Method and apparatus for verifying data timeliness with time-based derived cryptographic keys

US 7,392,382 B1
Filed: 04/21/2003
Issued: 06/24/2008
Est. Priority Date: 04/21/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method of verifying data timeliness with time-based derived cryptographic keys, the method comprising:

receiving a master key;

receiving an identity of a current time interval;

wherein the master key and the identity of the current time interval are received from a key server;

deriving a first interval key based on both the master key and a first time interval; and

decrypting first data that was encrypted with the first interval keywherein the first time interval is determined based on a first time and the identity of the current time interval;

during a first interval of time, encrypting, with the first interval key, all data that is to be communicated to a particular group of recipients during the first interval of time;

deriving a second interval key based on both the master key and a second time that differs from the first time; and

during a second interval of time that occurs after the first interval of time, encrypting, with the second interval key, all data that is to be communicated to the particular group of recipients during the second interval of time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of verifying data timeliness with time-based derived cryptographic keys is disclosed. A master key is received. Based on both the master key and a current time, an interval key is derived. Data, which was encrypted with the interval key, is decrypted with the interval key.

Citations

28 Claims

1. A computer-implemented method of verifying data timeliness with time-based derived cryptographic keys, the method comprising:
- receiving a master key;
  
  receiving an identity of a current time interval;
  
  wherein the master key and the identity of the current time interval are received from a key server;
  
  deriving a first interval key based on both the master key and a first time interval; and
  
  decrypting first data that was encrypted with the first interval keywherein the first time interval is determined based on a first time and the identity of the current time interval;
  
  during a first interval of time, encrypting, with the first interval key, all data that is to be communicated to a particular group of recipients during the first interval of time;
  
  deriving a second interval key based on both the master key and a second time that differs from the first time; and
  
  during a second interval of time that occurs after the first interval of time, encrypting, with the second interval key, all data that is to be communicated to the particular group of recipients during the second interval of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising the computer-implemented steps of:
    - receiving the first data from a first sender;
      
      receiving, from a second sender that differs from the first sender, second data that was encrypted with the first interval key, wherein the second data differs from the first data; and
      
      decrypting the second data with the first interval key.
  - 3. The method of claim 1, wherein the first data does not contain a timestamp.
  - 4. The method of claim 1, further comprising the computer-implemented step of:
    - receiving a data packet that contains the first data;
      
      wherein the data packet comprises an Encapsulating Security Payload (ESP) packet.
  - 5. The method of claim 1, wherein deriving the first interval key comprises determining a value of a one-way function applied to a combination of the master key and a value that is associated with the first time.
  - 6. The method of claim 1, wherein deriving the first interval key comprises deriving the first interval key based on a source network address that is specified in a data packet that contains the first data.
  - 7. The method of claim 1, wherein deriving the first interval key based on the first time comprises deriving the first interval key based on a time of day at which an interval of a specified duration of time started.
  - 8. The method of claim 1, wherein deriving the first interval key based on the first time comprises deriving the first interval key based on a counter that indicates how many intervals of a specified duration of time have passed since a specified event occurred.
  - 9. The method of claim 1, further comprising the computer-implemented step of:
    - receiving an indication of an amount of time that remains in a time interval that corresponds to the first time.
  - 10. The method of claim 1, further comprising the computer-implemented step of:
    - preventing the first interval key from being used to decrypt data that is received after a specified period of time has passed since the first interval key was derived.

11. A computer-implemented method of verifying data timeliness with time-based derived cryptographic keys, the method comprising:
- receiving a master key from a key server;
  
  receiving, from the key server, an identity of a current time interval;
  
  receiving, from the key server, an indication of an amount of time remaining in the current time interval;
  
  setting a counter based on the identity of the current time interval;
  
  incrementing the counter upon determining that the difference between a current time and a time at which the indication was received is greater than or equal to the amount;
  
  deriving an interval key based on both the master key and the incremented counter;
  
  receiving, from a first sender that differs from the key server, first data that was encrypted with the interval key; and
  
  decrypting the first data with the interval key.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, wherein deriving the interval key comprises determining a value of a one-way function applied to a combination of the master key and the counter.
  - 13. The method of claim 11, further comprising the computer-implemented steps of:
    - receiving, from a second sender that differs from both the first sender and the key server, second data that was encrypted with the interval key; and
      
      decrypting the second data with the interval key;
      
      wherein the second data differs from the first data.

14. A computer-implemented method of verifying data timeliness with time-based derived cryptographic keys, the method comprising:
- receiving, through a network, a master key from a key server that sent the master key according to the Group Domain of Interpretation (GDOI) protocol in response to receiving a request to join a group;
  
  receiving, through the network, from the key server, an identity of a current time interval that is known to each member of the group;
  
  receiving, through the network, from the key server, an indication of an amount of time remaining in the current time interval;
  
  setting a counter based on the identity of the current time interval;
  
  receiving, through the network, from a first member of the group, a multicasted Encapsulating Security Protocol (ESP) packet that contains first data that the first member encrypted with a first interval key that the first member derived based on the master key, the identity, and an Internet Protocol (IP) address of the first member;
  
  deriving the first interval key based on the master key, the counter, and the IP address of the first member; and
  
  decrypting the first data with the first interval key.
- View Dependent Claims (15)
- - 15. The method of claim 14, further comprising the computer-implemented steps of:
    - receiving, through the network, from a second member of the group, a multicasted ESP packet that contains second data that that the second member encrypted with a second interval key that the second member derived based on the master key, the counter, and an IP address of the second member;
      
      deriving the second interval key based on the master key, the counter, and the IP address of the second member; and
      
      decrypting the second data with the second interval key.

16. A volatile or non-volatile computer-readable medium carrying one or more sequences of instructions for verifying data timeliness with time-based derived cryptographic keys, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving a master key;
  
  receiving an identity of a current time interval;
  
  wherein the master key and the identity of the current time interval are received from a key server;
  
  deriving an interval key based on both the master key and a time interval; and
  
  decrypting data that was encrypted with the interval key;
  
  wherein the first time interval is determined based on a first time and the identity of the current time interval;
  
  during a first interval of time, encrypting, with the first interval key, all data that is to be communicated to a particular group of recipients during the first interval of time;
  
  deriving a second interval key based on both the master key and a second time that differs from the first time; and
  
  during a second interval of time that occurs after the first interval of time, encrypting, with the second interval key, all data that is to be communicated to the particular group of recipients during the second interval of time.

17. An apparatus for verifying data timeliness with time-based derived cryptographic keys, comprising:
- means for receiving a master key;
  
  means for receiving an identity of a current time interval;
  
  wherein the master key and the identity of the current time interval are received from a key server;
  
  means for deriving a first interval key based on both the master key and a first time interval; and
  
  means for decrypting first data that was encrypted with the first interval key;
  
  wherein the first time interval is determined based on a first time and the identity of the current time interval;
  
  means for encrypting, during a first interval of time, with the first interval key, all data that is to be communicated to a particular group of recipients during the first interval of time;
  
  means for deriving a second interval key based on both the master key and a second time that differs from the first time; and
  
  means for encrypting, during a second interval of time that occurs after the first interval of time, with the second interval key, all data that is to be communicated to the particular group of recipients during the second interval of time.
- View Dependent Claims (28)
- - 28. The apparatus of claim 17, further comprising:
    - means for deriving a second interval key based on both the master key and a second time that differs from the first time, wherein the second interval key differs from the first interval key; and
      
      means for decrypting second data that was encrypted with the second interval key.

18. An apparatus for verifying data timeliness with time-based derived cryptographic keys, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor; and
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving a master key;
  
  receiving an identity of a current time interval;
  
  wherein the master key and the identity of the current time interval are received from a key server;
  
  deriving a first interval key based on both the master key and a first time interval; and
  
  decrypting first data that was encrypted with the first interval key;
  
  wherein the first time interval is determined based on a first time and the identity of the current time interval;
  
  during a first interval of time, encrypting, with the first interval key, all data that is to be communicated to a particular group of recipients during the first interval of time;
  
  deriving a second interval key based on both the master key and a second time that differs from the first time; and
  
  during a second interval of time that occurs after the first interval of time, encrypting, with the second interval key, all data that is to be communicated to the particular group of recipients during the second interval of time.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The apparatus of claim 18, wherein the one or more stored sequences of instructions further comprise:
    - instructions for receiving the first data from a first sender;
      
      instructions for receiving, from a second sender that differs from the first sender, second data that was encrypted with the first interval key, wherein the second data differs from the first data; and
      
      instructions for decrypting the second data with the first interval key.
  - 20. The apparatus of claim 18, wherein the first data does not contain a timestamp.
  - 21. The apparatus of claim 18, wherein the one or more stored sequences of instructions further comprise:
    - instructions for receiving a data packet that contains the first data;
      
      wherein the data packet comprises an Encapsulating Security Payload (ESP) packet.
  - 22. The apparatus of claim 18, wherein the one or more stored sequences of instructions further comprise instructions for determining a value of a one-way function applied to a combination of the master key and a value that is associated with the first time.
  - 23. The apparatus of claim 18, wherein the one or more stored sequences of instructions further comprise instructions for deriving the first interval key based on a source network address that is specified in a data packet that contains the first data.
  - 24. The apparatus of claim 18, wherein the one or more stored sequences of instructions further comprise instructions for deriving the first interval key based on a time of day at which an interval of a specified duration of time started.
  - 25. The apparatus of claim 18, wherein the one or more stored sequences of instructions further comprise instructions for deriving the first interval key based on a counter that indicates how many intervals of a specified duration of time have passed since a specified event occurred.
  - 26. The apparatus of claim 18, wherein the one or more stored sequences of instructions further comprise:
    - instructions for receiving an indication of an amount of time that remains in a time interval that corresponds to the first time.
  - 27. The apparatus of claim 18, wherein the one or more stored sequences of instructions further comprise:
    - instructions for preventing the first interval key from being used to decrypt data that is received after a specified period of time has passed since the first interval key was derived.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Weis, Brian, McGrew, David
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
YALEW, FIKREMARIAM A

Application Number

US10/420,100
Time in Patent Office

1,891 Days
Field of Search

713/163, 713/160, 380/277, 380/44
US Class Current

713/163
CPC Class Codes

H04L 9/088 Usage controlling of secret...

Method and apparatus for verifying data timeliness with time-based derived cryptographic keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for verifying data timeliness with time-based derived cryptographic keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links