Methods and systems for network security using a cryptographic firewall

US 10,848,313 B2
Filed: 09/27/2019
Issued: 11/24/2020
Est. Priority Date: 01/27/2016
Status: Active Grant

First Claim

Patent Images

1. A method for accessing network resources protected by a security device, comprising:

at a security device having one or more processors and memory storing one or more programs for execution by the one or more processors;

establishing a network connection with a client system;

after establishing the network connection, receiving from the client system a first packet, the first packet including;

an identifier,a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, anda first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed;

based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value;

based on the first counter value being larger than the second counter value;

generating a second one-time password hash based on the identifier, the first counter value, and the seed;

determining whether the first one-time password hash and the second one-time password hash match; and

in accordance with a determination that the first one-time password hash and the second one-time password hash match, granting, to the client system, access to one or more network resources protected by the security device via the network connection,wherein establishing the network connection with the client system comprises;

prior to receiving the first packet from the client system;

receiving a SYN packet from the client system;

based on receiving the SYN packet, sending a SYN-ACK packet to the client system; and

after sending the SYN-ACK packet, receiving, from the client system, an ACK packet, thereby establishing the network connection and permitting receipt of the first packet from the client system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is performed at a security device. The method includes establishing a network connection with a client system. After establishing the network connection, the security device receives a first packet from the client system. The first packet includes an identifier, a first counter value, and a first one-time password hash generated by the client system. Based on the identifier received, the security device retrieves from a trusted data store the seed and a second counter value. If the first counter value is larger than the second counter value, the security device generates a second one-time password hash based on the identifier, the first counter value, and the seed. In accordance with a determination that the first and second one-time password hashes match, the security device grants, to the client system, access to one or more network resources protected by the security device via the network connection.

131 Citations

20 Claims

1. A method for accessing network resources protected by a security device, comprising:
- at a security device having one or more processors and memory storing one or more programs for execution by the one or more processors;
  
  establishing a network connection with a client system;
  
  after establishing the network connection, receiving from the client system a first packet, the first packet including;
  
  an identifier,a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, anda first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed;
  
  based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value;
  
  based on the first counter value being larger than the second counter value;
  
  generating a second one-time password hash based on the identifier, the first counter value, and the seed;
  
  determining whether the first one-time password hash and the second one-time password hash match; and
  
  in accordance with a determination that the first one-time password hash and the second one-time password hash match, granting, to the client system, access to one or more network resources protected by the security device via the network connection,wherein establishing the network connection with the client system comprises;
  
  prior to receiving the first packet from the client system;
  
  receiving a SYN packet from the client system;
  
  based on receiving the SYN packet, sending a SYN-ACK packet to the client system; and
  
  after sending the SYN-ACK packet, receiving, from the client system, an ACK packet, thereby establishing the network connection and permitting receipt of the first packet from the client system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the identifier and the seed are provided to the client system by the trusted data store based on a request for an identifier and seed pair, and prior to the security device establishing the network connection with the client system.
  - 3. The method of claim 1, wherein the system counter is updated each time the system counter receives a packet from the client system.
  - 4. The method of claim 1, wherein the trusted data store includes the system counter, and wherein the system counter monotonically increases for each request received from the client system.
  - 5. The method of claim 1, wherein the system counter is updated in accordance with a determination that the first one-time password hash and the second one-time password hash match.
  - 6. The method of claim 1, further comprising terminating the network connection with the client system, based on the first counter value being less than or equal to the second counter value.
  - 7. The method of claim 1, further comprising terminating the network connection with the client system in accordance with a determination that the first one-time password hash and the second one-time password hash do not match.
  - 8. The method of claim 7, wherein terminating the network connection with the client system comprises sending a reset packet to the client system.
  - 9. The method of claim 7, wherein terminating the network connection with the client system comprises forgoing acknowledgment of packets received from the client system.
  - 10. The method of claim 7, wherein terminating the network connection with the client system further comprises clearing table entries associated with a connection request.
  - 11. The method of claim 1, wherein receiving the first packet comprises receiving the first packet embedded in a body of an HTTP POST.
  - 12. The method of claim 1, wherein receiving the first packet comprises receiving the first packet embedded within an HTTP GET URL.
  - 13. The method of claim 1, wherein receiving the first packet comprises receiving the first packet in a TLS Client Hello message, wherein the first packet is placed within a random field of the TLS Client Hello message.
  - 14. The method of claim 1, wherein the identifier and the seed are provided to the client system by the trusted data store system in response to authenticating the client system.

15. A security device, comprising:
- one or more processors; and
  
  memory storing one or more programs for execution by the one or more processors, the one or more programs including instructions for;
  
  establishing a network connection with a client system;
  
  after establishing the network connection, receiving from the client system a first packet, the first packet including;
  
  an identifier,a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, anda first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed;
  
  based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value;
  
  based on the first counter value being larger than the second counter value;
  
  generating a second one-time password hash based on the identifier, the first counter value, and the seed;
  
  determining whether the first one-time password hash and the second one-time password hash match; and
  
  in accordance with a determination that the first one-time password hash and the second one-time password hash match, granting, to the client system, access to one or more network resources protected by the security device via the network connection,wherein establishing the network connection with the client system comprises;
  
  prior to receiving the first packet from the client system;
  
  receiving a SYN packet from the client system;
  
  based on receiving the SYN packet, sending a SYN-ACK packet to the client system; and
  
  after sending the SYN-ACK packet, receiving, from the client system, an ACK packet, thereby establishing the network connection and permitting receipt of the first packet from the client system.
- View Dependent Claims (16, 17)
- - 16. The security device of claim 15, wherein the identifier and the seed are provided to the client system by the trusted data store in response to a request for an identifier and seed pair, and prior to the security device establishing the network connection with the client system.
  - 17. The security device of claim 15, wherein the system counter is updated in accordance with a determination that the first one-time password hash and the second one-time password hash match.

18. A non-transitory computer readable storage medium, storing one or more programs for execution by one or more processors, the one or more programs including instructions for:
- establishing a network connection with a client system;
  
  after establishing the network connection, receiving from the client system a first packet, the first packet including;
  
  an identifier,a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, anda first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed;
  
  based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value;
  
  based on the first counter value being larger than the second counter value;
  
  generating a second one-time password hash based on the identifier, the first counter value, and the seed;
  
  determining whether the first one-time password hash and the second one-time password hash match; and
  
  in accordance with a determination that the first one-time password hash and the second one-time password hash match, granting, to the client system, access to one or more network resources via the network connection,wherein establishing the network connection with the client system comprises;
  
  prior to receiving the first packet from the client system;
  
  receiving a SYN packet from the client system;
  
  based on receiving the SYN packet, sending a SYN-ACK packet to the client system; and
  
  after sending the SYN-ACK packet, receiving, from the client system, an ACK packet, thereby establishing the network connection and permitting receipt of the first packet from the client system.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer readable storage medium of claim 18, wherein the identifier and the seed are provided to the client system by the trusted data store in response to a request for an identifier and seed pair, and prior to establishing the network connection with the client system.
  - 20. The non-transitory computer readable storage medium of claim 18, wherein the trusted data store includes the system counter, and wherein the system counter monotonically increases for each request received from the client system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Schroeder, Ted, Lengyel, Gabor
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almeida, Devin E

Application Number

US16/585,340
Publication Number

US 20200028685A1
Time in Patent Office

424 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0838   using one-time-passwords

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0863   involving passwords or one-...

H04L 9/0866   involving user or device id...

H04L 9/0869   involving random numbers or...

H04L 9/3228   One-time or temporary data,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3242   involving keyed hash functi...

Methods and systems for network security using a cryptographic firewall

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

131 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for network security using a cryptographic firewall

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links