System and method for secure messaging in a hybrid peer-to-peer network
First Claim
1. A method for changing an encryption key by a first endpoint operating in a hybrid peer-to-peer network comprising:
retrieving, by a first endpoint, a profile from an access server following an authentication process, wherein the profile identifies a plurality of endpoints that includes a second endpoint as endpoints that have each previously granted the first endpoint permission to communicate with that endpoint and contains a unique encryption key for each of the plurality of endpoints that is online but not for any of the plurality of endpoints that are offline, and wherein a key for any particular endpoint of the plurality of endpoints that was offline when the profile is retrieved will be received by the first endpoint directly from the particular endpoint when the particular endpoint logs into the hybrid peer-to-peer network;
receiving, by the first endpoint, an instruction to change from a first encryption key to a second encryption key;
sending, by the first endpoint, a first message to the second endpoint that the first endpoint is going to change to the second encryption key, wherein the first message is defined for use with a transactional state model and includes information representing the second encryption key, and wherein the first message is encrypted using the unique encryption key for the second endpoint contained in the profile;
receiving, by the first endpoint, in response to the first message, a second message from the second endpoint indicating that the second endpoint received the first message, wherein the second message is defined for use with the transactional state model;
sending, by the first endpoint, a third message to the second endpoint acknowledging receipt of the second message, wherein the third message is defined for use with the transactional state model;
changing, by the first endpoint, from the first encryption key to the second encryption key, wherein all incoming messages for the first endpoint are to be encrypted using the second encryption key;
receiving, by the first endpoint, a fourth message from the second endpoint, wherein the fourth message is encrypted using the second encryption key;
applying a first key iteration of the second encryption key to the fourth message to determine if the first key iteration will decrypt the fourth message, wherein the second encryption key is used by the first endpoint to form a plurality of key iterations, and wherein each of the plurality of key iterations is a valid encryption key for the first endpoint;
if the first key iteration will not decrypt the fourth message, rotating the second encryption key to form a next key iteration from the second encryption key;
applying the next key iteration to the fourth message to determine if the next key iteration will decrypt the fourth message;
as long as untried key iterations are available, continuing the steps of rotating and applying for each key iteration until the fourth message is decrypted; and
rejecting the fourth message if no untried key iterations exist and the fourth message is not decrypted.
Abstract
An improved system and method are disclosed for peer-to-peer communications. In one example, the method enables endpoints to securely send and receive messages to one another within a hybrid peer-to-peer environment.
19 Claims
1. A method for changing an encryption key by a first endpoint operating in a hybrid peer-to-peer network (recited in full under First Claim above).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19)
12. A method for receiving a secure message by a first endpoint operating in a hybrid peer-to-peer network comprising:
obtaining, by the first endpoint, a second base encryption key associated with the first endpoint after receiving an order from an access server to change from a first base encryption key to a second base encryption key, wherein the second base encryption key is to be used by the first endpoint to form a plurality of known key iterations that match a plurality of identical known key iterations that are available for use by a second endpoint to encrypt a message for the first endpoint, wherein the second endpoint uses the second base encryption key for the plurality of identical known key iterations, and wherein the first and second endpoints both use an identical rotation process to form the known key iterations;
receiving, by the first endpoint, an encrypted message from the second endpoint, wherein the encrypted message was encrypted by the second endpoint using one of the plurality of known key iterations and wherein the first endpoint does not know which of the identical known key iterations was used to encrypt the encrypted message because the rotation process is not synchronized between the first and second endpoints;
applying, by the first endpoint, a first key iteration of the second base encryption key to the encrypted message to determine if the first key iteration will decrypt the encrypted message;
if the first key iteration will not decrypt the message, rotating, by the first endpoint, the encryption key to form a next key iteration from the second base encryption key using the rotation process;
applying, by the first endpoint, the next key iteration to the encrypted message to determine if the next key iteration will decrypt the encrypted message;
as long as untried key iterations are available, continuing the steps of rotating and applying by the first endpoint for each key iteration until the message is decrypted; and
rejecting, by the first endpoint, the encrypted message if no untried key iterations exist and the message is not decrypted.
- View Dependent Claims (13, 14, 15)
16. A system comprising:
a network interface;
a processor coupled to the network interface; and
a memory coupled to the processor and containing a plurality of instructions for execution by the processor, the instructions including instructions for configuring a first endpoint stored at least partially in the memory for secure communications between the first endpoint and a second endpoint by;
obtaining, by the first endpoint, a second base encryption key associated with the first endpoint after receiving an order from an access server to change from a first base encryption key to a second base encryption key, wherein the second base encryption key is to be used by the first endpoint to form a plurality of known key iterations that match a plurality of identical known key iterations that are available for use by a second endpoint to encrypt a message for the first endpoint, wherein the second endpoint uses the second base encryption key for the plurality of identical known key iterations, and wherein the first and second endpoints both use an identical rotation process to form the known key iterations;
receiving, by the first endpoint, an encrypted message from the second endpoint, wherein the encrypted message was encrypted by the second endpoint using one of the plurality of known key iterations and wherein the first endpoint does not know which of the identical known key iterations was used to encrypt the encrypted message because the rotation process is not synchronized between the first and second endpoints;
receiving, by the first endpoint, an encrypted message from a second endpoint;
applying a first key iteration of the second base encryption key to the encrypted message to determine if the first key iteration will decrypt the encrypted message;
if the first key iteration will not decrypt the message, rotating the encryption key to form a next key iteration from the second base encryption key using the rotation process;
applying the next key iteration to the encrypted message to determine if the next key iteration will decrypt the encrypted message;
as long as untried key iterations are available, continuing the steps of rotating and applying for each key iteration until the message is decrypted; and
rejecting the encrypted message if no untried key iterations exist and the message is not decrypted.
- View Dependent Claims (17, 18)
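The receive-side procedure recited in claims 1, 12 and 16 (apply a key iteration, rotate, apply the next, reject when none decrypts), as an added Python example that is not taken from the patent. The HMAC-based rotation step, the limit of four iterations and the SHA-256 counter-mode stand-in cipher are assumptions; a MAC check is used here to decide whether an iteration "will decrypt" the message.

```python
import hashlib
import hmac
import os

MAX_ITERATIONS = 4  # assumption: number of valid key iterations per base key


def rotate(key: bytes) -> bytes:
    # Assumed rotation process (the claims do not fix one): a one-way HMAC step.
    return hmac.new(key, b"rotate", hashlib.sha256).digest()


def key_iterations(base_key: bytes):
    # Both endpoints derive the same bounded sequence from the shared base key.
    key = base_key
    for _ in range(MAX_ITERATIONS):
        yield key
        key = rotate(key)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one key iteration.
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the demo: SHA-256 in counter mode. Use an AEAD in practice.
    enc_key = _subkey(key, b"enc")
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Sender: encrypt-then-MAC under whichever iteration it currently holds.
    nonce = os.urandom(16)
    body = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_message(base_key: bytes, message: bytes):
    # Receiver: apply each iteration in turn; None means the message is rejected.
    if len(message) < 48:  # 16-byte nonce + 32-byte tag is the minimum frame
        return None
    nonce, body, tag = message[:16], message[16:-32], message[-32:]
    for index, key in enumerate(key_iterations(base_key)):
        expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return index, _xor_stream(key, nonce, body)
    return None
```

Bounding the iteration count caps the work an unauthenticated sender can force per message, and the constant-time tag comparison keeps the trial loop from leaking how close a forged tag came.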
Specification