Network encryption key rotation

US 8,989,379 B2
Filed: 01/09/2008
Issued: 03/24/2015
Est. Priority Date: 06/04/2007
Status: Active Grant

First Claim

Patent Images

1. A method for key rotation by a headend device, the method comprising:

providing an initial counter value to a station;

incrementing the initial counter value at the headend device based on a non-linear function to produce a headend incremented counter value; and

sending a key rotation communication from the headend device to the station, the key rotation communication comprising a new network encryption key and the headend incremented counter value, the key rotation communication to replace a previous network encryption key with the new network encryption key,wherein the headend incremented counter value authenticates the key rotation communication based, at least in part, on the headend incremented counter value matching a station incremented counter value that is derived from the initial counter value and the non-linear function.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for authenticating key rotation communications. Key rotation communications can include a key counter known to both a headend device and a station. Comparison between a local key counter and the key counter included in the key rotation communication can be used to authenticate the key rotation communication.

Citations

20 Claims

1. A method for key rotation by a headend device, the method comprising:
- providing an initial counter value to a station;
  
  incrementing the initial counter value at the headend device based on a non-linear function to produce a headend incremented counter value; and
  
  sending a key rotation communication from the headend device to the station, the key rotation communication comprising a new network encryption key and the headend incremented counter value, the key rotation communication to replace a previous network encryption key with the new network encryption key,wherein the headend incremented counter value authenticates the key rotation communication based, at least in part, on the headend incremented counter value matching a station incremented counter value that is derived from the initial counter value and the non-linear function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the non-linear function is known to an authentication server included in the headend device and to a plurality of authorized stations including the station.
  - 3. The method of claim 1, further comprising providing the non-linear function to the station utilizing a secure mechanism.
  - 4. The method of claim 1, wherein distinct non-linear functions are provided to a plurality of stations including the station.
  - 5. The method of claim 1, further comprising providing the previous network encryption key to the station prior to sending the key rotation communication.
  - 6. The method of claim 5, wherein the initial counter value is provided at a same time as the previous network encryption key.
  - 7. The method of claim 1, wherein the headend device and the station are part of a powerline network.
  - 8. The method of claim 1, wherein the headend device includes an authentication server, the headend device connects the station to a backhaul network.
  - 9. The method of claim 1, wherein the key rotation communication is encrypted using a network membership key associated with the station, and wherein the network membership key is retrieved by the headend device from a key store.

10. A method for key rotation performed by a station, the method comprising:
- receiving, at the station, an initial counter value from a headend device;
  
  receiving, at the station, a key rotation communication comprising a new network key and a headend incremented counter value, wherein the headend incremented counter value is based on the initial counter value and a non-linear function at the headend device;
  
  locally incrementing, at the station, the initial counter value based on the non-linear function to produce a station incremented counter value; and
  
  authenticating the key rotation communication based, at least in part, on comparing the headend incremented counter value and the station incremented counter value.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein receiving the initial counter value comprises receiving the initial counter value with a previous network key.
  - 12. The method of claim 11, further comprising replacing the previous network key with the new network key in response to authenticating the key rotation communication.
  - 13. The method of claim 12, wherein the key rotation communication is decrypted by the station using a network membership key associated with the station.
  - 14. The method of claim 13, wherein the network membership key is retrieved by the station from a key store.
  - 15. The method of claim 10, wherein the non-linear function is known to an authentication server included in the headend device and to a plurality of authorized stations including the station.
  - 16. The method of claim 10, wherein the initial counter value is received from an authentication server that connects the station to a backhaul network.

17. A headend system comprising:
- a processor; and
  
  memory storing instructions therein which, when executed by the processor, cause the headend system to;
  
  generate a new network key;
  
  provide an initial counter value to a station;
  
  increment a previous counter value based on a non-linear function to produce a headend incremented counter value; and
  
  transmit a key rotation communication including the new network key and the headend incremented counter value to the station,wherein the headend incremented counter value authenticates the key rotation communication based, at least in part, on the headend incremented counter value matching a station incremented counter value that is derived from the initial counter value and the non-linear function.
- View Dependent Claims (18, 19)
- - 18. The headend system of claim 17, wherein the instructions, when executed by the processor, cause the headend system to store, in memory, the new network key associated with the station and the headend incremented counter value associated with the station.
  - 19. A headend system of claim 17, wherein the headend system and the station are part of a powerline network.

20. A station, comprising:
- an interface to receive a key rotation communication from a headend device;
  
  a processor; and
  
  memory storing instructions therein which, when executed by the processor, cause the station to;
  
  decrypt the key rotation communication to derive a new network key and a headend incremented counter value, wherein the headend incremented counter value has been incremented by the headend device based, at least in part, on a previous counter value and a non-linear function;
  
  independently increment the previous counter value based on the non-linear function to produce a station incremented counter value; and
  
  authenticate the key rotation communication based, at least in part, on a comparison between the headend incremented counter value and the station incremented counter value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm Atheros Incorporated (Qualcomm, Inc.)
Original Assignee
Qualcomm, Inc.
Inventors
Katar, Srinivas, Yonge, Lawrence W., Krishnam, Manjunath
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Peiliang

Application Number

US11/971,446
Publication Number

US 20080298590A1
Time in Patent Office

2,631 Days
Field of Search

380/43, 380 46- 47, 380/255, 380/262, 380277-278, 380/274
US Class Current

380/262
CPC Class Codes

H04B 2203/5445   Local network

H04L 12/2801   Broadband local area networks

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/413   with random access, e.g. ca...

H04L 12/44   Star or tree networks

H04L 45/12   Shortest path evaluation

H04L 45/121   by minimising delays

H04L 45/122   by minimising distances, e....

H04L 45/123   Evaluation of link metrics ...

H04L 45/125   based on throughput or band...

H04L 45/16   Multipoint routing

H04L 47/787   Bandwidth trade among domains

Network encryption key rotation

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network encryption key rotation

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links