Encryption using alternate authentication key

US 8,713,311 B1
Filed: 11/07/2012
Issued: 04/29/2014
Est. Priority Date: 11/07/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for changing authentication keys when transmitting data, the method comprising:

receiving a first data packet comprising a first sender-generated authentication value generated using a first authentication key, and a first message encrypted using a first encryption key;

receiving an indication that subsequent data packets will include authentication values generated using a second authentication key;

receiving a second data packet comprising a second sender-generated authentication value and an encrypted second message;

applying the second authentication key to the second data packet to generate a recipient-generated authentication value;

when the recipient-generated authentication value that is generated using the second authentication key matches the second sender-generated authentication value, decrypting the encrypted second message; and

when the recipient-generated authentication value that is generated using the second authentication key does not match the second sender-generated authentication value;

applying the first authentication key to the second data packet to generate another recipient-generated authentication value; and

when the recipient-generated authentication value that is generated using the first authentication key matches the second sender-generated authentication value, decrypting the encrypted message using the first encryption key,wherein the first authentication key and the second authentication key comprise Message Authentication Code (MAC) keys, andwherein the first authentication key and the first encryption key are included in a first cipher specification.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for changing authentication keys when transmitting data are provided. In one aspect, a method includes receiving a first data packet including a first sender-generated authentication value generated using a first authentication key, and a first message encrypted using a first encryption key, and receiving an indication that subsequent packets will include authentication values generated using a second authentication key. The method also includes receiving a second packet includes a second sender-generated authentication value and an encrypted second message, and applying the second authentication key to the second packet to generate a recipient-generated authentication value. The encrypted second message is decrypted if these two authentication values match. Otherwise, the first authentication key is applied to the second packet to generate another recipient-generated authentication value. If these two authentication values match, the encrypted message is decrypted using the first encryption key. Systems and machine-readable media are also provided.

90 Citations

View as Search Results

18 Claims

1. A computer-implemented method for changing authentication keys when transmitting data, the method comprising:
- receiving a first data packet comprising a first sender-generated authentication value generated using a first authentication key, and a first message encrypted using a first encryption key;
  
  receiving an indication that subsequent data packets will include authentication values generated using a second authentication key;
  
  receiving a second data packet comprising a second sender-generated authentication value and an encrypted second message;
  
  applying the second authentication key to the second data packet to generate a recipient-generated authentication value;
  
  when the recipient-generated authentication value that is generated using the second authentication key matches the second sender-generated authentication value, decrypting the encrypted second message; and
  
  when the recipient-generated authentication value that is generated using the second authentication key does not match the second sender-generated authentication value;
  
  applying the first authentication key to the second data packet to generate another recipient-generated authentication value; and
  
  when the recipient-generated authentication value that is generated using the first authentication key matches the second sender-generated authentication value, decrypting the encrypted message using the first encryption key,wherein the first authentication key and the second authentication key comprise Message Authentication Code (MAC) keys, andwherein the first authentication key and the first encryption key are included in a first cipher specification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the indication that subsequent data packets will include authentication values generated using the second authentication key is received over an encrypted channel.
  - 3. The computer-implemented method of claim 1, wherein the method further comprises transmitting an acknowledgement that the indication that subsequent data packets will include authentication values generated using the second authentication key has been received prior to applying the second authentication key to the second data packet to generate the recipient-generated authentication value.
  - 4. The computer-implemented method of claim 1, wherein the first authentication key comprises a public authentication key and the second authentication key comprises a private authentication key.
  - 5. The computer-implemented method of claim 1, wherein the first cipher specification comprises an Authenticated Encryption with Associated Data (AEAD) block cipher mode.
  - 6. The computer-implemented method of claim 1, wherein receiving the indication that subsequent data packets will include authentication values generated using the second authentication key comprises receiving an indication that subsequent data packets will be generated according to a second cipher specification comprising the second authentication key and a second encryption key, and wherein decrypting the encrypted second message comprises decrypting the encrypted second message using the second encryption key.
  - 7. The computer-implemented method of claim 1, wherein receiving the indication that subsequent data packets will include authentication values generated using the second authentication key comprises receiving a cipher specification notification.
  - 8. The computer-implemented method of claim 1, wherein the first data packet comprises a first packet number, and the second data packet comprises a second packet number that succeeds the first packet number.
  - 9. The computer-implemented method of claim 8, wherein when the recipient-generated authentication value that is generated using the second authentication key matches the second sender-generated authentication value, applying the second authentication key to each data packet comprising a packet number successive to the first packet number.

10. A system for changing authentication keys when transmitting data, the system comprising:
- a memory comprising instructions; and
  
  a processor configured to execute the instructions to;
  
  receive a first data packet comprising a first sender-generated authentication value generated using a first authentication key, and a first message encrypted using a first encryption key;
  
  receive a cipher specification notification indicating that subsequent data packets will include authentication values generated using a second authentication key;
  
  receive a second data packet comprising a second sender-generated authentication value and an encrypted second message;
  
  apply the second authentication key to the second data packet to generate a recipient-generated authentication value;
  
  when the recipient-generated authentication value that is generated using the second authentication key matches the second sender-generated authentication value, decrypt the encrypted second message; and
  
  when the recipient-generated authentication value that is generated using the second authentication key does not match the second sender-generated authentication value;
  
  apply the first authentication key to the second data packet to generate another recipient-generated authentication value; and
  
  when the recipient-generated authentication value that is generated using the first authentication key matches the second sender-generated authentication value, decrypt the encrypted message using the first encryption key,wherein the first authentication key and the second authentication key comprise Message Authentication Code (MAC) keys, andwherein the first authentication key and the first encryption key are included in a first cipher specification.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the indication that subsequent data packets will include authentication values generated using the second authentication key is received over an encrypted channel.
  - 12. The system of claim 10, wherein the processor is further configured to transmit an acknowledgement that the indication that subsequent data packets will include authentication values generated using the second authentication key has been received prior to applying the second authentication key to the second data packet to generate the recipient-generated authentication value.
  - 13. The system of claim 10, wherein the first authentication key comprises a public authentication key and the second authentication key comprises a private authentication key.
  - 14. The system of claim 10, wherein the first cipher specification comprises an Authenticated Encryption with Associated Data (AEAD) block cipher mode.
  - 15. The system of claim 10, wherein the processor being configured to receive the indication that subsequent data packets will include authentication values generated using the second authentication key comprises the processor being configured to receive an indication that subsequent data packets will be generated according to a second cipher specification comprising the second authentication key and a second encryption key, and wherein the processor being configured to decrypt the encrypted second message comprises the processor being configured to decrypt the encrypted second message using the second encryption key.
  - 16. The system of claim 10, wherein the first data packet comprises a first packet number, and the second data packet comprises a second packet number that succeeds the first packet number.
  - 17. The system of claim 16, wherein when the recipient-generated authentication value that is generated using the second authentication key matches the second sender-generated authentication value, applying the second authentication key to each data packet comprising a packet number successive to the first packet number.

18. A non-transitory machine-readable storage medium comprising machine-readable instructions for causing a processor to execute a method for changing authentication keys when transmitting data, the method comprising:
- receiving a first data packet comprising a first sender-generated authentication value generated using a first Message Authentication Code (MAC) authentication key, and a first message encrypted using a first encryption key;
  
  receiving a cipher specification notification message over an encrypted channel that subsequent data packets will be generated according to a second cipher specification comprising a second MAC authentication key and a second encryption key;
  
  transmitting an acknowledgement that the second cipher specification notification has been received;
  
  receiving a second data packet comprising a second sender-generated authentication value and an encrypted second message;
  
  applying the second authentication key to the second data packet to generate a recipient-generated authentication value;
  
  when the recipient-generated authentication value that is generated using the second authentication key matches the second sender-generated authentication value, decrypting the encrypted second message using the second MAC encryption key; and
  
  when the recipient-generated authentication value that is generated using the second authentication key does not match the second sender-generated authentication value;
  
  applying the first authentication key to the second data packet to generate another recipient-generated authentication value; and
  
  when the recipient-generated authentication value that is generated using the first authentication key matches the second sender-generated authentication value, decrypting the encrypted message using the first encryption key,wherein the first MAC authentication key and the first encryption key are included in a first cipher specification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Roskind, James
Primary Examiner(s)
ABYANEH, ALI S

Application Number

US13/671,508
Time in Patent Office

538 Days
Field of Search

713/161, 713/171, 726/2, 726/5, 380/255, 380/277
US Class Current

713/161
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/123   received data contents, e.g...

Encryption using alternate authentication key

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption using alternate authentication key

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links