packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A communication system as defined in claim 1 in which the other of said two communication devices determines whether the message packet originated from the one of said two communication devices based on the comparison between the generated hash value and the hash value in the message packet.
  - 3. A communication system as defined in claim 1 in which the other of said two communication devices determines whether the message packet was tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.
  - 4. A communication system as defined in claim 1 in which, during the session establishment operation, the one of said communication devices encrypts the session key prior to the transfer to the other of said two communication devices.
  - 5. A communication system as defined in claim 4 in which, during the session establishment operation, the other of said communication devices decrypts the encrypted session key after receiving the encrypted session key from the one of said two communication devices.
  - 6. A communication system as defined in claim 1 in which said one of said two communication devices comprises:
    - A. a session key control portion including;
      
      i. a session key generator for generating said session key; and
      
      ii. a session key encryptor for performing an encryption operation in connection with said session key generated by said session key generator, thereby to generate an encrypted session key; and
      
      B. a message transfer portion for transferring the encrypted session key to said other of said two communication devices.
  - 7. A communication system as defined in claim 6 in which said one of said two communication devices further comprises a session key store for storing the session key generated by said session key generator.
  - 8. A communication system as defined in claim 1 in which said other of said two communication devices comprises:
    - A. a message transfer portion for receiving the encrypted session key from said other of said two communication devices; and
      
      B. a session key control portion including a session key decryptor for performing a decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
  - 9. A communication system as defined in claim 8 in which said other of said two communication devices further comprises a session key store for storing the session key decrypted by said session key decryptor.
  - 10. A communication system as defined in claim 1 in which said one of said two communication devices comprises a message transfer portion comprising:
    - A. a hash generator for generating a hash value by applying said selected hash function to said data and said session key; and
      
      B. a message generator for generating a message packet including said data and said hash value as generated by said hash generator, the message generator transferring the generated message packet to said other of two communication devices.
  - 11. A communication system as defined in claim 1 in which said one of said two communication devices comprises a message transfer portion comprising:
    - A. a message receiver for receiving a message packet including said data and a hash value; and
      
      B. a hash verifier for generating a hash value by applying said selected hash function to said data and said session key, the hash verifier comparing the generated hash value to the hash value in the received message packet.
  - 12. A communication system as defined in claim 11 in which the hash verifier determines whether the message packet originated from the other of said two communication devices based on the comparison between the generated hash value and the hash value in the message packet.
  - 13. A communication system as defined in claim 11 in which the hash verifier determines whether the message packet was tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.

14. A communication device for transferring data to another device over a network, the communication device comprising:
- A. a hash generator for generating a hash value by applying said selected hash function to said data and a session key; and
  
  B. a message generator for generating a message packet for transfer over said network, the message packet including said data and said hash value as generated by said hash generator, the message generator transferring the generated message packet over said network.
- View Dependent Claims (15, 16, 17, 18)
- - 15. A communication device as defined in claim 14 further comprising:
16. A communication device as defined in claim 15 in which said session key control portion further comprises a session key store for storing the session key generated by said session key generator.
17. A communication device as defined in claim 14 further comprising:
- A. a message receiver for receiving an encrypted session key from said other device; and
  
  B. a session key control portion including a session key decryptor for performing an decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
18. A communication device as defined in claim 17 further comprising a session key store for storing the session key decrypted by said session key decryptor.

19. A communication device for receiving data from another device over a network, the communication device comprising:
- A. a message receiver for receiving a message packet over said network, the message packet including said data and a hash value; and
  
  B. a hash verifier for generating a hash value by applying said selected hash function to said data and said session key, the hash verifier comparing the generated hash value to the hash value in the received message packet.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. A communication device as defined in claim 19, the communication device determining whether the message packet originated from the one of said two communication devices based on the comparison between the generated hash value and the hash value in the message packet.
  - 21. A communication device as defined in claim 19, the communication device determining whether the message packet was tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.
  - 22. A communication device as defined in claim 19 further comprising:
23. A communication device as defined in claim 22 in which said session key control portion further comprises a session key store for storing the session key generated by said session key generator.
24. A communication device as defined in claim 19 further comprising:
- A. a message receiver for receiving an encrypted session key from said other device; and
  
  B. a session key control portion including a session key decryptor for performing an decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
25. A communication device as defined in claim 24 further comprising a session key store for storing the session key decrypted by said session key decryptor.

26. A method of operating a communications system comprising a plurality of communication devices interconnected by a network, two of said communication devices engaging in a communication session to transfer message packets therebetween, comprising the steps ofA. enabling the said two communication devices prior to said communication session to initially engage in a session establishment operation in which one of said two communication devices generates a session key and transfers the session key privately to the other of said two communication devices, B. enabling the two communication devices, during the communication sessions, to transfer data therebetween in at least one message packet, in the process i. enabling one of said two communication devices generating said at least one message packet to include said data and a hash value generated by applying a selected hash function to said data and said session key, and ii. enabling the other of said two communication devices, upon receiving said at least one message packet, generating a hash value from the data in said message packet and said session key, and comparing the generated hash value to the hash value in the message packet.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 27. A method as defined in claim 26 further comprising the step of enabling the other of said two communication devices to determine whether the message packet originated from the one of said two communication devices based on the comparison between the generated hash value and the hash value in the message packet.
  - 28. A method as defined in claim 26 further comprising the step of enabling the other of said two communication devices to determine whether the message packet was tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.
  - 29. A method as defined in claim 26 further comprising the step of, during the session establishment operation, enabling the one of said communication devices to encrypt the session key prior to the transfer to the other of said two communication devices.
  - 30. A method as defined in claim 29 further comprising the step of, during the session establishment operation, enabling the other of said communication devices to decrypt the encrypted session key after receiving the encrypted session key from the one of said two communication devices.
  - 31. A method as defined in claim 26 further comprising the step of enabling said one of said two communication devices to:
    - A. generate said session key;
      
      B. perform an encryption operation in connection with said session key, thereby to generate an encrypted session key; and
      
      C. transfer the encrypted session key to said other of said two communication devices.
  - 32. A method as defined in claim 31 further comprising the step of enabling said one of said two communication devices to store the session key.
  - 33. A method as defined in claim 26 further comprising the step of enabling said other of said two communication devices to:
    - A. receive the encrypted session key from said other of said two communication devices; and
      
      B. perform a decryption operation in connection with said received session key, thereby to provide a session key.
  - 34. A method as defined in claim 33 further comprising the step of enabling said other of said two communication devices to store the session key.
  - 35. A method as defined in claim 26 further comprising the step of enabling said one of said two communication devices to:
    - A. generate a hash value by applying said selected hash function to said data and said session key;
      
      B. generate a message packet including said data and said generated hash value, and C. transfer the generated message packet over said network.
  - 36. A method as defined in claim 26 further comprising the step of enabling said one of said two communication devices to:
    - A. receive a message packet including said data and a hash value;
      
      B. generate a hash value by applying said selected hash function to said data and said session key; and
      
      C. comparing the generated hash value to the hash value in the received message packet.
  - 37. A method as defined in claim 36 further comprising the step of enabling said one of said two communication devices to determine whether the message packet originated from the other of said two communication devices based on the comparison between the generated hash value and the hash value in the message packet.
  - 38. A method as defined in claim 36 further comprising the step of enabling said one of said two communication devices to determine whether the message packet was tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.

39. A method of transferring data to another device over a network comprising the steps of:
- A. generating a hash value by applying said selected hash function to said data and a session key; and
  
  B. generating a message packet for transfer over said network, the message packet including said data and said hash value.
- View Dependent Claims (40, 41, 42, 43)
- - 40. A method as defined in claim 39 further comprising the steps of:
41. A method as defined in claim 40 further comprising the step of storing the session key generated during the session key generating step.
42. A method as defined in claim 39 further comprising the steps of:
- A. receiving an encrypted session key from said other device; and
  
  B. performing an decryption operation in connection with said encrypted session key, thereby to provide said session key.
43. A method as defined in claim 42 further comprising the step of storing the session key generated during the session key decryption step.

44. A method of receiving data from another device over a network, comprising the steps of:
- A. receiving a message packet over said network, the message packet including said data and a hash value;
  
  B. generating a hash value by applying said selected hash function to said data and a session key; and
  
  C. comparing the generated hash value to the hash value in the received message packet.
- View Dependent Claims (45, 46, 47, 48, 49, 50)
- - 45. A method as defined in claim 44, further comprising the step of determining that the message packet originated from a particular other device based on the comparison between the generated hash value and the hash value in the message packet.
  - 46. A method as defined in claim 44, further comprising the step of determining that the message packet was not tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.
  - 47. A method as defined in claim 44 further comprising the steps of:
48. A method as defined in claim 47 further comprising the step of storing the session key generated during the session key generating step.
49. A method as defined in claim 44 further comprising the steps of:
- A. receiving an encrypted session key from said other device; and
  
  B. performing an decryption operation in connection with said encrypted session key, thereby to provide said session key.
50. A method as defined in claim 49 further comprising the step of storing the session key generated during the session key decryption step.

51. A computer program product for use in connection with two communication devices interconnected by a network, to control the transfer of message packets therebetween, the computer program product comprising a communication device-readable medium having encoded thereon:
- A. a session establishment module for enabling said two communication devices prior to said communication session to initially engage in a session establishment operation in which one of said two communication devices generates a session key and transfers the session key privately to the other of said two communication devices, B. a session control module for enabling the two communication devices to transfer data therebetween in at least one message packet during the communication session;
  
  the session control module enabling i. one of said two communication devices to generate said at least one message packet to include said data and a hash value generated by applying a selected hash function to said data and said session key, and ii. the other of said two communication devices, upon receiving said at least one message packet, generating a hash value from the data in said message packet and said session key, and comparing the generated hash value to the hash value in the message packet.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 52. A computer program product as defined in claim 51 in which the session control module enables the other of said two communication devices to determine whether the message packet originated from the one of said two communication devices based on the comparison between the generated hash value and the hash value in the message packet.
  - 53. A computer program product as defined in claim 51 in which the session control module enables the other of said two communication devices to determine whether the message packet was tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.
  - 54. A computer program product as defined in claim 51 in which the session establishment module enables the one of said communication devices to encrypt the session key prior to the transfer to the other of said two communication devices.
  - 55. A computer program product as defined in claim 54 in which the session establishment module enables the other of said communication devices to decrypt the encrypted session key after receiving the encrypted session key from the one of said two communication devices.
  - 56. A computer program product as defined in claim 51 in which the session establishment module includes:
57. A computer program product as defined in claim 56 in which said session establishment module enables said one of said two communication devices to establish a session key store for storing the session key generated under control of said session key generator module.
58. A computer program product as defined in claim 51 in which said session establishment module includes:
- A. a message transfer portion for enabling said one of said two communication devices to receive the encrypted session key from said other of said two communication devices; and
  
  B. a session key control portion including a session key decryptor for enabling said communication device to perform a decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
59. A computer program product as defined in claim 58 in which said session establishment module enables said other of said two communication devices to establish a session key store for storing the session key generated under control of said session key decryptor module.
60. A computer program product as defined in claim 51 in which said session control module includes:
- A. a hash generator module for enabling the one of said communication devices to generate a hash value by applying said selected hash function to said data and said session key; and
  
  B. a message generator portion for enabling said one of said communication devices to generate a message packet including said data and said hash value as generated by said hash generator, and enable said one of said communication devices to transfer the generated message packet to said other of two communication devices.
61. A computer program product as defined in claim 51 in which said session control module includes:
- A. a message receiver module for enabling the other of said two communication devices to receive a message packet including said data and a hash value; and
  
  B. a hash verifier module for enabling the other of said two communication devices to generate a hash value by applying said selected hash function to said data and said session key, and compare the generated hash value to the hash value in the received message packet.
62. A computer program product as defined in claim 61 in which the hash verifier module enables the communication device to determine whether the message packet originated from the other of said two communication devices based on the comparison between the generated hash value and the hash value in the message packet.
63. A computer program product as defined in claim 61 in which the hash verifier module enables the communication device to determine whether the message packet was tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.

64. A computer program product for enabling a communication device to generate a message packet to transfer data to another device over a network, the computer program product including a communication device readable medium having encoded thereon:
- A. a hash generator module for enabling the communication device to generate a hash value by applying said selected hash function to said data and a session key;
  
  B. a message generator module for enabling the communication device to generate a message packet for transfer over said network, the message packet including said data and said hash value as generated by said hash generator; and
  
  C. transfer the generated message packet over said network.
- View Dependent Claims (65, 66, 67, 68)
- - 65. A computer program product as defined in claim 64 further comprising:
66. A computer program product as defined in claim 65 in which said session establishment module enables said one of said two communication devices to establish a session key store for storing the session key generated under control of said session key generator module.
67. A computer program product as defined in claim 64 in which said session establishment module includes:
- A. a message transfer portion for enabling said one of said two communication devices to receive the encrypted session key from said other of said two communication devices; and
  
  B. a session key control portion including a session key decryptor for enabling said communication device to perform a decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
68. A computer program product as defined in claim 67 in which said session establishment module enables said other of said two communication devices further comprises a session key store for storing the session key decrypted by said session key decryptor.

69. A computer program product for enabling a communication device to receive a message packet from another device over a network, the computer program product including a communication device readable medium having encoded thereon:
- A. a message receiver for receiving a message packet over said network, the message packet including said data and a hash value; and
  
  B. a hash verifier for generating a hash value by applying said selected hash function to said data and said session key, the hash verifier comparing the generated hash value to the hash value in the received message packet.
- View Dependent Claims (70, 71, 72, 73, 74, 75)
- - 70. A computer program product as defined in claim 69, in which the session control module enables the communication device to determine whether the message packet originated from another communication device based on the comparison between the generated hash value and the hash value in the message packet.
  - 71. A computer program product as defined in claim 69 in which the session control module enables the communication device to determine whether the message packet was tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.
  - 72. A computer program product as defined in claim 69 further comprising:
73. A computer program product as defined in claim 72 in which said session establishment module enables said one of said two communication devices to establish a session key store for storing the session key generated under control of said session key generator module.
74. A computer program product as defined in claim 69 in which said session establishment module includes:
- A. a message transfer portion for enabling said one of said two communication devices to receive the encrypted session key from said other of said two communication devices; and
  
  B. a session key control portion including a session key decryptor for enabling said communication device to perform a decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
75. A computer program product as defined in claim 74 in which said session establishment module enables said other of said two communication devices further comprises a session key store for storing the session key decrypted by said session key decryptor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Dice, David
Primary Examiner(s)
CANGIALOSI, SALVATORE A

Application Number

US08/844,211
Time in Patent Office

1,607 Days
Field of Search

380/25, 380/30, 713/168, 713/170
US Class Current

713/168
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/3236   using cryptographic hash fu...

System and method for efficiently implementing an authenticated communications channel that facilitates tamper detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

75 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for efficiently implementing an authenticated communications channel that facilitates tamper detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

75 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links