Apparatus and method for implementing spoofing-and replay-attack-resistant virtual zones on storage area networks

US 6,973,568 B2
Filed: 09/21/2004
Issued: 12/06/2005
Est. Priority Date: 10/06/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method of transmitting data from a transmitting node to a receiving node in a computer-based storage network, comprising:

at the transmitting node;

generating a data frame at the transmitting node;

inserting a source identifier, a destination identifier, and a transmission time stamp into the data frame;

computing a first authentication code using a first key value retrieved from a first key table, the source identifier, destination identifier, and transmission time stamp;

inserting the authentication code into the data frame; and

transmitting the data frame; and

at the receiving node;

receiving the data frame;

retrieving a second key value from a second key table;

computing a second authentication code using a key value retrieved from a key table, the source identifier, destination identifier, and transmission time stamp; and

rejecting the data frame if the second authentication code does not correspond to the first authentication code.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A storage area network resistant to spoofing attack has several nodes each having a port, and storage area network interconnect interconnecting the ports. Each port is provided with a hash function generator for providing and verifying an authentication code for frames transmitted over the storage area network, and a key table for providing a key to the hash function generator. The authentication code is generated by applying a hash function to the key and to at least an address portion of each frame. In each node, the key is selected from that node'"'"'s key table according to address information of the frame.

Citations

13 Claims

1. A method of transmitting data from a transmitting node to a receiving node in a computer-based storage network, comprising:
- at the transmitting node;
  
  generating a data frame at the transmitting node;
  
  inserting a source identifier, a destination identifier, and a transmission time stamp into the data frame;
  
  computing a first authentication code using a first key value retrieved from a first key table, the source identifier, destination identifier, and transmission time stamp;
  
  inserting the authentication code into the data frame; and
  
  transmitting the data frame; and
  
  at the receiving node;
  
  receiving the data frame;
  
  retrieving a second key value from a second key table;
  
  computing a second authentication code using a key value retrieved from a key table, the source identifier, destination identifier, and transmission time stamp; and
  
  rejecting the data frame if the second authentication code does not correspond to the first authentication code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - rejecting the data frame if the transmission time stamp of a first received frame corresponds to the transmission time stamp of a second received frame.
  - 3. The method of claim 1, further comprising:
    - computing a transmit time for the received data frame; and
      
      rejecting the received data frame if the transmit time exceeds a threshold.
  - 4. The method of claim 3, wherein the threshold is based on a transmit time of one or more previously transmitted frames.
  - 5. The method of claim 1, whereinthe transmitted frame further comprises a destination process identifier;
    - andthe first and second authentication codes are computed based in part upon the destination process identifier.
  - 6. The method of claim 1, wherein the first authentication code is generated by applying a first hash function using a key value from a key table associated with a port of the transmitting node.
  - 7. The method of claim 1, wherein the data frame includes a data field identifying a source address and a destination address for the transmitted frame.
  - 8. The method of claim 1, wherein the second authentication code is generated by applying a hash function using a key value from a key table associated with a port of the receiving node.
  - 9. The method of claim 1, wherein rejecting the data frame if the second authentication code does not correspond to the first authentication code comprises determining a correlation between the first authentication code and the second authentication code.
  - 10. The method of claim 1 further comprising, determining an elapsed time period between transmission of the frame and receipt of the frame.
  - 11. The method of claim 1, further comprising rejecting the frame if the transmission time of the frame exceeds the transmission time of one more additional received frames by a threshold.
  - 12. The method of claim 1, wherein the first key value is retrieved from the first key table based on a network address of the transmitting node.
  - 13. The method of claim 1, whereinthe data frame further comprises an association header,a portion of the frame used to generate the authentication code comprises at least a portion of the association header, andthe first key value is selected from the key table using at least a portion of the association header in addition to a source identifier of the frame.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Hagerman, Douglas L.
Primary Examiner(s)
Zand, Kambiz

Application Number

US10/945,644
Publication Number

US 20050044354A1
Time in Patent Office

441 Days
Field of Search

713/153, 713/154, 713/176, 713/179, 713/181, 380/261, 380/262
US Class Current

713/153
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/35   involving non-standard use ...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 63/1466   Active attacks involving in...

H04L 67/1097   for distributed storage of ...

H04L 69/329   in the application layer [O...

Apparatus and method for implementing spoofing-and replay-attack-resistant virtual zones on storage area networks

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for implementing spoofing-and replay-attack-resistant virtual zones on storage area networks

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links