Method to authenticate packet payloads

US 20040193876A1
Filed: 03/27/2003
Published: 09/30/2004
Est. Priority Date: 03/27/2003
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a packet, comprising:

receiving a packet, the packet comprising a header and a payload;

computing a first message authentication code based at least in part on a pseudo-header derived from at least some of the packet header;

wherein at least one of the source and destination port fields in the pseudo-header has a value different from the corresponding source and destination port field in the packet header; and

comparing the first message authentication code with a second message authentication code in the header to authenticate the packet.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An architecture for authenticating packets is provided that includes: an input 322 operable to receive a packet, the packet comprising at least one of a transport, session and presentation header portion and a transport agent 312 operable to compute a first message authentication code based on at least some of the contents of the packet and compare the first message authentication code with a second message authentication code in the at least one of a transport, session, and presentation header portion to authenticate the packet.

132 Citations

49 Claims

1. A method for authenticating a packet, comprising:
- receiving a packet, the packet comprising a header and a payload;
  
  computing a first message authentication code based at least in part on a pseudo-header derived from at least some of the packet header;
  
  wherein at least one of the source and destination port fields in the pseudo-header has a value different from the corresponding source and destination port field in the packet header; and
  
  comparing the first message authentication code with a second message authentication code in the header to authenticate the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 37)
- - 2. The method of claim 1, wherein the header comprises a transport header portion and wherein the second authentication code is in the transport header portion.
  - 3. The method of claim 1, wherein the transport header portion is defined by one of the OSI transport layer and TCP/IP host-to-host transport layer.
  - 4. The method of claim 1, wherein the second authentication code is computed based on a pseudo-header in which at least one of the source and destination port fields is set to a value different than a corresponding source or destination port field in the header.
  - 5. The method of claim 4, wherein in the pseudo-header at least one of the source and destination field has a value independent of the source and destination field in the header.
  - 6. The method of claim 5, wherein the at least one of the source and destination field is set to zero.
  - 7. The method of claim 1, wherein the first and second authentication codes are hashed message authentication codes.
  - 8. The method of claim 7, wherein the first and second authentication codes are truncated to a predetermined number of bits.
  - 9. The method of claim 1, wherein the first and second message authentication codes are determined using the transport header portion.
  - 10. The method of claim 1, further comprising after the receiving step:
    - in a first mode, discarding the packet when the header does not include a valid authentication option, the authentication option comprising the second message authentication code; and
      
      in a second, different mode, discarding the packet when the header includes an authentication option, wherein the computing and comparing steps occur only in the first mode.
  - 11. The method of claim 1, wherein, in the comparing step when the first and second message authentication codes are nonidentical, the packet is deemed invalid and further comprising:
    - incrementing a counter indicative of the instance of packet invalidity.
  - 12. The method of claim 10, wherein the second mode is in effect and further comprising:
    - receiving a command from a higher layer to discontinue the second mode and initiate the first mode; and
      
      in response to the command, discontinuing the second mode and initiating the first mode.
  - 13. The method of claim 12, wherein the command is generated by the application layer and is one of a transmit authentication command and receive authentication command.
  - 37. The method of claim 12, wherein the command is generated by the application layer and is a receive authentication command.

14. A packet, comprising:
- a transport layer header portion, the transport layer header portion comprising;
  
  a source port field;
  
  a destination port field;
  
  a sequence number field; and
  
  an option field, wherein the option field comprises an authentication option, the authentication option comprising a message authentication code; and
  
  a payload.
- View Dependent Claims (15, 16, 17)
- - 15. The packet of claim 14, wherein the message authentication code is computed based on a pseudo-header in which at least one of the source and destination port field is set to a value different from the corresponding source or destination port field in a header of the packet.
  - 16. The packet of claim 14, wherein the message authentication code is a hashed message authentication code.
  - 17. The packet of claim 16, wherein the hashed message authentication code is truncated by a predetermined number of bits.

18. A method for authenticating packets, comprising:
- receiving a packet comprising a header and a payload, wherein the header comprises a transport header portion;
  
  in a first mode, discarding the packet when the transport header portion does not include a valid authentication option field; and
  
  in a second, different mode, discarding the packet when the transport header portion includes an authentication option field.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The method of claim 18, further comprising in the first mode:
    - computing a first message authentication code based on at least some of the contents of the packet; and
      
      comparing the first message authentication code with a second message authentication code in the transport header portion to authenticate the packet, wherein the second authentication code is in the transport header portion.
  - 20. The method of claim 19, wherein the transport header portion is defined by one of the OSI transport layer and TCP/IP host-to-host transport layer.
  - 21. The method of claim 19, wherein the second authentication code is computed based on a pseudo-header in which at least one of the source and destination port fields is set to a value different than a corresponding source or destination port field in the header.
  - 22. The method of claim 21, wherein in the pseudo-header at least one of the source and destination field has a value independent of the source and destination field in the header.
  - 23. The method of claim 22, wherein the at least one of the source and destination field is set to zero.
  - 24. The method of claim 19, wherein the first and second authentication codes are hashed message authentication codes.
  - 25. The method of claim 19, wherein the first and second message authentication codes are determined based on the transport header portion.
  - 26. The method of claim 18, wherein the second mode is in effect and further comprising:
    - receiving a command from a higher layer to discontinue the second mode and initiate the first mode; and
      
      in response to the command, discontinuing the second mode and initiating the first mode.
  - 27. The method of claim 26, wherein the command is generated by the application layer and is a transmit authentication command.

28. A method for authenticating packets, comprising:
- assembling a packet comprising a header and a payload, the header including transport header portion, wherein in a first mode, including in the transport header portion a valid authentication option field; and
  
  in a second, different mode, not including in the transport header portion a valid authentication option field; and
  
  thereafter transmitting the packet.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The method of claim 28, further comprising in the first mode:
    - computing a first message authentication code based on at least some of the contents of the packet; and
      
      comparing the first message authentication code with a second message authentication code in the transport header portion to authenticate the packet, wherein the second authentication code is in the transport header portion.
  - 30. The method of claim 29, wherein the transport header portion is defined by one of the OSI transport layer and TCP/IP host-to-host transport layer.
  - 31. The method of claim 29, wherein the second authentication code is computed based on a pseudo-header in which at least one of the source and destination port fields is set to a value different than a corresponding source or destination port field in the header.
  - 32. The method of claim 31, wherein in the pseudo-header at least one of the source and destination field has a value independent of the source and destination field in the header.
  - 33. The method of claim 32, wherein the at least one of the source and destination field is set to zero.
  - 34. The method of claim 29, wherein the first and second authentication codes are hashed message authentication codes.
  - 35. The method of claim 29, wherein the first and second message authentication codes are determined based on the transport header portion.
  - 36. The method of claim 28, wherein the second mode is in effect and further comprising:
    - receiving a command from a higher layer to discontinue the second mode and initiate the first mode; and
      
      in response to the command, discontinuing the second mode and initiating the first mode.

38. An architecture for authenticating packets, comprising:
- an input operable to receive a packet including a header and payload, the header comprising a transport header portion; and
  
  a transport agent operable to compute a first message authentication code based on at least some of the contents of the packet and compare the first message authentication code with a second message authentication code in the transport header portion to authenticate the packet.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 39. The architecture of claim 38, wherein the first and second authentication codes are derived from a pseudo-header and wherein the pseudo-header comprises a first set of fields identical to corresponding fields in the header and a second set of fields different from corresponding fields in the header, the first and second sets being disjoint.
  - 40. The architecture of claim 39, wherein the transport header portion is defined by one of the OSI transport layer and TCP/IP host-to-host transport layer.
  - 41. The architecture of claim 38, wherein the second authentication code is computed based on a pseudo-header.
  - 42. The architecture of claim 41, wherein in the pseudo-header at least one of the source and destination field has a value independent of the source and destination field in the header.
  - 43. The architecture of claim 42, wherein the at least one of the source and destination fields is set to zero.
  - 44. The architecture of claim 38, wherein the first and second authentication codes are hashed message authentication codes.
  - 45. The architecture of claim 44, wherein the first and second authentication codes are truncated to a predetermined number of bits.
  - 46. The architecture of claim 38, wherein the first and second message authentication codes are determined based on the transport header portion.
  - 47. The architecture of claim 38, wherein the transport agent is operable to operate in first and second modes and wherein:
    - in the first mode, the packet is discarded when the header does not include a valid authentication option, the authentication option comprising the second message authentication code; and
      
      in the second mode, the packet is discarded when the header includes an authentication option, wherein the transport agent performs the computing and comparing steps occur only in the first mode.
  - 48. The architecture of claim 38, wherein, when the first and second message authentication codes are nonidentical, the packet is deemed invalid and in response thereto the transport agent increments a counter indicative of the instance of packet invalidity.
  - 49. The architecture of claim 38, further comprising:
    - a cryptographic agent operable to perform cryptographic operations, wherein the cryptographic agent operates at at least one of the application and session layers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Avaya Incorporated
Inventors
Walton, John M., Donley, Christopher J., Haserodt, Kurt H., Gilman, Robert R.

Granted Patent

US 8,245,032 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/162
CPC Class Codes

H04L 1/1607   Details of the supervisory ...

H04L 63/12   Applying verification of th...

H04L 63/1458   Denial of Service

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

Method to authenticate packet payloads

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

49 Claims

Specification

Use Cases

Quick Links

Others

Method to authenticate packet payloads

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

49 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others