System for efficiently handling cryptographic messages containing nonce values

US 7,856,660 B2
Filed: 08/21/2001
Issued: 12/21/2010
Est. Priority Date: 08/21/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method of processing out-of-order message packets, comprising:

obtaining a maximum largest nonce value;

comparing, with said secure communication module of said receiving client device, a nonce value of a received out-of-order message packet with a largest nonce value yet seen;

adjusting, with said secure communication module of said receiving client device, a size of a range of acceptable nonce values within a single replay attack acceptance window, where said size of said range is based on said largest nonce value yet seen;

comparing, with said secure communication module of said receiving client device, said largest nonce value yet seen with said maximum largest nonce value; and

resetting said largest nonce value yet seen and generating a new cryptographic key when said largest nonce value yet seen exceeds said maximum largest nonce value.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for determining the validity of a received cryptographic message while ensuring for out-of-order messages is utilized to provide for secure communications among peers in a network. In particular, a secure communication module may be configured to accept the cryptographic message in response to a received nonce value of the received message is greater than the largest nonce value yet seen. Otherwise, when the received nonce value is not the largest nonce value yet seen, the secure communication module may be configured to compare the received nonce value with a nonce acceptance window. If the received nonce value falls outside the nonce acceptance window, the secure communication module may be further configured to reject the received message and assume that a replay attack has been detected. If the received nonce value falls within the nonce acceptance window, the secure communication module may be further configured to determine if the received nonce value has been seen before by comparing the received nonce value with a replay window mask. If the received nonce has been seen before, the secure communication module may be further configured to reject the received message and assume a replay attack. Otherwise, the secure communication module may be further configured to accept the message and add the received nonce value to the replay window mask.

37 Citations

View as Search Results

43 Claims

1. A method of processing out-of-order message packets, comprising:
- obtaining a maximum largest nonce value;
  
  comparing, with said secure communication module of said receiving client device, a nonce value of a received out-of-order message packet with a largest nonce value yet seen;
  
  adjusting, with said secure communication module of said receiving client device, a size of a range of acceptable nonce values within a single replay attack acceptance window, where said size of said range is based on said largest nonce value yet seen;
  
  comparing, with said secure communication module of said receiving client device, said largest nonce value yet seen with said maximum largest nonce value; and
  
  resetting said largest nonce value yet seen and generating a new cryptographic key when said largest nonce value yet seen exceeds said maximum largest nonce value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, further comprising:
    - designating, with said secure communication module of said receiving client device, said nonce value as said largest nonce value yet seen if said nonce value exceeds said largest nonce value yet seen.
  - 3. The method according to claim 1, further comprising:
    - replacing, with said secure communication module of said receiving client device, said largest nonce value yet seen with said nonce value if said nonce value exceeds said largest nonce value yet seen.
  - 4. The method according to claim 1, further comprising:
    - adjusting, with said secure communication module of said receiving client device, a single replay attack acceptance window if said nonce value exceeds said largest nonce value yet seen.
  - 5. The method according to claim 1, further comprising:
    - designating, with said secure communication module of said receiving client device, said received out-of-order message packet as a replay attack.
  - 6. The method according to claim 1, further comprising:
    - comparing, with said secure communication module of said receiving client device, said nonce value to a window mask value if said nonce value falls within said single replay attack acceptance window; and
      
      rejecting, with said secure communication module of said receiving client device, said received out-of-order message packet if said nonce value is within said window mask value.
  - 7. The method according to claim 6, further comprising:
    - designating, with said secure communication module of said receiving client device, said received out-of-order message packet as part of a replay attack.
  - 8. The method according to claim 1, further comprising:
    - comparing, with said secure communication module of said receiving client device, said nonce value to a window mask value if said nonce value falls within said single replay attack acceptance window; and
      
      accepting, with said secure communication module of said receiving client device, said received out-of-order message packet if said nonce value is outside said single replay attach acceptance window.
  - 9. The method according to claim 8, further comprising:
    - designating, with said secure communication module of said receiving client device, said nonce value as a largest nonce value yet seen.

10. An apparatus for processing out-of-order message packets, said apparatus comprising:
- a receiving communication interface configured to transmit and receive a plurality of packets; and
  
  a receiving controller, wherein said receiving controller is configured to;
  
  obtain a maximum largest nonce value;
  
  compare a nonce value of a received out-of-order message packet and a largest nonce value yet seen;
  
  adjust a size of a range of acceptable nonce values within a single replay attack acceptance window, where said size of said range is based on said largest nonce value yet seen;
  
  compare said largest nonce value yet seen with said maximum largest nonce value; and
  
  resetting said largest yet seen and generating a new cryptographic key when said largest nonce value yet seen exceeds said maximum largest nonce value.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus according to claim 10, wherein:
    - said receiving controller is further configured to designate said nonce value as said largest nonce value yet seen if said nonce value exceeds said largest nonce value yet seen.
  - 12. The apparatus according to claim 10, wherein:
    - said receiving controller is further configured to adjust a single replay attack acceptance window if said largest nonce value yet seen exceeds said largest nonce value yet seen.
  - 13. The apparatus according to claim 10, wherein:
    - said receiving controller is further configured to replace said largest nonce value yet seen with said nonce value if said nonce value exceeds said largest nonce value yet seen.
  - 14. The apparatus according to claim 10, wherein:
    - said receiving controller is further configured to designate said received out-of-order message packet as part of a replay attack.
  - 15. The apparatus according to claim 10, wherein said controller is further configured to:
    - compare said nonce value to a window mask value if said nonce value falls within a single replay attack acceptance window; and
      
      reject said received out-of-order message packet if said nonce value falls outside said single replay attack acceptance window.
  - 16. The apparatus according to claim 15, wherein:
    - said receiving controller is further configured to designate said received out-of-order message packet as part of a replay attack.
  - 17. The apparatus according to claim 10, wherein said controller is configured to:
    - compare said nonce value to a replay attack acceptance window value if said nonce value falls within said single replay attack acceptance window; and
      
      accept said received out-of-order message packet if said nonce value falls within said single replay attack acceptance window.
  - 18. The apparatus according to claim 17, wherein:
    - said receiving controller is further configured to mark said nonce value as said largest nonce value yet seen.

19. A non-transitory computer readable storage medium on which is embedded one or more computer programs, said one or more computer programs implementing a method of processing out-of-order message packets, said one or more computer programs comprising a set of instructions for:
- obtaining a maximum largest nonce value;
  
  comparing, with said secure communication module of said receiving client device, a nonce value of a received out-of-order message packet and a largest nonce value yet seen;
  
  adjusting, with said secure communication module of said receiving client device, a size of a range of acceptable nonce values within a single replay attack acceptance window, where said size of said range is based on said largest nonce value yet seen;
  
  comparing, with said secure communication module of said receiving client device, said largest nonce value yet seen with said maximum largest nonce value; and
  
  resetting said largest nonce value yet seen and generating a new cryptographic key when said largest nonce value yet seen exceeds said maximum largest nonce value.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - designating, with said secure communication module of said receiving client device, said nonce value as said largest nonce value yet seen if said nonce value exceeds said largest nonce value yet seen.
  - 21. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - replacing, with said secure communication module of said receiving client device, said largest nonce value yet seen with said nonce value if said nonce value exceeds said largest nonce value yet seen.
  - 22. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - adjusting, with said secure communication module of said receiving client device, a single replay attack acceptance window based on said nonce value if said nonce value exceeds said largest nonce value yet seen.
  - 23. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - designating, with said secure communication module of said receiving client device, said received out-of-order message packet as a replay attack.
  - 24. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - comparing, with said secure communication module of said receiving client device, said nonce value to a window mask value if said nonce value falls within a single replay attack acceptance window; and
      
      rejecting, with said secure communication module of said receiving client device, said received out-of-order message packet if said nonce value falls outside said single replay attack acceptance window.
  - 25. The computer readable storage medium in according to claim 24, said one or more computer programs further comprising a set of instructions for:
    - designating, with said secure communication module of said receiving client device, said received out-of-order message packet as part of a replay attack.
  - 26. The computer readable storage medium in according to claim 19, said one or more computer programs further comprising a set of instructions for:
    - comparing, with said secure communication module of said receiving client device, said nonce value to a window mask value if said nonce value falls within a single replay attack acceptance window; and
      
      accepting, with said secure communication module of said receiving client device, said received out-of-order message packet if said nonce value falls within said single replay attack acceptance window.
  - 27. The computer readable storage medium in according to claim 26, said one or more computer programs further comprising a set of instructions for:
    - designating, with said secure communication module of said receiving client device, said nonce value as said largest nonce value yet seen.

28. A system for processing out-of-order message packets in a peer-to-peer configuration, comprising:
- a first peer configured to provide secure communication;
  
  a second peer configured to provide said secure communication; and
  
  a receiving secure communication module configured to be executed by said first peer and second peer, wherein said receiving secure communication module is configured to;
  
  obtain a maximum largest nonce value;
  
  compare a nonce value of a received out-of-order packet to a largest nonce value yet seen;
  
  adjust a size of a range of acceptable nonce values within a single replay attack mask, where said size of said range is based on said largest nonce value yet seen;
  
  compare said largest nonce value yet seen with said maximum largest nonce value; and
  
  reset said largest nonce value yet seen and generate a new cryptographic key when said largest nonce value yet seen exceeds said maximum largest nonce value.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
- - 29. The system according to claim 28, wherein:
    - said receiving secure communication module is further configured to designate said nonce value as said largest nonce value yet seen if said nonce value exceeds said largest nonce value yet seen.
  - 30. The system according to claim 28, wherein:
    - said receiving secure communication module is further configured to adjust a single replay attack mask based on said largest nonce value yet seen if said nonce value exceeds said largest nonce value yet seen.
  - 31. The system according to claim 28, wherein:
    - said receiving secure communication module is further configured to reject said received out-of-order packet if said nonce value falls outside a single replay attack mask.
  - 32. The system according to claim 31, wherein:
    - said receiving secure communication module is further configured to designate said received out-of-order packet as part of a replay attack.
  - 33. The system according to claim 32, wherein:
    - said receiving secure communication module is further configured to reject said received out-of-order packet if said nonce value falls outside a single replay attack mask.
  - 34. The system according to claim 33, wherein:
    - said receiving secure communication module is further configured to designate said received out-of-order packet as part of a replay attack.
  - 35. The system according to claim 28, wherein:
    - said receiving secure communication module is further configured to reject said received out-of-order packet if said nonce value falls outside a single replay attack mask; and
      
      said receiving secure communication module is further configured to designate said received out-of-order packet as part of a replay attack.

36. A receiving interceptor device for processing out-of-order message packets, said receiving interceptor device comprising:
- a network interface;
  
  an expected sequence register configured to enumerate an expected sequence number of a message packet received out-of-order from a second network device; and
  
  a receiving controller, wherein said receiving controller is configured to;
  
  obtain a maximum largest nonce value;
  
  compare a nonce value to of a received out-of-order message packet with a largest nonce value yet seen;
  
  adjust a size of a range of acceptable nonce values within a single replay attack mask, where said size of said range is based on said largest nonce value yet seen;
  
  compare said largest nonce value yet seen with said maximum largest nonce value; and
  
  reset said largest nonce value yet seen and generate a new cryptographic key when said largest nonce value yet seen exceeds said maximum largest nonce value.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43)
- - 37. The receiving interceptor device according to claim 36, wherein:
    - said controller is further configured to designate said sequence number as said largest nonce value yet seen if said sequence number exceeds said largest sequence number yet seen.
  - 38. The receiving interceptor device according to claim 36, wherein:
    - said controller is further configured to adjust said single replay attack mask based on said largest nonce value yet seen if said sequence number exceeds said largest nonce value yet seen.
  - 39. The receiving interceptor device according to claim 36, wherein:
    - said controller is further configured to reject said received out-of-order packet if said sequence number falls outside a single replay attack mask.
  - 40. The receiving interceptor device according to claim 36, wherein:
    - said controller is further configured to designate said received out-of-order packet as part of a replay attack.
  - 41. The receiving interceptor device according to claim 36, wherein:
    - said controller is further configured to reject said received out-of-order packet if said sequence number falls outside a single replay attack mask.
  - 42. The receiving interceptor device according to claim 41, wherein:
    - said controller is further configured to designate said received out-of-order packet as part of a replay attack.
  - 43. The receiving interceptor device according to claim 36, wherein:
    - said controller is further configured to reject said received out-of-order packet if said sequence number falls outside a single replay attack mask; and
      
      said controller is further configured to designate said received out-of-order packet as part of a replay attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TeleCommunication Systems Inc (Comtech Telecommunications Corporation)
Original Assignee
TeleCommunication Systems Inc (Comtech Telecommunications Corporation)
Inventors
Voris, Jim, Lagimonier, Todd
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US09/932,982
Publication Number

US 20030041265A1
Time in Patent Office

3,409 Days
Field of Search

713/170, 713/171, 726/22
US Class Current

726/22
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/0876   based on the identity of th...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 9/321   involving a third party or ...

H04W 12/02   Protecting privacy or anony...

H04W 12/041   Key generation or derivation

H04W 12/121   Wireless intrusion detectio...

System for efficiently handling cryptographic messages containing nonce values

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

43 Claims

Specification

Use Cases

Quick Links

Others

System for efficiently handling cryptographic messages containing nonce values

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

43 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others