Methods and systems for unilateral authentication of messages
First Claim
1. A system comprising:
- an access module configured to access authentication information made available by a first computing device, the authentication information including content data, a public key of the first computing device, a first network address of the first computing device, and a digital signature;
a deriving module configured to derive a portion of a second network address from the public key of the first computing device by taking a portion of a value derived by hashing a combination of the public key and a modifier;
a validation module configured to validate the digital signature using the public key;
an accepting module configured to accept the content data when the derived portion of the second network address matches a corresponding portion of the first network address and when the digital signature is valid; and
one or more processing units configured to execute the access module, the deriving module, the validation module, and the accepting module.
1 Assignment
0 Petitions
Accused Products
Abstract
Disclosed is an authentication mechanism that enables an information recipient to ascertain that the information comes from the sender it purports to be from. This mechanism integrates a private/public key pair with selection by the sender of a portion of its address. The sender derives its address from its public key, for example, by using a hash of the key. The recipient verifies the association between the address and the sender'"'"'s private key. The recipient may retrieve the key from an insecure resource and know that it has the correct key because only that key can produce the sender'"'"'s address in the message. The hash may be made larger than the sender-selectable portion of the address. The recipient may cache public key/address pairs and use the cache to detect brute force attacks and to survive denial of service attacks. The mechanism may be used to optimize security negotiation algorithms.
27 Citations
20 Claims
-
1. A system comprising:
-
an access module configured to access authentication information made available by a first computing device, the authentication information including content data, a public key of the first computing device, a first network address of the first computing device, and a digital signature; a deriving module configured to derive a portion of a second network address from the public key of the first computing device by taking a portion of a value derived by hashing a combination of the public key and a modifier; a validation module configured to validate the digital signature using the public key; an accepting module configured to accept the content data when the derived portion of the second network address matches a corresponding portion of the first network address and when the digital signature is valid; and one or more processing units configured to execute the access module, the deriving module, the validation module, and the accepting module. - View Dependent Claims (2, 3, 4)
-
-
5. A system comprising:
-
a hashing module configured to hash a public key; a comparing module configured to compare a portion of a value produced by the hashing module with another portion of a network address other than a node-selectable portion; a choosing module configured to; choose a modifier when the portion and the another portion do not match, and append the modifier to the public key; and one or more processing units configured to execute the hashing module, the comparing module, and the choosing module. - View Dependent Claims (6, 7, 8, 9, 10)
-
-
11. A system comprising:
-
an access module configured to access authentication information made available by a first computing device, the authentication information including content data, a public key of the first computing device, a modifier, a first network address of the first computing device, and a digital signature; an appending module configured to append the modifier to the public key of the first computing device and to derive a portion of a second network address from a combination of the public key of the first computing device and the modifier; a validation module configured to validate the digital signature by using the public key of the first computing device; a caching module configured to cache a public key/network address association comprising the public key in association with the first network address when the derived portion of the second network address matches a corresponding portion of the first network address and when the validation shows that the digital signature was generated from at least one of;
the content data or a hash value of data including the content data; andone or more processing units configured to execute the access module, the appending module, the validation module, and the caching module. - View Dependent Claims (12, 13, 14, 15, 16)
-
-
17. A system comprising:
-
an access module configured to access authentication information made available by a first computing device, the authentication information including content data, a public key of the first computing device, and a network address of the first computing device; a comparing module configured to compare the public key and the network address of the first computing device with a public key/network address association in a cache; an accepting module configured to accept the content data when the public key and the network address of the first computing device match the public key/network address association in the cache; and one or more processing units configured to execute the access module, the comparing module, and the accepting module. - View Dependent Claims (18, 19, 20)
-
Specification