Authentication of remotely originating network messages

US 7,290,141 B2
Filed: 06/27/2002
Issued: 10/30/2007
Est. Priority Date: 06/27/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A device, comprising:

a database configured to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and to store sliding window information corresponding to each range of sequence numbers; and

a processor configured to control operation of the device, and further configured to;

(i) receive a first message comprising a user identification (ID) and a first remote device ID,(ii) assign a first available range of sequence numbers to the user ID and first remote device ID pair,(iii) receive a second message comprising the user ID and a second remote device ID, and(iv) assign a second available range of sequence numbers to the user ID and second remote device ID pair,wherein the first available range of sequence numbers and the second available range of sequence numbers each comprise a sub-part of a range of sequence numbers assigned to the user ID, and wherein the size of each of the first available range of sequence numbers and the second available range of sequence numbers is proportional to an access frequency used by the user ID.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for authenticating messages received from users across multiple remote devices are provided. A residential gateway authenticates a user using a modified digest authentication scheme by storing a sequence number in the nonce field. Access encryption keys and sequence number spaces may be assigned based on user or on user/remote device pairs. When sequence number spaces are assigned based on user, and the user uses multiple remote devices to access the residential gateway, the sequence number space may be divided into mini-sequence number spaces for each of the multiple remote devices. Access encryption may be two-tiered, such that a secondary key is generated based on a user'"'"'s primary key, and the secondary key is only valid for a limited amount of time before it expires and a new secondary key must be generated.

44 Citations

View as Search Results

17 Claims

1. A device, comprising:
- a database configured to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and to store sliding window information corresponding to each range of sequence numbers; and
  
  a processor configured to control operation of the device, and further configured to;
  
  (i) receive a first message comprising a user identification (ID) and a first remote device ID,(ii) assign a first available range of sequence numbers to the user ID and first remote device ID pair,(iii) receive a second message comprising the user ID and a second remote device ID, and(iv) assign a second available range of sequence numbers to the user ID and second remote device ID pair,wherein the first available range of sequence numbers and the second available range of sequence numbers each comprise a sub-part of a range of sequence numbers assigned to the user ID, and wherein the size of each of the first available range of sequence numbers and the second available range of sequence numbers is proportional to an access frequency used by the user ID.
- View Dependent Claims (2, 3, 4, 5, 6, 8)
- - 2. The device of claim 1, wherein the first and second received messages each comprises encrypted data, and wherein the processor is further configured to, for each of the first and second received messages, decrypt the encrypted data using a decryption key corresponding to the user ID.
  - 3. The device of claim 2, wherein the encrypted data comprises networked appliance information.
  - 4. The device of claim 1, wherein each received message comprises encrypted data, and wherein the processor is further configured to:
    - (v) decrypt the encrypted data in the first received message using a first decryption key corresponding to the user ID and first remote device ID pair; and
      
      (vi) decrypt the encrypted data in the second received message using a second decryption key, different from the first decryption key, corresponding to the user ID and second remote device ID pair.
  - 5. The device of claim 1, wherein the first available range of sequence numbers and the second available range of sequence numbers are mutually exclusive.
  - 6. The device of claim 1, wherein the first available range of sequence numbers and the second available range of sequence numbers are of equal size.
  - 8. The device of claim 1, where the size of each of the first available range of sequence numbers is proportional to the access frequency used by the user ID using a first remote device having the first remote device ID, and the second available range of sequence numbers is proportional to an access frequency used by the user ID using a second remote device having the second remote device ID.

7. A device, comprising:
- a database configured to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and to store sliding window information corresponding to each range of sequence numbers; and
  
  a processor configured to control operation of the device, and further configured to;
  
  (i) receive a first message comprising a user identification (ID) and a first remote device ID,(ii) assign a first available range of sequence numbers to the user ID and first remote device ID pair,(iii) receive a second message comprising the user ID and a second remote device ID, and(iv) assign a second available range of sequence numbers to the user ID and second remote device ID pair,wherein the first available range of sequence numbers and the second available range of sequence numbers each comprise a sub-part of a range of sequence numbers assigned to the user ID, where the size of each of the first available range of sequence numbers is proportional to an access frequency used by a first remote device having the first remote device ID, and the second available range of sequence numbers is proportional to an access frequency used by a second remote device having the second remote device ID.

9. A device, comprising:
- a sequence number database configured to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and to store sliding window information corresponding to each range of sequence numbers, said sliding window information indicating whether each message within the sliding window has or has not been received;
  
  a processor configured to control operation of the device, and further configured to;
  
  (i) receive a message comprising a first authentication credential, a user identification (ID) and a predetermined sequence number;
  
  (ii) retrieve a secret corresponding at least to the user ID;
  
  (iii) generate a second authentication credential based on information comprising the retrieved secret and the predetermined sequence number;
  
  (iv) compare the first and second authentication credentials,(v) query the database for the received sequence number; and
  
  (vi) accept the message when the first and second authentication credentials match and(1) the sequence number is within the corresponding window of sequence numbers and is marked as not received, or(2) the sequence number is above the corresponding window of sequence numbers;
  
  (vii) move the corresponding window of sequence numbers up to the sequence number when in step (vi) the sequence number is above the window of allowed sequence numbers; and
  
  (viii) mark the received sequence number as received within the window.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The device of claim 9, wherein in step (i) the received message comprises encrypted data, and the processor is further configured to select a decryption key based on the user ID and a device ID corresponding to a device used to send the message.
  - 11. The device of claim 9, wherein in step (i) the message comprises a networked appliance message.
  - 12. The device of claim 9, wherein in step (i) the authentication credential is stored in a response field.
  - 13. The device of claim 9, wherein in step (ii) the secret corresponds to a combination of the user ID and a device ID corresponding to a device used to send the message.

14. A devices, comprising:
- a user database configured to store user authentication information;
  
  a sequence number database configured to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and configured to store sliding window information corresponding to each range of sequence numbers, said sliding window information indicating whether messages having sequence numbers within the sliding window have or have not been received; and
  
  a processor configured to control operation of the device, and further configured to;
  
  (i) receive a networked appliance control message comprising a first authentication credential value, a user identification (ID) and a sequence number;
  
  (ii) query the sequence number database for the sequence number;
  
  (iii) reject the networked appliance control message when the sequence number is below the corresponding window of sequence numbers, or the sequence number is within the corresponding window of sequence numbers and is marked as received;
  
  (iv) query the user database for a password corresponding to the user ID;
  
  (v) generate a second authentication credential based on information including the password and the sequence number;
  
  (vi) compare the first and second authentication credentials;
  
  (vii) reject the networked appliance control message when the two authentication credentials do not match;
  
  (viii) accept networked appliance control message when the authentication credentials match and, either, the sequence number is within the corresponding window of sequence numbers and is marked as not received, or the sequence number is above the corresponding window of sequence numbers;
  
  (ix) move the corresponding window of sequence numbers up to the sequence number when in step (viii) the sequence number is above the window of allowed sequence numbers and the authentication credentials match; and
  
  (x) mark the sequence number as received within the window.
- View Dependent Claims (15)
- - 15. The device of claim 14, wherein the networked appliance message comprises encrypted data, and the processor is further configured to decrypt the message using a decryption key based on the user ID and a device ID corresponding to the remote access device used to send the message.

16. A device, comprising:
- a storage apparatus configured to store user authentication information, to store information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and to store sliding window information corresponding to each range of sequence numbers, the sliding window information indicating whether messages having sequence numbers within a window have or have not been received; and
  
  a processor configured to control operation of the device, and further configured to;
  
  receive a plurality of networked appliance control messages each comprising a first authentication credential value, a user identification (ID) and a sequence number,for at least one of the messages, reject the message in response to the sequence number being below the window of sequence numbers or within the window of sequence numbers and indicated by the sliding window information as being associated with a message that has been received,for each message, determine a password associated with the user ID,for each message, generate a second authentication credential based on information including the password and the sequence number,for at least one of the messages, compare the first and second authentication credentials;
  
  for at least one of the messages, reject the message when the two authentication credentials do not match;
  
  for at least one of the messages, accept the message in response to the authentication credentials matching and, either;
  
  the sequence number being within the corresponding window of sequence numbers and marked as not received or the sequence number being above the window of sequence numbers,for at least one of the messages, move the window of sequence numbers to a position depending upon the sequence number in response to the sequence number being above the window of sequence numbers and the authentication credentials matching, andfor at least one of the message, update the sliding window information to indicate that a message having the sequence number has been received.

17. A computer-readable medium storing computer-executable instructions that instruct a computer to perform steps, the steps comprising:
- receiving a plurality of networked appliance control messages each comprising a first authentication credential value, a user identification (ID) and a sequence number;
  
  for at least one of the messages, rejecting the message in response to the sequence number being below a predetermined window of sequence numbers or within the window of sequence numbers and indicated by stored sliding window information as being associated with a message that has been received;
  
  for each message, determining a password associated with the user ID;
  
  for each message, generating a second authentication credential based on information including the password and the sequence number;
  
  for at least one of the messages, comparing the first and second authentication credentials;
  
  for at least one of the messages, rejecting the message when the two authentication credentials do not match;
  
  for at least one of the messages, accepting the message in response to the authentication credentials matching and, either;
  
  the sequence number being within the corresponding window of sequence numbers and marked as not received or the sequence number being above the window of sequence numbers;
  
  for at least one of the messages, moving the window of sequence numbers to a position depending upon the sequence number in response to the sequence number being above the window of sequence numbers and the authentication credentials matching; and
  
  for at least one of the message, updating the sliding window information to indicate that a message having the sequence number has been received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Solutions and Networks US LLC (Nokia Corporation)
Original Assignee
Nokia, Inc. (Nokia Corporation)
Inventors
Sengodan, Senthil, Chan, Tat
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
NOBAHAR, ABDULHAKIM

Application Number

US10/180,096
Publication Number

US 20040003241A1
Time in Patent Office

1,951 Days
Field of Search

713/184, 713/168, 380/262, 380/45
US Class Current

713/168
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0428   wherein the data content is...

H04L 63/064   Hierarchical key distributi...

H04L 63/08   for authentication of entit...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3271   using challenge-response

Authentication of remotely originating network messages

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Authentication of remotely originating network messages

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others