Methods and systems for unilateral authentication of messages

US 8,473,744 B2
Filed: 11/01/2006
Issued: 06/25/2013
Est. Priority Date: 04/12/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A system comprising:

an access module configured to access authentication information made available by a first computing device, the authentication information including content data, a public key of the first computing device, a first network address of the first computing device, and a digital signature;

a deriving module configured to derive a portion of a second network address from the public key of the first computing device by taking a portion of a value derived by hashing a combination of the public key and a modifier;

a validation module configured to validate the digital signature using the public key;

an accepting module configured to accept the content data when the derived portion of the second network address matches a corresponding portion of the first network address and when the digital signature is valid; and

one or more processing units configured to execute the access module, the deriving module, the validation module, and the accepting module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is an authentication mechanism that enables an information recipient to ascertain that the information comes from the sender it purports to be from. This mechanism integrates a private/public key pair with selection by the sender of a portion of its address. The sender derives its address from its public key, for example, by using a hash of the key. The recipient verifies the association between the address and the sender'"'"'s private key. The recipient may retrieve the key from an insecure resource and know that it has the correct key because only that key can produce the sender'"'"'s address in the message. The hash may be made larger than the sender-selectable portion of the address. The recipient may cache public key/address pairs and use the cache to detect brute force attacks and to survive denial of service attacks. The mechanism may be used to optimize security negotiation algorithms.

27 Citations

View as Search Results

20 Claims

1. A system comprising:
- an access module configured to access authentication information made available by a first computing device, the authentication information including content data, a public key of the first computing device, a first network address of the first computing device, and a digital signature;
  
  a deriving module configured to derive a portion of a second network address from the public key of the first computing device by taking a portion of a value derived by hashing a combination of the public key and a modifier;
  
  a validation module configured to validate the digital signature using the public key;
  
  an accepting module configured to accept the content data when the derived portion of the second network address matches a corresponding portion of the first network address and when the digital signature is valid; and
  
  one or more processing units configured to execute the access module, the deriving module, the validation module, and the accepting module.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 wherein the access module is configured to access the public key of the first computing device over an insecure channel to a device including at least one of:
    - the first computing device or a key publishing device.
  - 3. The system of claim 1, wherein the authentication information is provided in a single message.
  - 4. The system of claim 1, wherein the content data includes authenticated content data and non-authenticated content data.

5. A system comprising:
- a hashing module configured to hash a public key;
  
  a comparing module configured to compare a portion of a value produced by the hashing module with another portion of a network address other than a node-selectable portion;
  
  a choosing module configured to;
  
  choose a modifier when the portion and the another portion do not match, andappend the modifier to the public key; and
  
  one or more processing units configured to execute the hashing module, the comparing module, and the choosing module.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The system of claim 5, wherein the another portion comprises an element including one or more of:
    - a “
      
      u”
      
      bit, a “
      
      g”
      
      bit, or a portion of a route prefix.
  - 7. The system of claim 5, wherein the hashing module is further configured to obtain a further value by hashing a composite number that is obtained by appending the modifier to the public key.
  - 8. The system of claim 7, wherein the comparing module is further configured to compare a further portion of the further value to the another portion of the network address.
  - 9. The system of claim 8, wherein the choosing module is further configured to:
    - choose another modifier when the further portion and the another portion do not match; and
      
      append the another modifier to the public key and thereby produce an address of the system.
  - 10. The system of claim 7, further comprising:
    - a producing module configured to produce an address of the system using the further value.

11. A system comprising:
- an access module configured to access authentication information made available by a first computing device, the authentication information including content data, a public key of the first computing device, a modifier, a first network address of the first computing device, and a digital signature;
  
  an appending module configured to append the modifier to the public key of the first computing device and to derive a portion of a second network address from a combination of the public key of the first computing device and the modifier;
  
  a validation module configured to validate the digital signature by using the public key of the first computing device;
  
  a caching module configured to cache a public key/network address association comprising the public key in association with the first network address when the derived portion of the second network address matches a corresponding portion of the first network address and when the validation shows that the digital signature was generated from at least one of;
  
  the content data or a hash value of data including the content data; and
  
  one or more processing units configured to execute the access module, the appending module, the validation module, and the caching module.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein the content data comprises authenticated content data and non-authenticated content data.
  - 13. The system of claim 11, further comprising:
    - a determining module configured to determine whether to cache the public key in association with the first network address based on a time stamp in the authentication information.
  - 14. The system of claim 11, further comprising:
    - an associating module configured to associate a timer with the caching of the public key/network address association;
      
      a timer resetting module configured to reset the timer when a second public key/network address association, identical to the public key/network address association, is presented for caching; and
      
      a removing module configured to remove the public key/network address association from the cache when the timer expires.
  - 15. The system of claim 11, further comprising:
    - a comparing module configured to compare the first network address against another network address in another public key/network address association that is already in the cache; and
      
      a discarding module configured to discard the public key and the first network address without caching when the first network address matches the another network address in the another public key/network address association already in the cache, and when the public key does not match another public key of the another public key/network address association that is already in the cache.
  - 16. The system of claim 15, further comprising:
    - a cache removing module configured to remove the public key/network address association from the cache when the first network address matches the another network address in the another public key/network address association that is already in the cache, and when the public key does not match the another public key of the another public key/network address association that is already in the cache.

17. A system comprising:
- an access module configured to access authentication information made available by a first computing device, the authentication information including content data, a public key of the first computing device, and a network address of the first computing device;
  
  a comparing module configured to compare the public key and the network address of the first computing device with a public key/network address association in a cache;
  
  an accepting module configured to accept the content data when the public key and the network address of the first computing device match the public key/network address association in the cache; and
  
  one or more processing units configured to execute the access module, the comparing module, and the accepting module.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, further comprising:
    - a determining module configured to determine whether to accept the content data based on a time stamp in the authentication information.
  - 19. The system of claim 17, further comprising:
    - a discarding module configured to discard a message received from a second computing device when;
      
      a second network address of the second computing device matches another network address in the cache, anda second public key of the second computing device does not match another public key associated with the another network address in the cache.
  - 20. The system of claim 19, further comprising:
    - a cache removing module configured to remove another public key/network address association between the another network address and the another public key in an instance when the message is discarded.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shelest, Art, Thaler, David G., O'Shea, Gregory, Roe, Michael, Zill, Brian D.
Primary Examiner(s)
Parthasarathy, Pramila

Application Number

US11/555,573
Publication Number

US 20070061574A1
Time in Patent Office

2,428 Days
Field of Search

None
US Class Current

713/170
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 2209/60   Digital content management,...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5092   by self-assignment, e.g. pi...

H04L 9/3247   involving digital signatures

H04W 8/26   Network addressing or numbe...

Methods and systems for unilateral authentication of messages

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for unilateral authentication of messages

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links