Automatic generation and update of connectivity association keys for media access control security protocol

US12200111B2 · US · B2

Patent metadata

Publication number: US-12200111-B2
Application number: US-202217808351-A
Country: US
Kind code: B2
Filing date: Jun 23, 2022
Priority date: Jun 23, 2022
Publication date: Jan 14, 2025
Grant date: Jan 14, 2025

Abstract

Official abstract text for this publication.

A first network device may identify a MACsec session between the first network device and a second network device that utilizes a CAK, may determine, using a KDF and one or more KDF input parameters, an additional CAK, may encrypt the one or more KDF input parameters and/or KDF identification information that identifies the KDF and the one or more KDF input parameters to generate encrypted KDF input information, and may send, to the second network device, a first message that includes the encrypted KDF input information. The first network device may receive, from the second network device, based on sending the first message, a second message that includes a checksum value, may determine, based on the checksum value, that the second network device has determined the additional CAK, and may communicate, with the second network device, to cause the MACsec session to utilize the additional CAK.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: identifying, by a first network device, a Media Access Control Security (MACsec) session between the first network device and a second network device, wherein the MACsec session utilizes a connectivity association key (CAK); determining, by the first network device and using a key derivation function (KDF) and one or more KDF input parameters, an additional CAK; encrypting, by the first network device, at least one of the one or more KDF input parameters or KDF identification information that identifies the KDF and the one or more KDF input parameters to generate encrypted KDF input information; sending, by the first network device and to the second network device, a first message that includes the encrypted KDF input information; receiving, by the first network device, from the second network device, and based on sending the first message, a second message that includes a checksum value, wherein the second message is a MACsec key agreement protocol data unit (MKPDU), and wherein the checksum value is included in a CAK name field of the MKPDU; determining, by the first network device and based on the checksum value, that the second network device has determined the additional CAK; and communicating, by the first network device and with the second network device, to cause the MACsec session to utilize the additional CAK.

2. The method of claim 1, wherein the one or more KDF input parameters include at least one of: a KDF parameter, a key parameter, label parameter, or context parameter.

3. The method of claim 1, wherein the encrypted KDF input information is encrypted using a secure association key (SAK) or a key encryption key (KEK), each of which is associated with the MACsec session.

4. The method of claim 1, wherein the first message is a MKPDU.

5. The method of claim 4, wherein the encrypted KDF input information is included in a CAK name field of the MKPDU.

6. The method of claim 1, wherein the checksum value is associated with the second network device determining the additional CAK based on the encrypted KDF input information.

7. The method of claim 1, wherein the first message includes an indicator indicating that the first message includes the encrypted KDF input information, wherein the second network device is to: process the first message to identify the indicator and the encrypted KDF input information; decrypt, based on the indicator, the encrypted KDF input information to determine at least one of the one or more KDF input parameters or the KDF identification information; and determine, based on determining the at least one of the one or more KDF input parameters or the KDF identification information, the additional CAK.

8. A first network device, comprising: one or more memories; and one or more processors to: identify a Media Access Control Security (MACsec) session between the first network device and a second network device, wherein the MACsec session utilizes a connectivity association key (CAK); determine, using a key derivation function (KDF) and one or more KDF input parameters, an additional CAK; encrypt at least one of the one or more KDF input parameters or KDF identification information that identifies the KDF and the one or more KDF input parameters to generate encrypted KDF input information; send, to the second network device, a first message that includes the encrypted KDF input information; receive, from the second network device and based on sending the first message, a second message that includes a checksum value, wherein the second message is a MACsec key agreement protocol data unit (MKPDU), and wherein the checksum value is included in a CAK name field of the MKPDU; determine, based on the checksum value, that the second network device has determined the additional CAK; and communicate, with the second network device and based on the second message, to cause the MACsec session to utilize the additional CAK.

9. The first network device of claim 8, wherein the encrypted KDF input information is encrypted using an encryption key associated with the additional CAK.

10. The first network device of claim 8, wherein the encrypted KDF input information is included in a CAK name field of the first message.

11. The first network device of claim 8, wherein the first message includes an indicator indicating that the first message includes the encrypted KDF input information.

12. The first network device of claim 8, wherein the checksum value is associated with the second network device determining the additional CAK based on the encrypted KDF input information.

13. The first network device of claim 8, wherein the second message includes an indicator indicating that the second message includes the checksum value.

14. The first network device of claim 8, wherein the one or more processors, to communicate to cause the MACsec session to utilize the additional CAK, are to: process the second message to determine the checksum value included in the second message; process the additional CAK to determine an additional checksum value; validate, based on the additional checksum value, the checksum value; and communicate, with the second network device and based on validating the checksum value, to cause the MACsec session to utilize the additional CAK.

15. A non-transitory computer-readable medium storing a set of instructions, the set of instructions comprising: one or more instructions that, when executed by one or more processors of a first network device, cause the first network device to: identify a Media Access Control Security (MACsec) session between the first network device and a second network device, wherein the MACsec session utilizes a connectivity association key (CAK); determine, using a key derivation function (KDF) and one or more KDF input parameters, an additional CAK; encrypt at least one of the one or more KDF input parameters or KDF identification information that identifies the KDF and the one or more KDF input parameters to generate encrypted KDF input information; send, to the second network device, a first message that includes the encrypted KDF input information; receive, from the second network device and based on sending the first message, a second message that includes a checksum value, wherein the second message is a MACsec key agreement protocol data unit (MKPDU), and wherein the checksum value is included in a CAK name field of the MKPDU; determine, based on the checksum value, that the second network device has determined the additional CAK; and communicate, with the second network device and based on the second message, to cause the MACsec session to utilize the additional CAK.

16. The non-transitory computer-readable medium of claim 15, wherein the encrypted KDF input information is encrypted using an encryption key associated with the additional CAK.

17. The non-transitory computer-readable medium of claim 15, wherein the first message includes an indicator indicating that the first message includes the encrypted KDF input information.

18. The non-transitory computer-readable medium of claim 15, wherein the checksum value is associated with the second network device determining the additional CAK based on the encrypted KDF input information.

19. The non-transitory computer-readable medium of claim 15, wherein the second message includes an indicator indicating that the second message includes the checksum value.

20. The non-trans
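The abstract and claims describe a three-message exchange: the first device derives a new CAK with a KDF, sends the encrypted KDF input (KDF identifier plus parameters) in the CAK-name field of an MKPDU, the second device decrypts it and derives the same CAK, answers with a checksum over that CAK in its own CAK-name field, and the first device validates the checksum (claim 14) before both sides switch. The following is an added example simulating both devices, written for this page and not Juniper's code. It assumes, and labels, several stand-ins: HMAC-SHA256 in counter mode in place of the AES-CMAC KDF of IEEE 802.1X (only the KEK/ICK label strings are the standard's), an encrypt-then-MAC construction in place of AES key wrap for the KEK, hypothetical indicator values and KDF identifier, and a checksum that is a keyed MAC under the ICK rather than a plain hash. The 32-octet CKN limit is real and bounds what the field can carry.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

CKN_MAX = 32                         # MKA CAK-name (CKN) field is at most 32 octets
KDF_ID_HMAC_SHA256 = 0x01            # hypothetical KDF identifier carried in the update
MSG_CAK_UPDATE, MSG_CAK_ACK = 1, 2   # hypothetical indicator values (claims 7, 11, 13)


def kdf(key: bytes, label: bytes, context: bytes, length: int = 16) -> bytes:
    """Counter-mode PRF on HMAC-SHA256; stand-in for the AES-CMAC KDF of 802.1X."""
    out, counter = b"", 1
    while len(out) < length:
        block = label + b"\x00" + context + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def session_keys(cak: bytes, ckn: bytes):
    """KEK and ICK derived from the CAK and CKN, with the label strings 802.1X uses."""
    return kdf(cak, b"IEEE8021 KEK", ckn[:16]), kdf(cak, b"IEEE8021 ICK", ckn[:16])


def wrap(kek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the KEK (nonce || ct || tag); stand-in for AES key wrap."""
    nonce = os.urandom(8)
    ct = bytes(p ^ k for p, k in zip(plaintext, kdf(kek, b"ks", nonce, len(plaintext))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()[:8]
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes):
    """Plaintext, or None when the tag fails (wrong KEK, i.e. wrong CAK, or tampering)."""
    if len(blob) < 16:
        return None
    nonce, ct, tag = blob[:8], blob[8:-8], blob[-8:]
    expect = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ k for c, k in zip(ct, kdf(kek, b"ks", nonce, len(ct))))


def derive_additional_cak(cak: bytes, kdf_id: int, context: bytes) -> bytes:
    if kdf_id != KDF_ID_HMAC_SHA256:
        raise ValueError("unsupported KDF identifier")
    return kdf(cak, b"CAK refresh", context)     # hypothetical label parameter


def cak_checksum(ick: bytes, new_cak: bytes) -> bytes:
    """Keyed under the ICK so the ack reveals neither the new CAK nor a plain hash of it."""
    return hmac.new(ick, b"CAK-ACK" + new_cak, hashlib.sha256).digest()[:16]


@dataclass
class Mkpdu:
    indicator: int
    ckn: bytes             # the CAK-name field carries the encrypted input or the checksum

    def __post_init__(self):
        if len(self.ckn) > CKN_MAX:
            raise ValueError("CKN field exceeds 32 octets")


class Peer:
    def __init__(self, cak: bytes, ckn: bytes):
        self.cak, self.ckn, self.pending = cak, ckn, None
        self.kek, self.ick = session_keys(cak, ckn)

    def start_update(self) -> Mkpdu:
        """First device: derive the additional CAK, send encrypted KDF input in the CKN."""
        context = os.urandom(12)                                  # the KDF input parameter
        self.pending = derive_additional_cak(self.cak, KDF_ID_HMAC_SHA256, context)
        return Mkpdu(MSG_CAK_UPDATE, wrap(self.kek, bytes([KDF_ID_HMAC_SHA256]) + context))

    def handle_update(self, msg: Mkpdu):
        """Second device: decrypt, derive the same CAK, answer with the keyed checksum."""
        info = unwrap(self.kek, msg.ckn) if msg.indicator == MSG_CAK_UPDATE else None
        if info is None:
            return None                                           # reject; keep current CAK
        self.pending = derive_additional_cak(self.cak, info[0], info[1:])
        return Mkpdu(MSG_CAK_ACK, cak_checksum(self.ick, self.pending))

    def finish_update(self, ack) -> bool:
        """First device: validate the checksum (claim 14) in constant time before switching."""
        ok = (ack is not None and ack.indicator == MSG_CAK_ACK and self.pending is not None
              and hmac.compare_digest(ack.ckn, cak_checksum(self.ick, self.pending)))
        if ok:
            self.commit()
        self.pending = None
        return ok

    def commit(self):
        self.cak, self.pending = self.pending, None
        self.kek, self.ick = session_keys(self.cak, self.ckn)


def run_rekey(initiator: Peer, responder: Peer) -> bool:
    """Three-message exchange; True when both ends now share the additional CAK."""
    ack = responder.handle_update(initiator.start_update())
    if not initiator.finish_update(ack):
        return False
    responder.commit()                # third message: switch the session to the new CAK
    return hmac.compare_digest(initiator.cak, responder.cak)
```

Two details matter more than the stand-in primitives. A peer that does not hold the current CAK cannot unwrap the KDF input and so never produces a valid checksum, and the initiator keeps its old CAK rather than switching unilaterally; and the checksum is keyed, because a plain hash of the new CAK in the clear would hand an on-path observer a verification oracle for guesses at the derivation inputs. Neither the patent text nor this example addresses replay of an old update MKPDU; a real implementation would bind the exchange to the MKA message number as the rest of MKA does.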

Assignees

Juniper Networks Inc
Inventors

Classifications

  • H04L9/0861 (Primary): Generation of secret information including derivation or calculation of cryptographic keys or passwords

  • H04L9/0838 (Primary): Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061)

  • Network security protocols

  • Revocation or update of secret information, e.g. encryption key update or rekeying

  • above the transport layer

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12200111B2 cover?
A first network device may identify a MACsec session between the first network device and a second network device that utilizes a CAK, may determine, using a KDF and one or more KDF input parameters, an additional CAK, may encrypt the one or more KDF input parameters and/or KDF identification information that identifies the KDF and the one or more KDF input parameters to generate encrypted KDF …
Who is the assignee on this patent?
Juniper Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/0861. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 14, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).