Authentication of remotely originating network messages
Abstract
A method and system for authenticating messages received from users across multiple remote devices are provided. A residential gateway authenticates a user using a modified digest authentication scheme by storing a sequence number in the nonce field. Access encryption keys and sequence number spaces may be assigned based on user or on user/remote device pairs. When sequence number spaces are assigned based on user, and the user uses multiple remote devices to access the residential gateway, the sequence number space may be divided into mini-sequence number spaces for each of the multiple remote devices. Access encryption may be two-tiered, such that a secondary key is generated based on a user's primary key, and the secondary key is only valid for a limited amount of time before it expires and a new secondary key must be generated.
17 Claims
1. A device, comprising:
a database configured to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and to store sliding window information corresponding to each range of sequence numbers; and a processor configured to control operation of the device, and further configured to: (i) receive a first message comprising a user identification (ID) and a first remote device ID, (ii) assign a first available range of sequence numbers to the user ID and first remote device ID pair, (iii) receive a second message comprising the user ID and a second remote device ID, and (iv) assign a second available range of sequence numbers to the user ID and second remote device ID pair, wherein the first available range of sequence numbers and the second available range of sequence numbers each comprise a sub-part of a range of sequence numbers assigned to the user ID, and wherein the size of each of the first available range of sequence numbers and the second available range of sequence numbers is proportional to an access frequency used by the user ID. (Dependent claims: 2, 3, 4, 5, 6, 8.)
7. A device, comprising:
a database configured to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and to store sliding window information corresponding to each range of sequence numbers; and a processor configured to control operation of the device, and further configured to: (i) receive a first message comprising a user identification (ID) and a first remote device ID, (ii) assign a first available range of sequence numbers to the user ID and first remote device ID pair, (iii) receive a second message comprising the user ID and a second remote device ID, and (iv) assign a second available range of sequence numbers to the user ID and second remote device ID pair, wherein the first available range of sequence numbers and the second available range of sequence numbers each comprise a sub-part of a range of sequence numbers assigned to the user ID, where the size of each of the first available range of sequence numbers is proportional to an access frequency used by a first remote device having the first remote device ID, and the second available range of sequence numbers is proportional to an access frequency used by a second remote device having the second remote device ID.
9. A device, comprising:
a sequence number database configured to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and to store sliding window information corresponding to each range of sequence numbers, said sliding window information indicating whether each message within the sliding window has or has not been received; a processor configured to control operation of the device, and further configured to: (i) receive a message comprising a first authentication credential, a user identification (ID) and a predetermined sequence number; (ii) retrieve a secret corresponding at least to the user ID; (iii) generate a second authentication credential based on information comprising the retrieved secret and the predetermined sequence number; (iv) compare the first and second authentication credentials; (v) query the database for the received sequence number; and (vi) accept the message when the first and second authentication credentials match and (1) the sequence number is within the corresponding window of sequence numbers and is marked as not received, or (2) the sequence number is above the corresponding window of sequence numbers; (vii) move the corresponding window of sequence numbers up to the sequence number when in step (vi) the sequence number is above the window of allowed sequence numbers; and (viii) mark the received sequence number as received within the window. (Dependent claims: 10, 11, 12, 13.)
14. A device, comprising:
a user database configured to store user authentication information; a sequence number database configured to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and configured to store sliding window information corresponding to each range of sequence numbers, said sliding window information indicating whether messages having sequence numbers within the sliding window have or have not been received; and a processor configured to control operation of the device, and further configured to: (i) receive a networked appliance control message comprising a first authentication credential value, a user identification (ID) and a sequence number; (ii) query the sequence number database for the sequence number; (iii) reject the networked appliance control message when the sequence number is below the corresponding window of sequence numbers, or the sequence number is within the corresponding window of sequence numbers and is marked as received; (iv) query the user database for a password corresponding to the user ID; (v) generate a second authentication credential based on information including the password and the sequence number; (vi) compare the first and second authentication credentials; (vii) reject the networked appliance control message when the two authentication credentials do not match; (viii) accept the networked appliance control message when the authentication credentials match and, either, the sequence number is within the corresponding window of sequence numbers and is marked as not received, or the sequence number is above the corresponding window of sequence numbers; (ix) move the corresponding window of sequence numbers up to the sequence number when in step (viii) the sequence number is above the window of allowed sequence numbers and the authentication credentials match; and (x) mark the sequence number as received within the window. (Dependent claims: 15.)
16. A device, comprising:
a storage apparatus configured to store user authentication information, to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and to store sliding window information corresponding to each range of sequence numbers, the sliding window information indicating whether messages having sequence numbers within a window have or have not been received; and a processor configured to control operation of the device, and further configured to: receive a plurality of networked appliance control messages each comprising a first authentication credential value, a user identification (ID) and a sequence number; for at least one of the messages, reject the message in response to the sequence number being below the window of sequence numbers or within the window of sequence numbers and indicated by the sliding window information as being associated with a message that has been received; for each message, determine a password associated with the user ID; for each message, generate a second authentication credential based on information including the password and the sequence number; for at least one of the messages, compare the first and second authentication credentials; for at least one of the messages, reject the message when the two authentication credentials do not match; for at least one of the messages, accept the message in response to the authentication credentials matching and, either, the sequence number being within the corresponding window of sequence numbers and marked as not received or the sequence number being above the window of sequence numbers; for at least one of the messages, move the window of sequence numbers to a position depending upon the sequence number in response to the sequence number being above the window of sequence numbers and the authentication credentials matching; and for at least one of the messages, update the sliding window information to indicate that a message having the sequence number has been received.
17. A computer-readable medium storing computer-executable instructions that instruct a computer to perform steps, the steps comprising:
receiving a plurality of networked appliance control messages each comprising a first authentication credential value, a user identification (ID) and a sequence number; for at least one of the messages, rejecting the message in response to the sequence number being below a predetermined window of sequence numbers or within the window of sequence numbers and indicated by stored sliding window information as being associated with a message that has been received; for each message, determining a password associated with the user ID; for each message, generating a second authentication credential based on information including the password and the sequence number; for at least one of the messages, comparing the first and second authentication credentials; for at least one of the messages, rejecting the message when the two authentication credentials do not match; for at least one of the messages, accepting the message in response to the authentication credentials matching and, either, the sequence number being within the corresponding window of sequence numbers and marked as not received or the sequence number being above the window of sequence numbers; for at least one of the messages, moving the window of sequence numbers to a position depending upon the sequence number in response to the sequence number being above the window of sequence numbers and the authentication credentials matching; and for at least one of the messages, updating the sliding window information to indicate that a message having the sequence number has been received.
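The accept/reject procedure of claims 9 and 14, combined with the per-device sub-ranges described in the abstract, as an added Python example (not code from the patent): a gateway carves a sub-range of each user's sequence space per remote device, keeps a sliding window with received marks for each pair, and verifies an HMAC-SHA256 credential over the IDs and sequence number as a stand-in for the patent's modified digest. The window size of 8, the 1000-number user space, and refusing sequence numbers outside a pair's assigned sub-range are assumptions of this example.

```python
import hashlib
import hmac
WINDOW = 8  # assumed window size; the claims leave it unspecified

class SeqWindow:
    """Sliding window over the sub-range [lo, hi] assigned to one (user, device) pair."""
    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi
        self.top = lo + WINDOW - 1  # highest sequence number the window currently covers
        self.received = set()       # numbers inside the window already marked as received

    def slide_to(self, seq):  # move the window up so seq is its new top; entries that fall off are forgotten
        self.top = seq
        self.received = {s for s in self.received if s > seq - WINDOW}

def credential(password, user_id, device_id, seq):
    """HMAC over the IDs and sequence number, keyed by the password (stand-in for the digest)."""
    msg = f"{user_id}|{device_id}|{seq}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()

class Gateway:
    def __init__(self, users, space_size=1000):
        self.users = users    # user database: user_id -> password
        self.windows = {}     # sequence number database: (user_id, device_id) -> SeqWindow
        self.next_lo = {}     # next unassigned number in each user's sequence space
        self.space_size = space_size

    def assign_range(self, user_id, device_id, size):
        """Carve the next sub-range of the user's space for this device; size reflects access frequency."""
        lo = self.next_lo.get(user_id, 0)
        if lo + size > self.space_size:
            raise ValueError("user sequence space exhausted")
        self.windows[(user_id, device_id)] = SeqWindow(lo, lo + size - 1)
        self.next_lo[user_id] = lo + size
        return lo, lo + size - 1

    def accept(self, user_id, device_id, seq, cred):
        """Steps (ii)-(x) of claim 14; returns 'accept' or the reject reason."""
        win = self.windows.get((user_id, device_id))
        if win is None or not (win.lo <= seq <= win.hi):
            return "reject: no range"  # assumption: numbers outside the assigned sub-range are refused
        if seq <= win.top - WINDOW or (seq <= win.top and seq in win.received):
            return "reject: replay"  # step (iii): below the window, or inside it and already received
        password = self.users.get(user_id, "")  # unknown user: empty secret, credential cannot match
        if not hmac.compare_digest(cred, credential(password, user_id, device_id, seq)):
            return "reject: bad credential"  # steps (iv)-(vii)
        if seq > win.top:
            win.slide_to(seq)  # step (ix): slide the window up to the new number
        win.received.add(seq)  # step (x)
        return "accept"        # step (viii)
```

The replay check runs before the MAC is computed, so a flood of replayed numbers is rejected without a hash per message; a number above the window moves the window and silently retires anything more than WINDOW numbers behind the new top.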
Specification