System and method for efficiently implementing an authenticated communications channel that facilitates tamper detection
Abstract
A communication system includes communication devices which communicate during a communication session. During communication session establishment, the devices exchange a session key in an encrypted manner for privacy. When one device has information to transfer to the other device, the one device will append the session key to the information and apply a hash function thereto to generate a hash value, and generate a message packet for transfer to the other device that includes an information portion containing the information and a hash value portion containing the hash value. When the other device receives the message packet, it will append the session key to the information from the information portion of the packet that it receives, and generate a hash value therefrom. If the receiving device determines that the generated hash value corresponds to the hash value received in the message packet, properties of the hash function that is used to generate the hash values enable it to conclude that the message packet was not tampered with during the transfer and that it originated from the one device. The system avoids the necessity of computation-intensive encryption and decryption for message packet transfer during a communication session.
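The packet flow the abstract describes, as an added example (not code from the patent). SHA-256 as the "selected hash function", the 4-byte length framing, the function names and the sample data are assumptions; the `use_hmac` switch is a swapped-in standard construction (HMAC, RFC 2104) that the page does not describe.

```python
import hashlib
import hmac
import secrets
import struct

DIGEST_LEN = hashlib.sha256().digest_size  # SHA-256 is an assumed hash choice


def new_session_key(nbytes: int = 32) -> bytes:
    """Session key generated by one device. Its private (encrypted) transfer
    during session establishment is outside this example."""
    return secrets.token_bytes(nbytes)


def hash_value(information: bytes, session_key: bytes, use_hmac: bool = False) -> bytes:
    if use_hmac:
        # Swapped-in alternative, not the page's construction: HMAC-SHA-256.
        return hmac.new(session_key, information, hashlib.sha256).digest()
    # Construction from the abstract: append the session key to the
    # information, then apply the hash function to the result.
    return hashlib.sha256(information + session_key).digest()


def build_packet(information: bytes, session_key: bytes, use_hmac: bool = False) -> bytes:
    """Packet = 4-byte length | information portion | hash value portion
    (the length prefix is an assumed framing)."""
    tag = hash_value(information, session_key, use_hmac)
    return struct.pack(">I", len(information)) + information + tag


def verify_packet(packet: bytes, session_key: bytes, use_hmac: bool = False):
    """Return the information if the recomputed hash matches, else None."""
    if len(packet) < 4 + DIGEST_LEN:
        return None  # too short to hold a length field and a hash value
    (length,) = struct.unpack(">I", packet[:4])
    if len(packet) != 4 + length + DIGEST_LEN:
        return None  # length field disagrees with the actual packet size
    information = packet[4:4 + length]
    received = packet[4 + length:]
    expected = hash_value(information, session_key, use_hmac)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, received):
        return None
    return information


def flip_bit(packet: bytes, index: int) -> bytes:
    """Simulate in-transit modification of one byte (constructed test helper)."""
    modified = bytearray(packet)
    modified[index] ^= 0x01
    return bytes(modified)


if __name__ == "__main__":
    key = new_session_key()
    pkt = build_packet(b"constructed sample payload", key)
    print("intact packet  :", verify_packet(pkt, key))
    print("modified data  :", verify_packet(flip_bit(pkt, 4), key))
    print("different key  :", verify_packet(pkt, new_session_key()))
```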
75 Claims
1. A communications system comprising a plurality of communication devices interconnected by a network, two of said communication devices engaging in a communication session to transfer message packets therebetween,
A. said two communication devices prior to said communication session initially engaging in a session establishment operation in which one of said two communication devices generates a session key and transfers the session key privately to the other of said two communication devices,
B. the two communication devices, during the communication session, transferring data therebetween in at least one message packet,
i. one of said two communication devices generating said at least one message packet to include said data and a hash value generated by applying a selected hash function to said data and said session key, and
ii. the other of said two communication devices, upon receiving said at least one message packet, generating a hash value from the data in said message packet and said session key, and comparing the generated hash value to the hash value in the message packet.
14. A communication device for transferring data to another device over a network, the communication device comprising:
A. a hash generator for generating a hash value by applying said selected hash function to said data and a session key; and
B. a message generator for generating a message packet for transfer over said network, the message packet including said data and said hash value as generated by said hash generator, the message generator transferring the generated message packet over said network.
A. a session key control portion including;
i. a session key generator for generating said session key; and
ii. a session key encryptor for performing an encryption operation in connection with said session key generated by said session key generator, thereby to generate an encrypted session key; and
B. the message generator transferring the encrypted session key to said other device.
16. A communication device as defined in claim 15 in which said session key control portion further comprises a session key store for storing the session key generated by said session key generator.
17. A communication device as defined in claim 14 further comprising:
A. a message receiver for receiving an encrypted session key from said other device; and
B. a session key control portion including a session key decryptor for performing a decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
18. A communication device as defined in claim 17 further comprising a session key store for storing the session key decrypted by said session key decryptor.
19. A communication device for receiving data from another device over a network, the communication device comprising:
A. a message receiver for receiving a message packet over said network, the message packet including said data and a hash value; and
B. a hash verifier for generating a hash value by applying said selected hash function to said data and said session key, the hash verifier comparing the generated hash value to the hash value in the received message packet.
A. a session key control portion including;
i. a session key generator for generating said session key; and
ii. a session key encryptor for performing an encryption operation in connection with said session key generated by said session key generator, thereby to generate an encrypted session key; and
B. the message generator transferring the encrypted session key to said other device.
23. A communication device as defined in claim 22 in which said session key control portion further comprises a session key store for storing the session key generated by said session key generator.
24. A communication device as defined in claim 19 further comprising:
A. a message receiver for receiving an encrypted session key from said other device; and
B. a session key control portion including a session key decryptor for performing a decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
25. A communication device as defined in claim 24 further comprising a session key store for storing the session key decrypted by said session key decryptor.
26. A method of operating a communications system comprising a plurality of communication devices interconnected by a network, two of said communication devices engaging in a communication session to transfer message packets therebetween, comprising the steps of
A. enabling the said two communication devices prior to said communication session to initially engage in a session establishment operation in which one of said two communication devices generates a session key and transfers the session key privately to the other of said two communication devices,
B. enabling the two communication devices, during the communication sessions, to transfer data therebetween in at least one message packet, in the process
i. enabling one of said two communication devices generating said at least one message packet to include said data and a hash value generated by applying a selected hash function to said data and said session key, and
ii. enabling the other of said two communication devices, upon receiving said at least one message packet, generating a hash value from the data in said message packet and said session key, and comparing the generated hash value to the hash value in the message packet.
39. A method of transferring data to another device over a network comprising the steps of:
A. generating a hash value by applying said selected hash function to said data and a session key; and
B. generating a message packet for transfer over said network, the message packet including said data and said hash value.
A. generating said session key;
B. performing an encryption operation in connection with said session key, thereby to generate an encrypted session key; and
C. transferring the encrypted session key to said other device.
41. A method as defined in claim 40 further comprising the step of storing the session key generated during the session key generating step.
42. A method as defined in claim 39 further comprising the steps of:
A. receiving an encrypted session key from said other device; and
B. performing a decryption operation in connection with said encrypted session key, thereby to provide said session key.
43. A method as defined in claim 42 further comprising the step of storing the session key generated during the session key decryption step.
44. A method of receiving data from another device over a network, comprising the steps of:
A. receiving a message packet over said network, the message packet including said data and a hash value;
B. generating a hash value by applying said selected hash function to said data and a session key; and
C. comparing the generated hash value to the hash value in the received message packet.
A. generating said session key;
B. performing an encryption operation in connection with said session key, thereby to generate an encrypted session key; and
C. transferring the encrypted session key to said other device.
48. A method as defined in claim 47 further comprising the step of storing the session key generated during the session key generating step.
49. A method as defined in claim 44 further comprising the steps of:
A. receiving an encrypted session key from said other device; and
B. performing a decryption operation in connection with said encrypted session key, thereby to provide said session key.
50. A method as defined in claim 49 further comprising the step of storing the session key generated during the session key decryption step.
51. A computer program product for use in connection with two communication devices interconnected by a network, to control the transfer of message packets therebetween, the computer program product comprising a communication device-readable medium having encoded thereon:
A. a session establishment module for enabling said two communication devices prior to said communication session to initially engage in a session establishment operation in which one of said two communication devices generates a session key and transfers the session key privately to the other of said two communication devices,
B. a session control module for enabling the two communication devices to transfer data therebetween in at least one message packet during the communication session;
the session control module enabling
i. one of said two communication devices to generate said at least one message packet to include said data and a hash value generated by applying a selected hash function to said data and said session key, and
ii. the other of said two communication devices, upon receiving said at least one message packet, generating a hash value from the data in said message packet and said session key, and comparing the generated hash value to the hash value in the message packet.
A. a session key control portion including;
i. a session key generator module for enabling the communication device to generate said session key; and
ii. a session key encryptor module for enabling the communication device to perform an encryption operation in connection with said session key generated under control of said session key generator module, thereby to generate an encrypted session key; and
B. a message transfer portion for enabling the one of said two communication devices to transfer the encrypted session key to said other of said two communication devices.
57. A computer program product as defined in claim 56 in which said session establishment module enables said one of said two communication devices to establish a session key store for storing the session key generated under control of said session key generator module.
58. A computer program product as defined in claim 51 in which said session establishment module includes:
A. a message transfer portion for enabling said one of said two communication devices to receive the encrypted session key from said other of said two communication devices; and
B. a session key control portion including a session key decryptor for enabling said communication device to perform a decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
59. A computer program product as defined in claim 58 in which said session establishment module enables said other of said two communication devices to establish a session key store for storing the session key generated under control of said session key decryptor module.
60. A computer program product as defined in claim 51 in which said session control module includes:
A. a hash generator module for enabling the one of said communication devices to generate a hash value by applying said selected hash function to said data and said session key; and
B. a message generator portion for enabling said one of said communication devices to generate a message packet including said data and said hash value as generated by said hash generator, and enable said one of said communication devices to transfer the generated message packet to said other of two communication devices.
61. A computer program product as defined in claim 51 in which said session control module includes:
A. a message receiver module for enabling the other of said two communication devices to receive a message packet including said data and a hash value; and
B. a hash verifier module for enabling the other of said two communication devices to generate a hash value by applying said selected hash function to said data and said session key, and compare the generated hash value to the hash value in the received message packet.
62. A computer program product as defined in claim 61 in which the hash verifier module enables the communication device to determine whether the message packet originated from the other of said two communication devices based on the comparison between the generated hash value and the hash value in the message packet.
63. A computer program product as defined in claim 61 in which the hash verifier module enables the communication device to determine whether the message packet was tampered with during the transfer over the network based on the comparison between the generated hash value and the hash value in the message packet.
64. A computer program product for enabling a communication device to generate a message packet to transfer data to another device over a network, the computer program product including a communication device readable medium having encoded thereon:
A. a hash generator module for enabling the communication device to generate a hash value by applying said selected hash function to said data and a session key;
B. a message generator module for enabling the communication device to generate a message packet for transfer over said network, the message packet including said data and said hash value as generated by said hash generator; and
C. transfer the generated message packet over said network.
A. a session key control portion including;
i. a session key generator module for enabling the communication device to generate said session key; and
ii. a session key encryptor module for enabling the communication device to perform an encryption operation in connection with said session key generated under control of said session key generator module, thereby to generate an encrypted session key; and
B. a message transfer portion for enabling the one of said two communication devices to transfer the encrypted session key to said other of said two communication devices.
66. A computer program product as defined in claim 65 in which said session establishment module enables said one of said two communication devices to establish a session key store for storing the session key generated under control of said session key generator module.
67. A computer program product as defined in claim 64 in which said session establishment module includes:
A. a message transfer portion for enabling said one of said two communication devices to receive the encrypted session key from said other of said two communication devices; and
B. a session key control portion including a session key decryptor for enabling said communication device to perform a decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
68. A computer program product as defined in claim 67 in which said session establishment module enables said other of said two communication devices further comprises a session key store for storing the session key decrypted by said session key decryptor.
69. A computer program product for enabling a communication device to receive a message packet from another device over a network, the computer program product including a communication device readable medium having encoded thereon:
A. a message receiver for receiving a message packet over said network, the message packet including said data and a hash value; and
B. a hash verifier for generating a hash value by applying said selected hash function to said data and said session key, the hash verifier comparing the generated hash value to the hash value in the received message packet.
A. a session key control portion including;
i. a session key generator module for enabling the communication device to generate said session key; and
ii. a session key encryptor module for enabling the communication device to perform an encryption operation in connection with said session key generated under control of said session key generator module, thereby to generate an encrypted session key; and
B. a message transfer portion for enabling the one of said two communication devices to transfer the encrypted session key to said other of said two communication devices.
73. A computer program product as defined in claim 72 in which said session establishment module enables said one of said two communication devices to establish a session key store for storing the session key generated under control of said session key generator module.
74. A computer program product as defined in claim 69 in which said session establishment module includes:
A. a message transfer portion for enabling said one of said two communication devices to receive the encrypted session key from said other of said two communication devices; and
B. a session key control portion including a session key decryptor for enabling said communication device to perform a decryption operation in connection with said session key received by said message transfer portion, thereby to provide a session key.
75. A computer program product as defined in claim 74 in which said session establishment module enables said other of said two communication devices further comprises a session key store for storing the session key decrypted by said session key decryptor.
Specification