Approaches for automatically switching message authentication keys

US 8,140,851 B1
Filed: 02/24/2006
Issued: 03/20/2012
Est. Priority Date: 02/24/2006
Status: Active Grant

First Claim

Patent Images

1. A method, the method comprising:

testing a date-time value received in each of a plurality of data segments on a connection at a first endpoint of two endpoints;

wherein the first endpoint of the two endpoints is configured to use the date-time value to determine when a data segment that carries the date-time value was sent by the other endpoint of the two endpoints;

wherein the plurality of data segments are received after an establishment of the connection, and wherein the date-time value represents an amount of time elapsed since the connection was established; and

selecting a next message authentication key, from among a plurality of stored message authentication keys stored at the first endpoint, for use in authenticating subsequently received data segments, when the date-time value matches a specified characteristic;

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches are disclosed for switching transport protocol connection keys. A method of automatically changing a message authentication key at each of two endpoints of a connection in a telecommunications network comprises testing a date-time value received in each of a plurality of data segments on the connection; and selecting a next message authentication key, from among a plurality of stored message authentication keys, for use in authenticating subsequently received data segments, when the date-time value matches a specified characteristic.

33 Citations

View as Search Results

20 Claims

1. A method, the method comprising:
- testing a date-time value received in each of a plurality of data segments on a connection at a first endpoint of two endpoints;
  
  wherein the first endpoint of the two endpoints is configured to use the date-time value to determine when a data segment that carries the date-time value was sent by the other endpoint of the two endpoints;
  
  wherein the plurality of data segments are received after an establishment of the connection, and wherein the date-time value represents an amount of time elapsed since the connection was established; and
  
  selecting a next message authentication key, from among a plurality of stored message authentication keys stored at the first endpoint, for use in authenticating subsequently received data segments, when the date-time value matches a specified characteristic;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1, wherein the specified characteristic is a date-time value greater than an initial date-time value that was received from a second endpoint of the two endpoints when the connection was established.
  - 3. A method as recited in claim 1, wherein the specified characteristic is an expiration date of a first password.
  - 4. A method as recited in claim 1, wherein determining whether the date-time value matches a specified characteristic includes determining that a current time according to a second endpoint of the two endpoints has exceeded an expiration date of a first password.
  - 5. A method as recited in claim 1, wherein determining whether the date-time value matches a specified characteristic includes determining that a current time according to a second endpoint of the two endpoints has exceeded an expiration date of a first password by comparing a current value of a received data segment with a value of a data segment received at a time the connection was established and determining a time elapsed according to the second endpoint since the connection was established.
  - 6. A method as recited in claim 1, wherein the connection is a transport control protocol (TCP) connection, and wherein the date-time value is a TCP timestamp value.
  - 7. A method as recited in claim 1, wherein the next message authentication key is a hash algorithm key value for performing hash-based message authentication of a TCP segment.
  - 8. A method as recited in claim 1, wherein the next message authentication key is a MD5 hash algorithm key value for performing hash-based message authentication of a TCP segment.

9. An apparatus comprising:
- a processor;
  
  a network interface coupled to the processor and coupled to the network for receiving packet flows therefrom;
  
  a volatile or non-volatile computer-readable storage medium coupled to the processor and comprising one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform the steps of;
  
  testing a date-time value received in each of a plurality of data segments on a connection at a first endpoint of two endpoints;
  
  wherein the first endpoint of the two endpoints is configured to use the date-time value to determine when a data segment that carries the date-time value was sent by the other endpoint of the two endpoints;
  
  wherein the plurality of data segments are received after an establishment of the connection, and wherein the date-time value represents an amount of time elapsed since the connection was established; and
  
  selecting a next message authentication key, from among a plurality of stored message authentication keys stored at the first endpoint, for use in authenticating subsequently received data segments, when the date-time value matches a specified characteristic.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. An apparatus as recited in claim 9, wherein the specified characteristic is a date-time value greater than an initial date-time value that was received from a second endpoint of the two endpoints when the connection was established.
  - 11. An apparatus as recited in claim 9, wherein the specified characteristic is an expiration date of a first password.
  - 12. An apparatus as recited in claim 9, wherein the one or more stored sequences of instructions include instructions, which, when executed by the processor, cause the processor to perform determining that a current time according to a second endpoint of the two endpoints has exceeded an expiration date of a first password.
  - 13. An apparatus as recited in claim 9, wherein the one or more stored sequences of instructions include instructions, which, when executed by the processor, cause the processor to perform determining that a current time according to a second endpoint of the two endpoints has exceeded an expiration date of a first password by comparing a current value of a received data segment with a value of a data segment received at a time the connection was established and determining a time elapsed according to the second endpoint since the connection was established.
  - 14. An apparatus as recited in claim 9, wherein the connection is a transport control protocol (TCP) connection, and wherein the date-time value is a TCP timestamp value.
  - 15. An apparatus as recited in claim 9, wherein the next message authentication key is a hash algorithm key value for performing hash-based message authentication of a TCP segment.
  - 16. An apparatus as recited in claim 9, wherein the next message authentication key is a MD5 hash algorithm key value for performing hash-based message authentication of a TCP segment.

17. A non-transitory computer-readable tangible storage medium carrying one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- testing a date-time value received in each of a plurality of data segments on a connection at a first endpoint of two endpoints;
  
  wherein the first endpoint of the two endpoints is configured to use the date-time value to determine when a data segment that carries the date-time value was sent by the other endpoint of the two endpoints;
  
  wherein the plurality of data segments are received after an establishment of the connection, and wherein the date-time value represents an amount of time elapsed since the connection was established; and
  
  selecting a next message authentication key, from among a plurality of stored message authentication keys stored at the first endpoint, for use in authenticating subsequently received data segments, when the date-time value matches a specified characteristic.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable tangible storage medium of claim 17, wherein the one or more stored sequences of instructions include instructions, which, when executed by the processor, cause the processor to perform determining that the current time according to a second endpoint of the two endpoints has exceeded an expiration date of the first password.
  - 19. The non-transitory computer-readable tangible storage medium of claim 17, wherein the one or more stored sequences of instructions include instructions, which, when executed by the processor, cause the processor to perform determining that a current time according to a second endpoint of the two endpoints has exceeded an expiration date of a first password by comparing a current value of a received data segment with a value of a data segment received at a time the connection was established and determining a time elapsed according to the second endpoint since the connection was established.
  - 20. The non-transitory computer-readable tangible storage medium of claim 17, wherein the next message authentication key is a hash algorithm key value for performing hash-based message authentication of a TCP segment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Mynam, Satish K., Appanna, Chandrashekhar, Djernaes, Martin
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
TRUONG, THONG P

Application Number

US11/361,451
Time in Patent Office

2,216 Days
Field of Search

705/67, 705/50, 713/171, 713/168, 713/170, 713/172, 713/178, 380/281, 709/246
US Class Current

713/178
CPC Class Codes

H04L 9/0891 Revocation or update of sec...

H04L 9/3297 involving time stamps, e.g....

Approaches for automatically switching message authentication keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Approaches for automatically switching message authentication keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links