Methods and systems for unilateral authentication of messages

US 7,134,019 B2
Filed: 11/13/2001
Issued: 11/07/2006
Est. Priority Date: 04/12/2001
Status: Active Grant

First Claim

Patent Images

1. A method for a first computing device to make authentication information available to a second computing device, the method comprising:

creating authentication information, the authentication information including content data, a public key of the first computing device, a network address of the first computing device derived from a portion of a combination of a hash of the public key and a modifier, and a digital signature, the digital signature generated by hashing a network address and at least a portion of the content data with a private key corresponding to the public key of the first computing device; and

making the authentication information available to the second computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an authentication mechanism that enables an information recipient to ascertain that the information comes from the sender it purports to be from. This mechanism integrates a private/public key pair with selection by the sender of a portion of its address. The sender derives its address from its public key, for example, by using a hash of the key. The recipient verifies the association between the address and the sender'"'"'s private key. The recipient may retrieve the key from an insecure resource and know that it has the correct key because only that key can produce the sender'"'"'s address in the message. The hash may be made larger than the sender-selectable portion of the address. The recipient may cache public key/address pairs and use the cache to detect brute force attacks and to survive denial of service attacks. The mechanism may be used to optimize security negotiation algorithms.

58 Citations

View as Search Results

16 Claims

1. A method for a first computing device to make authentication information available to a second computing device, the method comprising:
- creating authentication information, the authentication information including content data, a public key of the first computing device, a network address of the first computing device derived from a portion of a combination of a hash of the public key and a modifier, and a digital signature, the digital signature generated by hashing a network address and at least a portion of the content data with a private key corresponding to the public key of the first computing device; and
  
  making the authentication information available to the second computing device.

2. A computer-readable storage medium containing instructions for performing a method for a first computing device to make authentication information available to a second computing device, the method comprising:
- creating authentication information, the authentication information including content data, a public key of the first computing device, a network address of the first computing device derived from a portion of a combination of a hash of the public key and a modifier, and a digital signature, the digital signature generated by hashing a network address and at least a portion of the content data; and
  
  making the authentication information available to the second computing device.

3. A method for a second computing device to authenticate content data made available by a first computing device, the method comprising:
- accessing authentication information made available by the first computing device, the authentication information including the content data, a public key of the first computing device, a first network address of the first computing device, and a digital signature;
  
  deriving a portion of a second network address from the public key of the first computing device by taking a portion of a value derived by hashing a combination of the public key and a modifier;
  
  validating the digital signature using the public key of the first computing device; and
  
  accepting the content data if the derived portion of the second network address matches a corresponding portion of the first network address and if the digital signature is valid.
- View Dependent Claims (4)
- - 4. The method of claim 3 wherein the second computing device accesses the public key of the first computing device over an unsecure channel to a key publishing device.

5. A computer-readable storage medium containing instructions for performing a method for a second computing device to authenticate content data made available by a first computing device, the method comprising:
- accessing authentication information made available by the first computing device, the authentication information including the content data, a public key of the first computing device, a first network address of the first computing device that has a node-selectable portion from a portion of a hash of a composite of the public key and a modifier, and a digital signature;
  
  deriving a node-selectable portion of a second network address by taking a portion of a hash of the public key of the first computing device;
  
  validating the digital signature using the public key of the first computing device;
  
  accepting the content data if the node-selectable portion of the second network address matches the node-selectable portion of the first network address and if the digital signature is valid; and
  
  wherein the second computing device accesses the public key of the first computing device over an unsecure channel.

6. A method for a computing device to derive a node-selectable portion of a network address from a public key of the computing device, the method comprising:
- hashing the public key;
  
  comparing a portion of a value produced by the hashing with a portion of the network address other than the node-selectable portion; and
  
  when the portions do not match, choosing a modifier, appending the modifier to the public key, and repeating the hashing and comparing steps.
- View Dependent Claims (7)
- - 7. The method of claim 6 wherein the portion of the network address other than the node-selectable portion comprises an element including a “
    - u”
      
      bit, “
      
      g”
      
      bit, and/or a portion of a route prefix.

8. A computer-readable storage medium containing instructions for performing a method for a computing device to derive a node-selectable portion of a network address from a public key of the computing device, the method comprising:
- hashing the public key;
  
  comparing a portion of a value produced by the hashing with a portion of the network address other than the node-selectable portion; and
  
  when the portions do not match, choosing a modifier, appending the modifier to the public key, and repeating the hashing and comparing steps.

9. A method for a computing device to derive a node-selectable portion of a network address from a public key of the computing device and from a route prefix of the network address of the computing device, the method comprising:
- hashing the public key and at least a portion of the route prefix of the network address;
  
  setting the node-selectable portion of the network address to a portion of the value produced by the hashing;
  
  checking to see if the network address as set is already in use; and
  
  if the network address as set is already in use, choosing a modifier, appending the modifier to the public key, and repeating the hashing, setting, and checking.

10. A computer-readable storage medium containing instructions for performing a method for a computing device to derive a node-selectable portion of a network address from a public key of the computing device and from a route prefix of the network address of the computing device, the method comprising:
- hashing the public key and at least a portion of the route prefix of the network address;
  
  setting the node-selectable portion of the network address to a portion of the value produced by the hashing;
  
  checking to see if the network address as set is already in use; and
  
  if the network address as set is already in use, choosing a modifier, appending the modifier to the public key, and repeating the hashing, setting, and checking.

11. A method for a second computing device to maintain a cache of at least one public key/network address association, the method comprising:
- accessing authentication information made available by the first computing device, the authentication information including content data, a public key of the first computing device, a modifier, a first network address of the first computing device, and a digital signature;
  
  appending the modifier to the public key of the first computing device and deriving a portion of a second network address from combination of the pubic key of the first computing device and the modifier;
  
  validating the digital signature by using the public key of the first computing device; and
  
  caching the pubic key in association with the first network address if the derived portion of the second network address matches a corresponding portion of the first network address and if the validating shows that the digital signature was generated from at least one of the content data and a hash value of data including the content data.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising:
    - determining whether to cache the public key in association with the first network address based on a time stamp in the authentication information.
  - 13. The method of claim 11 further comprising:
    - comparing the first network address against a network address in a public key/network address association already in the cache; and
      
      if the first network address matches the network address in the public key/network address association already in the cache, and if the public key does not match a public key of the public key/network address association already in the cache, then discarding the public key and first network address without caching them.
  - 14. The method of claim 13 further comprising:
    - if the first network address matches the network address in the public key/network address association already in the cache, and if the public key does not match a public key of the public key/network address association already in the cache, then removing from the cache the public key/network address association already in the cache.
  - 15. The method of claim 11 further comprising:
    - associating a timer with the caching of the public key/network address association;
      
      resetting the timer if a second public key/network address association, identical to the public key/network address association, is presented for caching; and
      
      if the timer expires, removing the public key/network address association from the cache.

16. A computer-readable storage medium containing instructions for performing a method for a second computing device to maintain a cache of at least one public key/network address association, the method comprising:
- accessing authentication information made available by the first computing device, the authentication information including the content data, a public key of the first computing device, a modifier, a first network address of the first computing device, and a digital signature;
  
  deriving a portion of a second network address from combination of the pubic key of the first computing device and the modifier;
  
  validating the digital signature by using the public key of the first computing device; and
  
  caching the pubic key in association with the first network address if the derived portion of the second network address matches a corresponding portion of the first network address and if the validating shows that the digital signature was generated from at least one of the content data and a hash value of data including the content data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
O'Shea, Gregory, Zill, Brian D., Thaler, David G., Shelest, Art, Roe, Michael
Primary Examiner(s)
Moazzami, Nasser
Assistant Examiner(s)
Parthasarathy, Pramila

Application Number

US10/010,352
Publication Number

US 20020152384A1
Time in Patent Office

1,820 Days
Field of Search

713/170, 713/176, 713/162, 713/160
US Class Current

713/170
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 2209/60   Digital content management,...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5092   by self-assignment, e.g. pi...

H04L 9/3247   involving digital signatures

H04W 8/26   Network addressing or numbe...

Methods and systems for unilateral authentication of messages

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for unilateral authentication of messages

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links