System and method for adaptive cryptographically synchronized authentication

US 6,976,168 B1
Filed: 07/21/2000
Issued: 12/13/2005
Est. Priority Date: 07/23/1999
Status: Expired due to Term

First Claim

Patent Images

1. A system for authenticating message data to be exchanged between a sender and a receiver, comprising:

a controller that dynamically selects one of a plurality of authentication mechanisms to be used in providing authentication for an exchange of message data; and

an authentication module that generates an authentication tag using said selected authentication mechanism, said authentication tag being appended to said message data;

wherein a portion of a message associated with the message data is processed using a first function that is utilized at least in part to produce the authentication tag;

wherein said portion of said message processed is selected by using a pseudorandom probabilistic function;

wherein said message is partitioned into regions, each region including a number of message parts, and providing one message part from each region as input to said first function.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for implementing adaptive cryptographically synchronized authentication is disclosed. The authentication system includes a controller that dynamically selects one of a plurality of authentication mechanisms to be used in providing authentication for an exchange of message data. The variation in the level of authentication assurance can be based on one or more factors such as the current security conditions and the available CPU utilization.

Citations

19 Claims

1. A system for authenticating message data to be exchanged between a sender and a receiver, comprising:
- a controller that dynamically selects one of a plurality of authentication mechanisms to be used in providing authentication for an exchange of message data; and
  
  an authentication module that generates an authentication tag using said selected authentication mechanism, said authentication tag being appended to said message data;
  
  wherein a portion of a message associated with the message data is processed using a first function that is utilized at least in part to produce the authentication tag;
  
  wherein said portion of said message processed is selected by using a pseudorandom probabilistic function;
  
  wherein said message is partitioned into regions, each region including a number of message parts, and providing one message part from each region as input to said first function.

2. A system for authenticating message data to be exchanged between a sender and a receiver, comprising:
- a controller that dynamically selects one of a plurality of authentication mechanisms to be used in providing authentication for an exchange of message data;
  
  a security association and key management module that establishes security associations for said plurality of authentication mechanisms; and
  
  an authentication module that includes support for said plurality of authentication mechanisms, wherein said authentication module generates an authentication tag using an authentication mechanism selected by said control, said authentication tag being appended to said message data;
  
  wherein a portion of a message associated with the message data is processed using a first function that is utilized at least in part to produce the authentication tag;
  
  wherein said portion of said message processed is selected by using a pseudorandom probabilistic function;
  
  wherein said message is partitioned into regions, each region including a number of message parts, and providing one message part from each region as input to said first function.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 3. The system of claim 2, wherein said controller receives an input identifying a processor load.
  - 4. The system of claim 3, wherein said security association and key management module operates in accordance with IKE.
  - 5. The system of claim 2, wherein said controller receives an input identifying an authentication error level.
  - 6. The system of claim 2, wherein said controller receives an input identifying network defense alarms.
  - 7. The system of claim 2, wherein said controller receives an input identifying a security policy.
  - 8. The system of claim 2, wherein said controller includes a network security service resource and one or more security association resource managers contexts, each of said one or more security resource managers contexts being established for a corresponding network application and being responsible for establishing and maintaining an authentication mechanism for a corresponding associated network application, said network security service resource being responsible for providing resource and security constraints within which each of said one or more security resource managers contexts operates.
  - 9. The system of claim 2, wherein said security association and key management module generates an authentication key for authenticating said message data.
  - 10. The system of claim 2, wherein said security association and key management module generates a confidentiality key for securing control messages.
  - 11. The system of claim 2, wherein said security association and key management module operates in accordance with the Internet Key Exchange standard.
  - 12. The system of claim 2, wherein said authentication module operates in accordance with the IPsec standards.
  - 13. The system of claim 2, further comprising a security association and key management module that establishes and maintains said plurality of authentication mechanisms.
  - 14. The system of claim 2, wherein said message includes a number of message parts, said message parts are 64 bit words.
  - 15. The system of claim 2, wherein said first function is a keyed hash function.
  - 16. The system of claim 2, wherein said first function is one of an MD4 hashing function, a bucket hashing function, a multilinear modular hashing function, a cyclic redundancy code-based hashing function, and an alternative hash algorithm.
  - 17. The system of claim 2, wherein said portion of said message processed is selected by truncating said message processed is selected by truncating said message.

18. A system for authenticating message data to be exchanged between a sender and a receiver, comprising:
- a controller that dynamically selects one of a plurality of authentication mechanisms to be used in providing authentication for an exchange of message data;
  
  a security association and key management module that establishes security associations for said plurality of authentication mechanisms; and
  
  an authentication module that includes support for said plurality of authentication mechanisms, wherein said authentication module generates an authentication tag using an authentication mechanism selected by said control, said authentication tag being appended to said message data;
  
  wherein a portion of a message associated with the message data is processed using a first function that is utilized at least in part to produce the authentication tag;
  
  wherein said portion of said message processed is selected by using a pseudorandom probabilistic function;
  
  wherein means is included for partitioning said message into regions, each region including a number of message parts, and providing one message part from each region as input to said first function.

19. A system for authenticating message data to be exchanged between a sender and a receiver, comprising:
- a controller that dynamically selects one of a plurality of authentication mechanisms to be used in providing authentication for an exchange of message data;
  
  a security association and key management module that establishes security associations for said plurality of authentication mechanisms; and
  
  an authentication module that includes support for said plurality of authentication mechanisms, wherein said authentication module generates an authentication tag using an authentication mechanism selected by said control, said authentication tag being appended to said message data;
  
  wherein a portion of a message associated with the message data is processed using a first function that is utilized at least in part to produce the authentication tag;
  
  wherein said portion of said message processed is selected by using a pseudorandom probabilistic function;
  
  wherein said portion of said message processed is selected by;
  
  defining a message selection percentage p; and
  
  using said pseudorandom probabilistic function, uniform over an interval [1,2L], where L=1/p and p is a message selection percentage, to determine offsets between message parts which are provided as input to said first function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Carman, David W., Branstad, Dennis K.
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/621,060
Time in Patent Office

1,971 Days
Field of Search

713/175, 713/176, 713/201, 380/280
US Class Current

713/175
CPC Class Codes

H04L 63/105   Multiple levels of security

H04L 63/12   Applying verification of th...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/3242   involving keyed hash functi...

System and method for adaptive cryptographically synchronized authentication

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for adaptive cryptographically synchronized authentication

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links