Out-of band authentication method and system for communication over a data network

US 8,572,382 B2
Filed: 05/15/2006
Issued: 10/29/2013
Est. Priority Date: 05/15/2006
Status: Active Grant

First Claim

Patent Images

1. A method for out-of-band authentication of data streams transmitted over a communication network comprising a sender, a receiver, a sender control module, and a receiver control module, comprising the steps of:

transmitting a first stream of data over a first channel connecting the sender with the receiver;

receiving, by said sender control module, said first stream of data from said sender;

extracting, by said sender control module, a first pattern from said first stream of data, said first pattern comprising a sequence of message units from said first stream of data;

generating authentication data of said first stream of data by said sender control module based on said first pattern extracted from said first stream of data;

transmitting said authentication data from the sender control module to the receiver control module over a second channel connecting the sender control module with the receiver control module;

checking authenticity of a second stream of data received over said first channel by said receiver control module using said authentication data;

exchanging a control message comprising first synchronization data between the sender control module and the receiver control module over said second channel;

sending, by the receiver control module, a resynchronization request to said sender control module,wherein said resynchronization request comprises second synchronization data univocally identifying a second pattern extracted from the second stream of data, andwherein the second synchronization data comprises a hash value of said second pattern extracted from the second stream of data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for out-of-band authentication of messages transmitted, e.g. as packets, on a communication network, whereby a first stream of data is received by a sender control module from a sender; the first stream of data is transmitted over a first channel, e.g. a non-secure data channel, toward a receiver control module; the sender control module generates authentication data of the first stream of data; the authentication data are transmitted from the sender control module to the receiver control module on a second channel, e.g. a secure data channel, distinct from the first channel; and a stream of data received by the receiver control module is checked using the authentication data. Before sending the authentication data, the sender control module transmits a control message including synchronization data to the receiver control module over the second channel.

26 Citations

View as Search Results

20 Claims

1. A method for out-of-band authentication of data streams transmitted over a communication network comprising a sender, a receiver, a sender control module, and a receiver control module, comprising the steps of:
- transmitting a first stream of data over a first channel connecting the sender with the receiver;
  
  receiving, by said sender control module, said first stream of data from said sender;
  
  extracting, by said sender control module, a first pattern from said first stream of data, said first pattern comprising a sequence of message units from said first stream of data;
  
  generating authentication data of said first stream of data by said sender control module based on said first pattern extracted from said first stream of data;
  
  transmitting said authentication data from the sender control module to the receiver control module over a second channel connecting the sender control module with the receiver control module;
  
  checking authenticity of a second stream of data received over said first channel by said receiver control module using said authentication data;
  
  exchanging a control message comprising first synchronization data between the sender control module and the receiver control module over said second channel;
  
  sending, by the receiver control module, a resynchronization request to said sender control module,wherein said resynchronization request comprises second synchronization data univocally identifying a second pattern extracted from the second stream of data, andwherein the second synchronization data comprises a hash value of said second pattern extracted from the second stream of data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the step of exchanging a control message is carried out before transmitting said authentication data.
  - 3. The method of claim 1, wherein said first synchronization data univocally identifies said first pattern.
  - 4. The method of claim 3, wherein the step of checking the authenticity of the second stream of data comprises a synchronization step, wherein the receiver control module looks for said first pattern in said second stream of data on the basis of said first synchronization data.
  - 5. The method of claim 3, wherein said first synchronization data comprises said first pattern or a packet sequence number.
  - 6. The method of claim 3, wherein the step of generating authentication data comprises the step of calculating, by said sender control module, first hash values of first portions of said first stream of data following said first pattern, and the step of transmitting said authentication data comprises the step of transmitting said first hash values over said second channel, andwherein the step of checking authenticity of the second stream of data comprises loading into the receiver control module the second stream of data, calculating second hash values for second portions of the second stream of data and comparing said second hash values with received first hash values.
  - 7. The method of claim 6, wherein said control message also comprises a hash function, and wherein said first and second hash values are calculated by said sender control module and said receiver control module using said hash function.
  - 8. The method of claim 3, wherein the step of receiving said first stream of data comprises dividing said first stream of data into first blocks of a fixed length;
    - the step of generating authentication data comprises calculating hash values of said first blocks; and
      
      the step of checking authenticity of the second stream of data comprises dividing the second stream of data into second blocks of a fixed length, calculating hash values of said second blocks, and comparing said authentication data with said hash values of said second blocks.
  - 9. The method of claim 8, wherein the step of receiving a first stream of data further comprises accumulating said first blocks into a sender buffer;
    - the step of generating authentication data comprises loading a block of said first blocks from said sender buffer; and
      
      the step of checking authenticity of the second stream of data comprises accumulating said second blocks into a receiver data buffer, accumulating said authentication data in a receiver control buffer, and loading a block of said second blocks from said receiver data buffer.
  - 10. The method of claim 3, wherein said control message further comprises a length information of said first pattern.
  - 11. The method of claim 1, further comprising:
    - during said step of checking authenticity of the second stream of data, detecting, by the receiver control module, an error between said authentication data and the second stream of data.
  - 12. The method of claim 1, wherein said second channel is a secure channel.

13. A system for out-of-band authenticating streams of data transmitted over a communication network, comprising:
- a sender control module comprising a processor configured to receive a first stream of data from a sender and to;
  
  extract a first pattern from said first stream of data, said first pattern comprising a sequence of message units from said first stream of data, andgenerate authentication data of said first stream of data based on said first pattern extracted from said first stream of data;
  
  a receiver control module comprising a processor configured to check said authentication data;
  
  a first channel connecting said sender to a receiver, the first channel configured to transmit said first stream of data from said sender toward said receiver; and
  
  a second channel connecting said sender module and said receiver module configured to transmit said authentication data,wherein said processor of said receiver control module is further configured to send a resynchronization request to said sender control module,wherein said resynchronization request comprises synchronization data univocally identifying a second pattern extracted from a second stream of data, andwherein said synchronization data comprises a hash value of said second pattern extracted from the second stream of data.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, wherein said sender control module comprises a synchronization unit including a sender buffer configured to load first portions of the first stream of data and a sender processor configured to extract said first pattern from said first portions and to transmit a control message to said receiver control module over said second channel.
  - 15. The system of claim 14, wherein said receiver control module comprises a synchronization unit including a receiver data buffer configured to load second portions of the second stream of data received over said first channel and a receiver processor configured to receive said control message from said second channel and to receive said second portions from said receiver data buffer, wherein said receiver processor is configured to look for said first pattern from said second portions on the basis of said synchronization data.
  - 16. The system of claim 14, wherein said synchronization data comprises said second pattern or a packet sequence number.
  - 17. The system of claim 15, wherein said sender processor comprises a first calculator configured to calculate first hash values of said first portions following said extracted first pattern and a transmitter element configured to transmit said first hash values on a secure channel and said receiver module comprises a receiver control buffer connected to said receiver processor and said secure channel and configured to load said first hash values, said receiver processor comprising a second calculator configured to calculate second hash values for said second portions and a comparator configured to compare the first hash values with the second hash values.
  - 18. The system of claim 13, wherein said control message also comprises a hash function and wherein said sender processor and said receiver processor are configured to calculate said first and second hash values using said hash function.
  - 19. The system of claim 13, wherein said sender control module is part of a first local area network comprising said sender, and said receiver control module is part of a second local area network comprising said receiver.
  - 20. The system of claim 13, wherein said sender control module and said receiver control module are part of said communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telecom Italia S.p.A.
Original Assignee
Telecom Italia S.p.A.
Inventors
De Lutiis, Paolo, Moiso, Corrado, Di Caprio, Gaetano
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US12/227,281
Publication Number

US 20090210707A1
Time in Patent Office

2,724 Days
Field of Search

713/170, 713/179, 380/223, 380/274, 726/22
US Class Current

713/170
CPC Class Codes

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/18   using different networks or...

Out-of band authentication method and system for communication over a data network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Out-of band authentication method and system for communication over a data network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links