Methods and systems for network security using a cryptographic firewall

US10469262B1 · US · B1

Patent metadata

Publication number: US-10469262-B1
Application number: US-201615266980-A
Country: US
Kind code: B1
Filing date: Sep 15, 2016
Priority date: Jan 27, 2016
Publication date: Nov 5, 2019
Grant date: Nov 5, 2019

Abstract

Official abstract text for this publication.

A method is performed at a security device. The method includes establishing a network connection with a client system. After establishing the network connection, the security device receives a first packet from the client system. The first packet includes an identifier, a first counter value, and a first one-time password hash generated by the client system. Based on the identifier received, the security device retrieves from a trusted data store the seed and a second counter value. If the first counter value is larger than the second counter value, the security device generates a second one-time password hash based on the identifier, the first counter value, and the seed. In accordance with a determination that the first and second one-time password hashes match, the security device grants, to the client system, access to one or more network resources protected by the security device via the network connection.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for accessing network resources protected by a security device, comprising: at a security device having one or more processors and memory storing one or more programs for execution by the one or more processors: establishing a network connection with a client system; after establishing the network connection, receiving from the client system a first packet, the first packet including: an identifier, a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, and a first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed; based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value, wherein the identifier and the seed are provided to the client system by the trusted data store based on authenticating the client system; based on the first counter value being larger than the second counter value: generating a second one-time password hash based on the identifier, the first counter value, and the seed; determining whether the first one-time password hash and the second one-time password hash match; and in accordance with a determination that the first one-time password hash and the second one-time password hash match, granting, to the client system, access to one or more network resources protected by the security device via the network connection.

2. The method of claim 1, wherein the identifier and the seed are provided to the client system by the trusted data store based on a request for an identifier and seed pair, and prior to the security device establishing the network connection with the client system.

3. The method of claim 1, wherein the network connection is a TCP connection.

4. The method of claim 1, wherein the trusted data store includes the system counter, and wherein the system counter monotonically increases for each request received from the client system.

5. The method of claim 1, wherein the system counter is updated in accordance with a determination that the first one-time password hash and the second one-time password hash match.

6. The method of claim 1, further comprising terminating the network connection with the client system, based on the first counter value being less than or equal to the second counter value.

7. The method of claim 1, further comprising terminating the network connection with the client system in accordance with a determination that the first one-time password hash and the second one-time password hash do not match.

8. The method of claim 7, wherein terminating the network connection with the client system comprises sending a reset packet to the client system.

9. The method of claim 7, wherein terminating the network connection with the client system comprises foregoing acknowledgment of packets received from the client system.

10. The method of claim 7, wherein terminating the network connection with the client system further comprises clearing table entries associated with a connection request.

11. The method of claim 1, wherein receiving the first packet comprises receiving the first packet embedded in a body of an HTTP POST.

12. The method of claim 1, wherein receiving the first packet comprises receiving the first packet embedded within an HTTP GET URL.

13. The method of claim 1, wherein receiving the first packet comprises receiving the first packet in a TLS Client Hello message, wherein the first packet is placed within a random field of the TLS Client Hello message.

14. The method of claim 1, wherein establishing the network connection with the client system comprises: prior to receiving the first packet from the client system: receiving a SYN packet from the client system; based on receiving the SYN packet, sending a SYN-ACK packet to the client system; and after sending the SYN-ACK packet, receiving, from the client system, an ACK packet, thereby establishing the network connection and permitting receipt of the first packet from the client system.

15. A security device, comprising: one or more processors; and memory storing one or more programs for execution by the one or more processors, the one or more programs including instructions for: establishing a network connection with a client system; after establishing the network connection, receiving from the client system a first packet, the first packet including: an identifier, a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, and a first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed; based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value, wherein the identifier and the seed are provided to the client system by the trusted data store based on authenticating the client system; based on the first counter value being larger than the second counter value: generating a second one-time password hash based on the identifier, the first counter value, and the seed; determining whether the first one-time password hash and the second one-time password hash match; and in accordance with a determination that the first one-time password hash and the second one-time password hash match, granting, to the client system, access to one or more network resources protected by the security device via the network connection.

16. The security device of claim 15, wherein the identifier and the seed are provided to the client system by the trusted data store based on a request for an identifier and seed pair, and prior to the security device establishing the network connection with the client system.

17. The security device of claim 15, wherein the network connection is a TCP connection.

18. The security device of claim 15, wherein the trusted data store includes the system counter, and wherein the system counter monotonically increases for each request received from the client system.

19. The security device of claim 15, wherein the system counter is updated in accordance with a determination that the first one-time password hash and the second one-time password hash match.

20. A non-transitory computer readable storage medium, storing one or more programs for execution by one or more processors, the one or more programs including instructions for: establishing a network connection with a client system; after establishing the network connection, receiving from the client system a first packet, the first packet including: an identifier, a first counter value, wherein the first counter value is one of a plurality of incremental counts generated by a system counter, and a first one-time password hash generated by the client system based on the identifier, the first counter value, and a seed; based on the identifier received from the client system, retrieving from a trusted data store the seed and a second counter value, wherein the identifier and the seed are provided to the client system by the trusted data store based on authenticating the client system; based on the first counter value being larger than the second counter value: generating a second one-time password hash based on the identifier, the first counter value, and the seed; determining whether the first one-time password hash and the second one-time pa
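The security-device decision described in claims 1, 5, 6 and 7, written out as an added Python sketch that is not part of the patent or any Verizon implementation. The hash construction (HMAC-SHA256 keyed by the seed over identifier and counter), the trusted-store layout and the packet field names are assumptions; the claims leave all three unspecified.

```python
import hashlib
import hmac


def make_store() -> dict:
    """Constructed trusted data store: identifier -> seed and the last accepted
    counter (the 'second counter value' of claim 1). Values are made up."""
    return {"client-001": {"seed": b"constructed-seed-value", "counter": 41}}


def otp_hash(identifier: str, counter: int, seed: bytes) -> str:
    """One-time password hash over identifier and counter, keyed by the seed.
    Assumed construction; the claims only say 'based on' all three inputs."""
    msg = identifier.encode() + b"|" + str(counter).encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()


def client_first_packet(identifier: str, counter: int, seed: bytes) -> dict:
    """What the client sends after the connection is up (claim 1)."""
    return {"id": identifier, "counter": counter,
            "otp": otp_hash(identifier, counter, seed)}


def security_device_check(packet: dict, store: dict) -> str:
    """Return 'grant' or 'terminate', following the order of checks in claim 1.
    The counter test runs before any hash computation, so a replayed or stale
    packet is dropped without touching the seed (claim 6)."""
    entry = store.get(packet["id"])
    if entry is None:
        return "terminate"  # unknown identifier: nothing to verify against
    if packet["counter"] <= entry["counter"]:
        return "terminate"  # first counter not larger than stored counter
    expected = otp_hash(packet["id"], packet["counter"], entry["seed"])
    if not hmac.compare_digest(expected, packet["otp"]):
        return "terminate"  # claim 7: hashes do not match
    entry["counter"] = packet["counter"]  # claim 5: advance counter only on match
    return "grant"


if __name__ == "__main__":
    store = make_store()
    pkt = client_first_packet("client-001", 42, store["client-001"]["seed"])
    print(security_device_check(pkt, store))  # grant
    print(security_device_check(pkt, store))  # terminate (replay of same counter)
```

Running the block twice with the same packet shows the replay property: the first packet is granted and advances the stored counter to 42, so the identical second copy fails the counter check before any hash is computed.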

Assignees

Verizon Patent & Licensing Inc
Inventors

Classifications

  • at the transport layer · CPC title

  • received data contents, e.g. message integrity · CPC title

  • using one-time-passwords · CPC title

  • using cryptographic hash functions · CPC title

  • H04L9/3228 (primary)

    One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10469262B1 cover?
A method is performed at a security device. The method includes establishing a network connection with a client system. After establishing the network connection, the security device receives a first packet from the client system. The first packet includes an identifier, a first counter value, and a first one-time password hash generated by the client system. Based on the identifier received, t…
Who is the assignee on this patent?
Verizon Patent & Licensing Inc, Verizon Patent Ad Licensing Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/3228. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 5, 2019 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).