Apparatus and method for implementing spoofing- and replay-attack-resistant virtual zones on storage area networks
First Claim
1. A method of transmitting data from a transmitting node to a receiving node in a computer-based storage network, comprising:
  at the transmitting node:
    generating a data frame at the transmitting node;
    inserting a source identifier, a destination identifier, and a transmission time stamp into the data frame;
    computing a first authentication code using a first key value retrieved from a first key table, the source identifier, destination identifier, and transmission time stamp;
    inserting the authentication code into the data frame; and
    transmitting the data frame; and
  at the receiving node:
    receiving the data frame;
    retrieving a second key value from a second key table;
    computing a second authentication code using a key value retrieved from a key table, the source identifier, destination identifier, and transmission time stamp; and
    rejecting the data frame if the second authentication code does not correspond to the first authentication code.
5 Assignments
0 Petitions
Abstract
A storage area network resistant to spoofing attack has several nodes, each having a port, and a storage area network interconnect linking the ports. Each port is provided with a hash function generator for producing and verifying an authentication code for frames transmitted over the storage area network, and with a key table that supplies a key to the hash function generator. The authentication code is generated by applying a hash function to the key and to at least the address portion of each frame. In each node, the key is selected from that node's key table according to the address information of the frame.
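The following is an added example, not code from the patent or its assignee, that models the mechanism the claim and abstract describe end to end: the transmitting node inserts source identifier, destination identifier and transmission time stamp, selects a key from its key table by the frame's address information, and appends a keyed-hash authentication code over those fields; the receiving node selects the key from its own table, recomputes the code and rejects the frame on mismatch. The frame layout, the key tables, the choice of HMAC-SHA-256 truncated to 16 bytes, and the receiver's freshness window and duplicate check are all assumptions for illustration (the patent text fixes none of them; claim 1 only binds the time stamp into the code, and the freshness check is what actually gives the replay resistance the title refers to).

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                    # truncated HMAC-SHA-256 tag (assumed length)
HDR = struct.Struct("!IIQ")     # src_id, dst_id, tx_timestamp_ns (assumed layout)

# Constructed key tables. Each node selects the key for a frame from its own
# table by the frame's address information, here the (src, dst) pair, so an
# honest sender and receiver resolve the same pair to the same shared key.
# A rogue port that spoofs node A's identifier does not hold A's key.
NODE_A, NODE_B = 0x010100, 0x010200
KEY_TABLE_A = {(NODE_A, NODE_B): b"constructed-key-A-B-0000000000000000"}
KEY_TABLE_B = {(NODE_A, NODE_B): b"constructed-key-A-B-0000000000000000"}
KEY_TABLE_ROGUE = {(NODE_A, NODE_B): b"attacker-does-not-know-the-real-key"}


def auth_code(key, src, dst, ts, payload):
    """Authentication code: keyed hash over the address fields, time stamp and payload."""
    msg = HDR.pack(src, dst, ts) + bytes(payload)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key_table, src, dst, ts, payload):
    """Transmitting node: insert src, dst and time stamp, then the code computed over them."""
    key = key_table[(src, dst)]          # key selected by the frame's address information
    return HDR.pack(src, dst, ts) + payload + auth_code(key, src, dst, ts, payload)


class Receiver:
    """Receiving node: recompute the code from its own key table and reject mismatches.
    The freshness window and the seen-set are assumptions added here; they turn a
    time stamp that is merely authenticated into one that is also checked."""

    def __init__(self, node_id, key_table, window_ns):
        self.node_id = node_id
        self.key_table = key_table
        self.window_ns = window_ns
        self.seen = {}  # (src, ts) -> ts for frames accepted inside the window

    def accept(self, frame, now_ns):
        """Return (payload, 'ok') for an accepted frame, or (None, reason)."""
        if len(frame) < HDR.size + TAG_LEN:
            return None, "short frame"
        src, dst, ts = HDR.unpack_from(frame)
        payload, tag = bytes(frame[HDR.size:-TAG_LEN]), bytes(frame[-TAG_LEN:])
        if dst != self.node_id:
            return None, "not addressed to this node"
        key = self.key_table.get((src, dst))
        if key is None:
            return None, "no key for this address pair"
        # Verify the code before acting on any field; constant-time comparison.
        if not hmac.compare_digest(tag, auth_code(key, src, dst, ts, payload)):
            return None, "authentication code mismatch"
        if abs(now_ns - ts) > self.window_ns:
            return None, "timestamp outside freshness window"
        # Age out old entries so the duplicate set stays bounded by the window.
        self.seen = {k: v for k, v in self.seen.items() if now_ns - v <= self.window_ns}
        if (src, ts) in self.seen:
            return None, "replayed frame"
        self.seen[(src, ts)] = ts
        return payload, "ok"


def run_scenarios():
    """Legitimate, spoofed, re-stamped, replayed and stale frames against one receiver."""
    now = 1_700_000_000_000_000_000                  # constructed clock value in ns
    rx = Receiver(NODE_B, KEY_TABLE_B, window_ns=2_000_000_000)   # 2 s window (assumed)
    good = build_frame(KEY_TABLE_A, NODE_A, NODE_B, now, b"WRITE LUN 3")
    # Spoof: a rogue port claims node A's identifier but signs with a wrong key.
    spoof = build_frame(KEY_TABLE_ROGUE, NODE_A, NODE_B, now + 1, b"WRITE LUN 3")
    # Re-stamp: a captured frame with only its time stamp refreshed; the code no longer matches.
    refreshed = bytearray(good)
    struct.pack_into("!Q", refreshed, 8, now + 1_000_000_000)
    # Stale: correctly keyed but stamped well outside the window.
    stale = build_frame(KEY_TABLE_A, NODE_A, NODE_B, now - 10_000_000_000, b"WRITE LUN 3")
    return {
        "legit": rx.accept(good, now)[1],
        "spoofed_source": rx.accept(spoof, now)[1],
        "refreshed_timestamp": rx.accept(bytes(refreshed), now + 1_000_000_000)[1],
        "replay": rx.accept(good, now + 500_000_000)[1],
        "stale": rx.accept(stale, now)[1],
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

Two design points worth noting. The receiver verifies the code before it looks at the time stamp, so an attacker cannot use the freshness check as an oracle with unauthenticated frames. And because the time stamp is an input to the code, a captured frame cannot simply be re-stamped and resent; the seen-set and window then close the remaining gap, a verbatim replay inside the window, which the claim language alone does not address.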
13 Claims
Claim 1 is independent (its text is reproduced above); claims 2 through 13 depend from it.