US20210075777A1 - Method and system for asynchronous side channel cipher renegotiation - Google Patents
Method and system for asynchronous side channel cipher renegotiation Download PDFInfo
- Publication number
- US20210075777A1 US20210075777A1 US16/562,525 US201916562525A US2021075777A1 US 20210075777 A1 US20210075777 A1 US 20210075777A1 US 201916562525 A US201916562525 A US 201916562525A US 2021075777 A1 US2021075777 A1 US 2021075777A1
- Authority
- US
- United States
- Prior art keywords
- computing device
- cipher
- communication channel
- renegotiation
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0478—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/70—Admission control; Resource allocation
- H04L47/82—Miscellaneous aspects
- H04L47/825—Involving tunnels, e.g. MPLS
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/065—Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3215—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
Definitions
- the present disclosure relates to asynchronous side channel cipher renegotiation, specifically the use of an alternative communication channel to exchange data for use in renegotiating the cipher used in a primary communication channel that utilizes an encryption tunnel.
- Communication channels are utilized between computing systems, devices, application programs, and other discrete components used to exchange data, packets, media, and other messages.
- two computing systems or devices may maintain a single communication channel over a long period of time where data may be exchanged, to reduce the need to reconnect, which may require complicated authentication processes and interrupt user experiences.
- a communication channel once a communication channel is established, it can be susceptible to attack by a nefarious entity that may seek to intercept communications or inject its own data.
- Some methods to avoid the susceptibility of attacks in an established communication channel utilize asymmetric cryptography, such as through the use of shared secrets and cryptographic key pairs. In such methods, initial setup between the computing devices ensures the security of subsequent communications.
- asymmetric cryptography may not be available for all communication channels, particularly for peer-to-peer connections and other connections where ciphers may be necessary to encrypt communications between both endpoints.
- the present disclosure provides a description of systems and methods for asynchronous side channel cipher renegotiation.
- Two endpoint devices that share an encrypted tunnel may have a side channel established for communication between the two devices.
- that endpoint device transmits a renegotiation request using the side channel, where the request includes a password and a relative time offset.
- Use of a relative time offset may be superior to using an absolute time, as it may avoid complications arising from mismatched clocks on devices, removing the need for synchronization, and can make it more difficult for a nefarious actor to replay encrypted network traffic later.
- Each device can independently generate a new cipher using the password and a known encryption algorithm and, when the relative time has elapsed, can begin using the new cipher to decrypt messages transmitted using the encrypted tunnel.
- the devices can both continue to utilize the original cipher for a predetermined period of time or number of packets, which can then be discarded.
- the result is a seamless handoff from one cipher to another for use in the encrypted tunnel.
- any nefarious party that may acquire a cipher may only be able to use that cipher until a renegotiation takes place, limiting the ability to perform any detrimental actions with the stolen cipher.
- security of communications between both devices can be increased without expending significant time and resources and without incurring dropped network connections as a result of packet loss.
- a method for asynchronous side channel cipher renegotiation includes: establishing, by a first computing device, a first communication channel and a second communication channel with a second computing device, where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher; receiving, by a receiver of the first computing device, a renegotiation request from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time; generating, by a processor of the first computing device, a second cipher using at least an encryption protocol and the password value; receiving, by the receiver of the first computing device, a new encrypted packet from the second computing device using the first communication channel; and decrypting, by the processor of the first computing device, the new encrypted packet using the second cipher.
- a system for asynchronous side channel cipher renegotiation includes: a first computing device; a second computing device; a first communication channel established between the first computing device and the second computing device, where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher; and a second communication channel established between the first computing device and the second computing device, wherein the first computing device includes a receiver receiving a renegotiation request from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time, and a processor generating a second cipher using at least an encryption protocol and the password value, wherein the receiver further receives a new encrypted packet from the second computing device using the first communication channel, and the processor further decrypts the new encrypted packet using the second cipher.
- FIG. 1 is a block diagram illustrating a high level system architecture for asynchronous side channel cipher renegotiation in accordance with exemplary embodiments.
- FIG. 2 is a block diagram illustrating a computing device for use in the system of FIG. 1 for asynchronous side channel cipher renegotiation in accordance with exemplary embodiments.
- FIG. 3 is a flow diagram illustrating a process for renegotiation of a cipher using an asynchronous side channel by the computing device of FIG. 2 in accordance with exemplary embodiments.
- FIG. 4 is a flow chart illustrating an exemplary method for asynchronous side channel cipher renegotiation in accordance with exemplary embodiments.
- FIG. 5 is a block diagram illustrating a computer system architecture in accordance with exemplary embodiments.
- FIG. 1 illustrates a system 100 for the renegotiation of a cipher for communications made using an encrypted tunnel between two computing devices using an asynchronous side channel.
- the system 100 may include a first computing device 102 and a second computing device 104 .
- the computing devices which may be computing devices 200 illustrated in FIG. 2 and discussed in more detail below, may be configured to exchange communications using a first communication channel 106 .
- the first communication channel 106 may be an encrypted tunnel, where any data packets or other communications transmitted thereby may be encrypted via use of a cipher.
- the first computing device 102 may encrypt a data packet using the cipher, may transmit the encrypted data packet to the second computing device 104 using the first communication channel 106 , and the second computing device 104 may then decrypt the data packet using the same cipher.
- the first communication channel 106 may utilize any communication protocol and method suitable for the operation and usage of an encrypted tunnel, such as user datagram protocol (UDP), secure shell (SSH), etc. While the system 100 in FIG. 1 illustrates the first computing device 102 and second computing device 104 as being separate and distinct devices, the first computing device 102 and second computing device 104 may be separate components in a single computing device, or one or more of the devices may be a component of a computing device that communicates with a separate computing device or a component in a separate computing device, such as a web extension of a web browsing application program that communicates with a network device or a web server.
- UDP user datagram protocol
- SSH secure shell
- the first computing device 102 or second computing device 104 may have a desire to be able to renegotiate the cipher used in the first communication channel 106 during the course of operation thereof. For instance, the first computing device 102 and second computing device 106 may want to keep the first communication channel 106 in operation for several hours or days, where renegotiation of the cipher may result in higher security without the need to interrupt or reestablish the first communication channel 106 .
- the first computing device 102 and the second computing device 104 may have a second communication channel 108 established between the two devices.
- the second communication channel 108 may be a side channel that may utilize a different communication protocol than the first communication channel.
- the first communication channel 106 may utilize UDP while the second communication channel 108 may utilize transmission control protocol (TCP). Any suitable type of communication method and protocol may be utilized by the second communication channel 108 .
- the second computing device 104 may electronically transmit a renegotiation request to the first computing device 102 using the second communication channel 108 . While the methods and systems described herein have the second computing device 104 submitting the request, either computing device may submit a renegotiation request and thereby perform the functions of the second computing device 104 .
- the renegotiation request may include at least a password value and a relative time.
- the password value may be a word, number, alphanumeric value, etc. that is used in generation of the new cipher.
- the relative time may be a time relative to the receipt and/or transmission of the renegotiation request at which time the devices are to begin to use the new cipher to encrypt/decrypt packets transmitted using the first communication channel 106 .
- the first computing device 102 may receive the renegotiation request using the second communication channel 108 and decrypt or otherwise parse the data therefrom using any suitable method.
- the first computing device 102 may then generate the new cipher using the password value from the renegotiation request and an agreed-upon encryption protocol, such as the advanced encryption standard (AES), triple data encryption algorithm ( 3 DES), etc.
- the second computing device 104 may also independently generate the new cipher using the password value and the agreed-upon encryption protocol.
- the renegotiation request may specify the encryption protocol to be used.
- the encryption protocol may be specified in a separate communication, during establishment of the first communication channel 106 or second communication channel 108 , or at another suitable time.
- the computing devices may utilize the same encryption protocol for all ciphers generated for use with the first communication channel 106 . In other cases, multiple encryption protocols may be used through the life of the first communication channel 106 .
- each of the computing devices 102 and 104 may start using the new cipher when encrypting and decrypting packets that are transmitted or received after the relative time has passed (e.g., or shortly before, such as in instances if packets are received before the first computing device 102 has officially changed to the new cipher). For instance, if the relative time is fifteen seconds, the first computing device 102 may start attempting to decrypt any packets received thirteen or fourteen seconds after receipt of the renegotiation request. Once the first computing device 102 receives a new data packet after the relative time has passed, they will utilize the new cipher when attempting to decrypt the new data packet.
- the first computing device 102 may attempt to use the original cipher for decryption. For example, due to transmission speeds and other factors, the first computing device 102 may still receive packets encrypted with the original cipher after the relative time has passed (e.g., the second computing device 104 may have transmitted a packet encrypted with the original cipher at 14.8 seconds, which may not be received by the first computing device 102 until 15.4 seconds).
- the first computing device 102 may attempt to use the original cipher to decrypt any data packets where decryption using the new cipher fails. If the attempt using the original cipher fails as well, then the data packet may be discarded. This may result in the connection being dropped if the computing devices are not using a reliable connection protocol (e.g., including, but not limited to, TCP, which enables the computing devices to re-transmit dropped packets). If the original cipher is successful in decrypting the data packet, then the data packet may be processed as applicable. In some cases, the first computing device 102 may only attempt to use the original cipher upon failure of the new cipher for a predetermined period of time and/or predetermined number of packets.
- a reliable connection protocol e.g., including, but not limited to, TCP, which enables the computing devices to re-transmit dropped packets.
- the original cipher may only be used for ten seconds after the relative time has passed or for a maximum of ten packets, whichever is met first. Such limits may prevent the ability for a nefarious party that is able to identify the original cipher from taking advantage of the first computing device 102 or second computing device 104 .
- the original cipher may be deleted from the first computing device 102 .
- the second computing device 104 may be programmed to perform the same functions for data packets sent from the first computing device 102 using the first communication channel 106 .
- the following code represents an example implementation in the first computing device 102 or the second computing device 104 of the processing of an incoming data packet using the new cipher, where the old cipher is attempted if decrypting using the new cipher fails:
- the methods and systems discussed herein enable two computing devices 102 and 104 to renegotiate the cipher used in encrypting/decrypting communications made using an encrypted tunnel 106 via the use of an asynchronous side channel 108 .
- the renegotiation of the cipher may ensure that the first communication channel 106 can be maintained over a long period of time with minimal risk to exposure of the underlying data being transmitted thereby due to changes to the cipher.
- the use of the asynchronous side channel facilitates the renegotiation in a manner that is easy and secure, enabling the renegotiation to occur using minimal computing resources and bandwidth, and negating the need for reconnecting or reestablishing the first communication channel 106 .
- the use of separate communication protocols for both channels, deletion of the original cipher, use of the original cipher after the relative time has passed, and the use of relative time further enhances the security offered by the methods discussed herein while maintaining full reliability of the first communication channel 106 . Accordingly, the methods and systems discussed herein provide for significant security advantages over traditional systems without sacrificing convenience and reliability and without the need for new hardware and excessive communications.
- FIG. 2 illustrates an embodiment of a computing device 200 in the system 100 .
- the embodiment of the computing device 200 illustrated in FIG. 2 is provided as illustration only and may not be exhaustive to all possible configurations of the computing device 200 suitable for performing the functions as discussed herein.
- the computer system 500 illustrated in FIG. 5 and discussed in more detail below may be a suitable configuration of the computing device 200 .
- the first computing device 102 and second computing device 104 of the system 100 may be implemented as the computing device 200 as illustrated in FIG. 2 and discussed below.
- the computing device 200 may include a receiving device 202 .
- the receiving device 202 may be configured to receive data over one or more networks via one or more network protocols.
- the receiving device 202 may be configured to receive data from other computing devices 200 and other systems and entities via one or more communication methods, such as radio frequency, local area networks, wireless area networks, cellular communication networks, Bluetooth, the Internet, etc.
- the receiving device 202 may be comprised of multiple devices, such as different receiving devices for receiving data over different networks, such as a first receiving device for receiving data over a local area network and a second receiving device for receiving data via the Internet.
- the receiving device 202 may receive electronically transmitted data signals, where data may be superimposed or otherwise encoded on the data signal and decoded, parsed, read, or otherwise obtained via receipt of the data signal by the receiving device 202 .
- the receiving device 202 may include a parsing module for parsing the received data signal to obtain the data superimposed thereon.
- the receiving device 202 may include a parser program configured to receive and transform the received data signal into usable input for the functions performed by the processing device to carry out the methods and systems described herein.
- the receiving device 202 may be configured to receive data signals electronically transmitted by other computing devices 200 that may be electronically transmitted using first communication channels 106 and second communication channels 108 and may be superimposed or otherwise encoded with data packets, which may be encrypted using any suitable means.
- data packets may include a renegotiation request, which may include a password value, relative time, and, in some cases, an encryption method.
- Some data packets may be encrypted using a cipher, which may be changed following a renegotiation processed as discussed herein.
- the computing device 200 may also include a communication module 204 .
- the communication module 204 may be configured to transmit data between modules, engines, databases, memories, and other components of the computing device 200 for use in performing the functions discussed herein.
- the communication module 204 may be comprised of one or more communication types and utilize various communication methods for communications within a computing device.
- the communication module 204 may be comprised of a bus, contact pin connectors, wires, etc.
- the communication module 204 may also be configured to communicate between internal components of the computing device 200 and external components of the computing device 200 , such as externally connected databases, display devices, input devices, etc.
- the computing device 200 may also include a processing device.
- the processing device may be configured to perform the functions of the computing device 200 discussed herein as will be apparent to persons having skill in the relevant art.
- the processing device may include and/or be comprised of a plurality of engines and/or modules specially configured to perform one or more functions of the processing device, such as a querying module 214 , generation module 216 , encryption module 218 , etc.
- the term “module” may be software or hardware particularly programmed to receive an input, perform one or more processes using the input, and provides an output. The input, output, and processes performed by various modules will be apparent to one skilled in the art based upon the present disclosure.
- the computing device 200 may include a querying module 214 .
- the querying module 214 may be configured to execute queries on databases to identify information.
- the querying module 214 may receive one or more data values or query strings, and may execute a query string based thereon on an indicated database, such as a memory 206 , to identify information stored therein.
- the querying module 214 may then output the identified information to an appropriate engine or module of the computing device 200 as necessary.
- the querying module 214 may, for example, execute a query on the memory 206 to identify an encryption algorithm for use in generating a new cipher based on a received password value.
- the computing device 200 may also include a generation module 216 .
- the generation module 216 may be configured to generate data for the computing device 200 as part of the functions discussed herein.
- the generation module 216 may receiving instructions as input, may perform generate data as instructed, and may output the generated data to another module or engine of the computing device 200 .
- data to be used in the generation may be included in the input.
- the generation module 216 may be configured to identify data for use in the requested generation, such as by instructing the querying module 214 to perform one or more queries for data.
- the generation module 216 may, for example, be configured to generate ciphers using specific encryption algorithms and password values and generate data packets for transmission using the first communication channel 106 and second communication channel 108 .
- the computing device 200 may also include an encryption module 218 .
- the encryption module 218 may be configured to encrypt or decrypt data for the computing device 200 for performing the functions discussed herein.
- the encryption module 218 may receive data as input for decryption or encryption, may encrypt or decrypt the data as instructed, and may output the result to another module or engine of the computing device 200 .
- the input may include the cipher to be used for encryption or decryption.
- the encryption module 218 may be configured to identify the cipher to be used, such as by instructing the querying module 214 to execute a query on the memory 226 to identify a cipher for use.
- the encryption module 218 may be configured to, for example, encrypt or decrypt data packets that are transmitted or received using the first communication channel 106 .
- the computing device 200 may also include a transmitting device 220 .
- the transmitting device 220 may be configured to transmit data over one or more networks via one or more network protocols. In some instances, the transmitting device 220 may be configured to transmit data to other computing devices 200 and other entities via one or more communication methods, local area networks, wireless area networks, cellular communication, Bluetooth, radio frequency, the Internet, etc. In some embodiments, the transmitting device 220 may be comprised of multiple devices, such as different transmitting devices for transmitting data over different networks, such as a first transmitting device for transmitting data over a local area network and a second transmitting device for transmitting data via the Internet. The transmitting device 220 may electronically transmit data signals that have data superimposed that may be parsed by a receiving computing device. In some instances, the transmitting device 220 may include one or more modules for superimposing, encoding, or otherwise formatting data into data signals suitable for transmission.
- the transmitting device 220 may be configured to electronically transmit data signals to other computing devices 200 that are electronically transmitted using the first communication channel 106 or second communication channel 108 , which may be superimposed or otherwise encoded with data packets.
- the data packets may be encrypted using a cipher or decrypted using a cipher.
- Some data packets may include a renegotiation request for use in renegotiating a cipher, which may include a password value, relative time, and, in some cases, an encryption algorithm.
- the computing device 200 may also include a memory 206 .
- the memory 206 may be configured to store data for use by the computing device 200 in performing the functions discussed herein, such as public and private keys, symmetric keys, etc.
- the memory 206 may be configured to store data using suitable data formatting methods and schema and may be any suitable type of memory, such as read-only memory, random access memory, etc.
- the memory 206 may include, for example, encryption keys and algorithms, communication protocols and standards, data formatting standards and protocols, program code for modules and application programs of the processing device, and other data that may be suitable for use by the computing device 200 in the performance of the functions disclosed herein as will be apparent to persons having skill in the relevant art.
- the memory 206 may be comprised of or may otherwise include a relational database that utilizes structured query language for the storage, identification, modifying, updating, accessing, etc. of structured data sets stored therein.
- the memory 206 may be configured to store, for example, relative times, ciphers, password values, encryption algorithms, protocol data, communication channel information, etc.
- FIG. 3 illustrates a process 300 for the renegotiation of a cipher by the computing device 200 , which may be the first computing device 102 and/or the second computing device 104 in the system 100 illustrated in FIG. 1 , for use in encrypting and decrypting data packets transmitted using the first communication channel 106 .
- the receiving device 202 may receive a renegotiation request from another computing device 200 transmitted using a second communication channel 108 .
- the renegotiation request may include a password value and relative time, and, in some cases, may also include an indication of an encryption algorithm to use.
- the relative time may be a time represented in any suitable format, such as a number of seconds.
- the receiving device 202 and/or other component in the computing device 200 e.g., the encryption module 218 ) may decrypt or otherwise perform functions to parse data from the data packet received using the second communication channel 108 .
- the generation module 216 of the computing device 200 may generate a new cipher using the password value from the renegotiation request and a predetermined encryption algorithm.
- the predetermined encryption algorithm may be specified in the renegotiation request, or may be already known to the computing device 200 , such as based on a past communication with the other computing device.
- the receiving device 202 of the computing device 200 may receive a new, encrypted data packet from the other computing device 200 that is electronically transmitted using the first communication channel 106 .
- the computing device 200 may determine if the relative time specified in the renegotiation request has elapsed since receipt thereof. If the relative time has elapsed, then the new cipher is to be used in communications between the computing devices. In such cases, in step 310 , the encryption module 218 of the computing device 200 may attempt to decrypt the encrypted data packet using the new cipher. In step 312 , the computing device 200 may determine if the attempted decryption using the new cipher was successful. If the decryption is successful, then, in step 314 , the computing device 200 may process the decrypted data packet using any suitable method, which may be based on the data contained in the data packet.
- step 308 the computing device 200 determines that the relative time has not yet passed, or, in step 312 , the decryption of the data packet using the new cipher is unsuccessful, then, in step 316 , the encryption module 218 of the computing device 200 may attempt to decrypt the encrypted data packet using the original cipher. In step 318 , the computing device 200 may determine if decryption using the original cipher was successful. If the decryption is successful, then the process 300 may proceed to step 314 where the decrypted data packet may be processed. If decryption is unsuccessful in step 318 , then, in step 320 , the computing device 200 may discard the data packet.
- steps 316 and 318 may only be attempted if decryption in step 312 is unsuccessful for a predetermined period of time or number of data packets following passage of the relative time in the renegotiation request. In such embodiments, if decryption is unsuccessful using the new cipher, the process 300 may proceed directly to step 320 for discarding of the data packet.
- FIG. 4 illustrates a method 400 for renegotiation of a cipher for use in an encrypted tunnel utilizing an asynchronous side channel for transmission of a renegotiation request.
- a first communication channel (e.g., first communication channel 106 ) and a second communication channel (e.g., second communication channel 108 ) may be established by a first computing device (e.g., first computing device 102 ) with a second computing device (e.g., second computing device 104 ), where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher.
- a renegotiation request may be received by a receiver (e.g., receiving device 202 ) of the first computing device from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time.
- a second cipher may be generated by a processor (e.g., generation module 216 ) of the first computing device using at least an encryption protocol and the password value.
- a new encrypted packet may be received by the receiver of the first computing device from the second computing device using the first communication channel.
- the new encrypted packet may be decrypted by the processor (e.g., encryption module 218 ) of the first computing device using the new cipher.
- the renegotiation request may further include the encryption protocol.
- the new encrypted packet may be received after the relative time has passed since receipt of the renegotiation request.
- the method 400 may further include storing, in a memory (e.g., memory 226 ) of the first computing device, the first cipher and the second cipher.
- the second communication channel may utilize a secure communication protocol.
- the method 400 may also include decrypting, by the processor of the first computing device, the new encrypted packet using the first cipher upon decryption failure using the second cipher.
- the first cipher may be used upon decryption failure for a predetermined period of time and/or predetermined number of received packets.
- the method 400 may even further include deleting, by the first computing device, the first cipher from a memory of the first computing device after the predetermined period of time and/or predetermined number of received packets.
- FIG. 5 illustrates a computer system 500 in which embodiments of the present disclosure, or portions thereof, may be implemented as computer-readable code.
- the first computing device 102 or second computing device 104 of FIG. 1 or the computing device 200 of FIG. 2 may be implemented in the computer system 500 using hardware, software, firmware, non-transitory computer readable media having instructions stored thereon, or a combination thereof and may be implemented in one or more computer systems or other processing systems.
- Hardware, software, or any combination thereof may embody modules and components used to implement the methods of FIGS. 3 and 4 .
- programmable logic may execute on a commercially available processing platform configured by executable software code to become a specific purpose computer or a special purpose device (e.g., programmable logic array, application-specific integrated circuit, etc.).
- a person having ordinary skill in the art may appreciate that embodiments of the disclosed subject matter can be practiced with various computer system configurations, including multi-core multiprocessor systems, minicomputers, mainframe computers, computers linked or clustered with distributed functions, as well as pervasive or miniature computers that may be embedded into virtually any device.
- at least one processor device and a memory may be used to implement the above described embodiments.
- a processor unit or device as discussed herein may be a single processor, a plurality of processors, or combinations thereof. Processor devices may have one or more processor “cores.”
- the terms “computer program medium,” “non-transitory computer readable medium,” and “computer usable medium” as discussed herein are used to generally refer to tangible media such as a removable storage unit 518 , a removable storage unit 522 , and a hard disk installed in hard disk drive 512 .
- Processor device 504 may be a special purpose or a general purpose processor device specifically configured to perform the functions discussed herein.
- the processor device 504 may be connected to a communications infrastructure 506 , such as a bus, message queue, network, multi-core message-passing scheme, etc.
- the network may be any network suitable for performing the functions as disclosed herein and may include a local area network (LAN), a wide area network (WAN), a wireless network (e.g., WiFi), a mobile communication network, a satellite network, the Internet, fiber optic, coaxial cable, infrared, radio frequency (RF), or any combination thereof.
- LAN local area network
- WAN wide area network
- WiFi wireless network
- mobile communication network e.g., a mobile communication network
- satellite network the Internet, fiber optic, coaxial cable, infrared, radio frequency (RF), or any combination thereof.
- RF radio frequency
- the computer system 500 may also include a main memory 508 (e.g., random access memory, read-only memory, etc.), and may also include a secondary memory 510 .
- the secondary memory 510 may include the hard disk drive 512 and a removable storage drive 514 , such as a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash memory, etc.
- the removable storage drive 514 may read from and/or write to the removable storage unit 518 in a well-known manner.
- the removable storage unit 518 may include a removable storage media that may be read by and written to by the removable storage drive 514 .
- the removable storage drive 514 is a floppy disk drive or universal serial bus port
- the removable storage unit 518 may be a floppy disk or portable flash drive, respectively.
- the removable storage unit 518 may be non-transitory computer readable recording media.
- the secondary memory 510 may include alternative means for allowing computer programs or other instructions to be loaded into the computer system 500 , for example, the removable storage unit 522 and an interface 520 .
- Examples of such means may include a program cartridge and cartridge interface (e.g., as found in video game systems), a removable memory chip (e.g., EEPROM, PROM, etc.) and associated socket, and other removable storage units 522 and interfaces 520 as will be apparent to persons having skill in the relevant art.
- Data stored in the computer system 500 may be stored on any type of suitable computer readable media, such as optical storage (e.g., a compact disc, digital versatile disc, Blu-ray disc, etc.) or magnetic tape storage (e.g., a hard disk drive).
- the data may be configured in any type of suitable database configuration, such as a relational database, a structured query language (SQL) database, a distributed database, an object database, etc. Suitable configurations and storage types will be apparent to persons having skill in the relevant art.
- the computer system 500 may also include a communications interface 524 .
- the communications interface 524 may be configured to allow software and data to be transferred between the computer system 500 and external devices.
- Exemplary communications interfaces 524 may include a modem, a network interface (e.g., an Ethernet card), a communications port, a PCMCIA slot and card, etc.
- Software and data transferred via the communications interface 524 may be in the form of signals, which may be electronic, electromagnetic, optical, or other signals as will be apparent to persons having skill in the relevant art.
- the signals may travel via a communications path 526 , which may be configured to carry the signals and may be implemented using wire, cable, fiber optics, a phone line, a cellular phone link, a radio frequency link, etc.
- the computer system 500 may further include a display interface 502 .
- the display interface 502 may be configured to allow data to be transferred between the computer system 500 and external display 530 .
- Exemplary display interfaces 502 may include high-definition multimedia interface (HDMI), digital visual interface (DVI), video graphics array (VGA), etc.
- the display 530 may be any suitable type of display for displaying data transmitted via the display interface 502 of the computer system 500 , including a cathode ray tube (CRT) display, liquid crystal display (LCD), light-emitting diode (LED) display, capacitive touch display, thin-film transistor (TFT) display, etc.
- CTR cathode ray tube
- LCD liquid crystal display
- LED light-emitting diode
- TFT thin-film transistor
- Computer program medium and computer usable medium may refer to memories, such as the main memory 508 and secondary memory 510 , which may be memory semiconductors (e.g., DRAMs, etc.). These computer program products may be means for providing software to the computer system 500 .
- Computer programs e.g., computer control logic
- Computer programs may be stored in the main memory 508 and/or the secondary memory 510 .
- Computer programs may also be received via the communications interface 524 .
- Such computer programs, when executed, may enable computer system 500 to implement the present methods as discussed herein.
- the computer programs, when executed may enable processor device 504 to implement the methods illustrated by FIGS. 3 and 4 , as discussed herein. Accordingly, such computer programs may represent controllers of the computer system 500 .
- the software may be stored in a computer program product and loaded into the computer system 500 using the removable storage drive 514 , interface 520 , and hard disk drive 512 , or communications interface 524 .
- the processor device 504 may comprise one or more modules or engines configured to perform the functions of the computer system 500 .
- Each of the modules or engines may be implemented using hardware and, in some instances, may also utilize software, such as corresponding to program code and/or programs stored in the main memory 508 or secondary memory 510 .
- program code may be compiled by the processor device 504 (e.g., by a compiling module or engine) prior to execution by the hardware of the computer system 500 .
- the program code may be source code written in a programming language that is translated into a lower level language, such as assembly language or machine code, for execution by the processor device 504 and/or any additional hardware components of the computer system 500 .
- the process of compiling may include the use of lexical analysis, preprocessing, parsing, semantic analysis, syntax-directed translation, code generation, code optimization, and any other techniques that may be suitable for translation of program code into a lower level language suitable for controlling the computer system 500 to perform the functions disclosed herein. It will be apparent to persons having skill in the relevant art that such processes result in the computer system 500 being a specially configured computer system 500 uniquely programmed to perform the functions discussed above.
Abstract
A method for asynchronous side channel cipher renegotiation includes: establishing, by a first computing device, a first communication channel and a second communication channel with a second computing device, where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher; receiving, by a receiver of the first computing device, a renegotiation request from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time; generating, by a processor of the first computing device, a second cipher using at least an encryption protocol and the password value; receiving, by the receiver of the first computing device, a new encrypted packet from the second computing device using the first communication channel; and decrypting, by the processor of the first computing device, the new encrypted packet using the second cipher.
Description
- The present disclosure relates to asynchronous side channel cipher renegotiation, specifically the use of an alternative communication channel to exchange data for use in renegotiating the cipher used in a primary communication channel that utilizes an encryption tunnel.
- Communication channels are utilized between computing systems, devices, application programs, and other discrete components used to exchange data, packets, media, and other messages. In many cases, two computing systems or devices may maintain a single communication channel over a long period of time where data may be exchanged, to reduce the need to reconnect, which may require complicated authentication processes and interrupt user experiences. However, in many cases once a communication channel is established, it can be susceptible to attack by a nefarious entity that may seek to intercept communications or inject its own data.
- Some methods to avoid the susceptibility of attacks in an established communication channel utilize asymmetric cryptography, such as through the use of shared secrets and cryptographic key pairs. In such methods, initial setup between the computing devices ensures the security of subsequent communications. However, asymmetric cryptography may not be available for all communication channels, particularly for peer-to-peer connections and other connections where ciphers may be necessary to encrypt communications between both endpoints.
- Thus, there is a need for a technical system to enable renegotiation of the cipher used in an encrypted tunnel, to protect a communication channel even in instances where a nefarious party may gain access to an original cipher.
- The present disclosure provides a description of systems and methods for asynchronous side channel cipher renegotiation. Two endpoint devices that share an encrypted tunnel may have a side channel established for communication between the two devices. When one endpoint device wants to renegotiate the cipher used for communications exchanged via the encrypted tunnel, that endpoint device transmits a renegotiation request using the side channel, where the request includes a password and a relative time offset. Use of a relative time offset may be superior to using an absolute time, as it may avoid complications arising from mismatched clocks on devices, removing the need for synchronization, and can make it more difficult for a nefarious actor to replay encrypted network traffic later. Each device can independently generate a new cipher using the password and a known encryption algorithm and, when the relative time has elapsed, can begin using the new cipher to decrypt messages transmitted using the encrypted tunnel. To accommodate for different packet transmission speeds and times, the devices can both continue to utilize the original cipher for a predetermined period of time or number of packets, which can then be discarded. The result is a seamless handoff from one cipher to another for use in the encrypted tunnel. As a result, any nefarious party that may acquire a cipher may only be able to use that cipher until a renegotiation takes place, limiting the ability to perform any detrimental actions with the stolen cipher. Thus, security of communications between both devices can be increased without expending significant time and resources and without incurring dropped network connections as a result of packet loss.
- A method for asynchronous side channel cipher renegotiation includes: establishing, by a first computing device, a first communication channel and a second communication channel with a second computing device, where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher; receiving, by a receiver of the first computing device, a renegotiation request from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time; generating, by a processor of the first computing device, a second cipher using at least an encryption protocol and the password value; receiving, by the receiver of the first computing device, a new encrypted packet from the second computing device using the first communication channel; and decrypting, by the processor of the first computing device, the new encrypted packet using the second cipher.
- A system for asynchronous side channel cipher renegotiation includes: a first computing device; a second computing device; a first communication channel established between the first computing device and the second computing device, where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher; and a second communication channel established between the first computing device and the second computing device, wherein the first computing device includes a receiver receiving a renegotiation request from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time, and a processor generating a second cipher using at least an encryption protocol and the password value, wherein the receiver further receives a new encrypted packet from the second computing device using the first communication channel, and the processor further decrypts the new encrypted packet using the second cipher.
- The scope of the present disclosure is best understood from the following detailed description of exemplary embodiments when read in conjunction with the accompanying drawings. Included in the drawings are the following figures:
-
FIG. 1 is a block diagram illustrating a high level system architecture for asynchronous side channel cipher renegotiation in accordance with exemplary embodiments. -
FIG. 2 is a block diagram illustrating a computing device for use in the system ofFIG. 1 for asynchronous side channel cipher renegotiation in accordance with exemplary embodiments. -
FIG. 3 is a flow diagram illustrating a process for renegotiation of a cipher using an asynchronous side channel by the computing device ofFIG. 2 in accordance with exemplary embodiments. -
FIG. 4 is a flow chart illustrating an exemplary method for asynchronous side channel cipher renegotiation in accordance with exemplary embodiments. -
FIG. 5 is a block diagram illustrating a computer system architecture in accordance with exemplary embodiments. - Further areas of applicability of the present disclosure will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description of exemplary embodiments are intended for illustration purposes only and are, therefore, not intended to necessarily limit the scope of the disclosure.
-
FIG. 1 illustrates asystem 100 for the renegotiation of a cipher for communications made using an encrypted tunnel between two computing devices using an asynchronous side channel. - The
system 100 may include afirst computing device 102 and asecond computing device 104. The computing devices, which may becomputing devices 200 illustrated inFIG. 2 and discussed in more detail below, may be configured to exchange communications using afirst communication channel 106. Thefirst communication channel 106 may be an encrypted tunnel, where any data packets or other communications transmitted thereby may be encrypted via use of a cipher. For instance, thefirst computing device 102 may encrypt a data packet using the cipher, may transmit the encrypted data packet to thesecond computing device 104 using thefirst communication channel 106, and thesecond computing device 104 may then decrypt the data packet using the same cipher. Thefirst communication channel 106 may utilize any communication protocol and method suitable for the operation and usage of an encrypted tunnel, such as user datagram protocol (UDP), secure shell (SSH), etc. While thesystem 100 inFIG. 1 illustrates thefirst computing device 102 andsecond computing device 104 as being separate and distinct devices, thefirst computing device 102 andsecond computing device 104 may be separate components in a single computing device, or one or more of the devices may be a component of a computing device that communicates with a separate computing device or a component in a separate computing device, such as a web extension of a web browsing application program that communicates with a network device or a web server. - The
first computing device 102 orsecond computing device 104 may have a desire to be able to renegotiate the cipher used in thefirst communication channel 106 during the course of operation thereof. For instance, thefirst computing device 102 andsecond computing device 106 may want to keep thefirst communication channel 106 in operation for several hours or days, where renegotiation of the cipher may result in higher security without the need to interrupt or reestablish thefirst communication channel 106. In order to facilitate renegotiation, thefirst computing device 102 and thesecond computing device 104 may have asecond communication channel 108 established between the two devices. Thesecond communication channel 108 may be a side channel that may utilize a different communication protocol than the first communication channel. For instance, thefirst communication channel 106 may utilize UDP while thesecond communication channel 108 may utilize transmission control protocol (TCP). Any suitable type of communication method and protocol may be utilized by thesecond communication channel 108. - When the
second computing device 104 wants to renegotiate the cipher, thesecond computing device 104 may electronically transmit a renegotiation request to thefirst computing device 102 using thesecond communication channel 108. While the methods and systems described herein have thesecond computing device 104 submitting the request, either computing device may submit a renegotiation request and thereby perform the functions of thesecond computing device 104. The renegotiation request may include at least a password value and a relative time. The password value may be a word, number, alphanumeric value, etc. that is used in generation of the new cipher. The relative time may be a time relative to the receipt and/or transmission of the renegotiation request at which time the devices are to begin to use the new cipher to encrypt/decrypt packets transmitted using thefirst communication channel 106. - The
first computing device 102 may receive the renegotiation request using thesecond communication channel 108 and decrypt or otherwise parse the data therefrom using any suitable method. Thefirst computing device 102 may then generate the new cipher using the password value from the renegotiation request and an agreed-upon encryption protocol, such as the advanced encryption standard (AES), triple data encryption algorithm (3DES), etc. Thesecond computing device 104 may also independently generate the new cipher using the password value and the agreed-upon encryption protocol. In some embodiments, the renegotiation request may specify the encryption protocol to be used. In other embodiments, the encryption protocol may be specified in a separate communication, during establishment of thefirst communication channel 106 orsecond communication channel 108, or at another suitable time. In some cases, the computing devices may utilize the same encryption protocol for all ciphers generated for use with thefirst communication channel 106. In other cases, multiple encryption protocols may be used through the life of thefirst communication channel 106. - Once the new cipher has been generated by both devices, each of the
computing devices first computing device 102 has officially changed to the new cipher). For instance, if the relative time is fifteen seconds, thefirst computing device 102 may start attempting to decrypt any packets received thirteen or fourteen seconds after receipt of the renegotiation request. Once thefirst computing device 102 receives a new data packet after the relative time has passed, they will utilize the new cipher when attempting to decrypt the new data packet. If the decryption fails, thefirst computing device 102 may attempt to use the original cipher for decryption. For example, due to transmission speeds and other factors, thefirst computing device 102 may still receive packets encrypted with the original cipher after the relative time has passed (e.g., thesecond computing device 104 may have transmitted a packet encrypted with the original cipher at 14.8 seconds, which may not be received by thefirst computing device 102 until 15.4 seconds). - The
first computing device 102 may attempt to use the original cipher to decrypt any data packets where decryption using the new cipher fails. If the attempt using the original cipher fails as well, then the data packet may be discarded. This may result in the connection being dropped if the computing devices are not using a reliable connection protocol (e.g., including, but not limited to, TCP, which enables the computing devices to re-transmit dropped packets). If the original cipher is successful in decrypting the data packet, then the data packet may be processed as applicable. In some cases, thefirst computing device 102 may only attempt to use the original cipher upon failure of the new cipher for a predetermined period of time and/or predetermined number of packets. For example, the original cipher may only be used for ten seconds after the relative time has passed or for a maximum of ten packets, whichever is met first. Such limits may prevent the ability for a nefarious party that is able to identify the original cipher from taking advantage of thefirst computing device 102 orsecond computing device 104. In an exemplary embodiment, once the predetermined period of time or predetermined number of packets has been exceeded, the original cipher may be deleted from thefirst computing device 102. It will be apparent to persons having skill in the relevant art that thesecond computing device 104 may be programmed to perform the same functions for data packets sent from thefirst computing device 102 using thefirst communication channel 106. - The following code represents an example implementation in the
first computing device 102 or thesecond computing device 104 of the processing of an incoming data packet using the new cipher, where the old cipher is attempted if decrypting using the new cipher fails: -
func (s *UDPSession) processIncomingPacket(data [ ]byte) { dataValid := false // Must lock to prevent segmentation fault while changing ciphers s.mu.Lock( ) if s.block != nil { var originaldata [ ]byte if s.oldblock != nil { // If the old block has been assigned an expiration time, check it and delete if necessary. This improves performance. if s.oldexpires.Before(time.Now( )) { s.oldblock = nil } else { // For best performance, decryption should be performed in-place to avoid unnecessary memory allocation. This destroys the original packet so during a cipher change, the original packet is preserved for a possible second attempt. originaldata = make([ ]byte, len(data)) copy(originaldata, data) } } s.block.Decrypt(data, data) // Calculate checksum using some common method _, validchecksum := calculateChecksum(data) if validchecksum { // Remove checksum from decrypted packet data = data[crcSize:] dataValid = true } else { // Decryption failed. Attempt using the prior cipher in case the packets were still in the process of being transmitted after the cipher was renegotiated. if s.oldblock != nil { s.oldblock.Decrypt(data, originaldata) _, validchecksum := calculateChecksum(data) if validchecksum { data = data[crcSize:] dataValid = true } } } } else if s.block == nil { dataValid = true } s.mu.Unlock( ) if dataValid { // Process decrypted packet } } - The methods and systems discussed herein enable two
computing devices encrypted tunnel 106 via the use of anasynchronous side channel 108. The renegotiation of the cipher may ensure that thefirst communication channel 106 can be maintained over a long period of time with minimal risk to exposure of the underlying data being transmitted thereby due to changes to the cipher. The use of the asynchronous side channel facilitates the renegotiation in a manner that is easy and secure, enabling the renegotiation to occur using minimal computing resources and bandwidth, and negating the need for reconnecting or reestablishing thefirst communication channel 106. In addition, the use of separate communication protocols for both channels, deletion of the original cipher, use of the original cipher after the relative time has passed, and the use of relative time further enhances the security offered by the methods discussed herein while maintaining full reliability of thefirst communication channel 106. Accordingly, the methods and systems discussed herein provide for significant security advantages over traditional systems without sacrificing convenience and reliability and without the need for new hardware and excessive communications. -
FIG. 2 illustrates an embodiment of acomputing device 200 in thesystem 100. It will be apparent to persons having skill in the relevant art that the embodiment of thecomputing device 200 illustrated inFIG. 2 is provided as illustration only and may not be exhaustive to all possible configurations of thecomputing device 200 suitable for performing the functions as discussed herein. For example, thecomputer system 500 illustrated inFIG. 5 and discussed in more detail below may be a suitable configuration of thecomputing device 200. Thefirst computing device 102 andsecond computing device 104 of thesystem 100 may be implemented as thecomputing device 200 as illustrated inFIG. 2 and discussed below. - The
computing device 200 may include a receivingdevice 202. The receivingdevice 202 may be configured to receive data over one or more networks via one or more network protocols. In some instances, the receivingdevice 202 may be configured to receive data fromother computing devices 200 and other systems and entities via one or more communication methods, such as radio frequency, local area networks, wireless area networks, cellular communication networks, Bluetooth, the Internet, etc. In some embodiments, the receivingdevice 202 may be comprised of multiple devices, such as different receiving devices for receiving data over different networks, such as a first receiving device for receiving data over a local area network and a second receiving device for receiving data via the Internet. The receivingdevice 202 may receive electronically transmitted data signals, where data may be superimposed or otherwise encoded on the data signal and decoded, parsed, read, or otherwise obtained via receipt of the data signal by the receivingdevice 202. In some instances, the receivingdevice 202 may include a parsing module for parsing the received data signal to obtain the data superimposed thereon. For example, the receivingdevice 202 may include a parser program configured to receive and transform the received data signal into usable input for the functions performed by the processing device to carry out the methods and systems described herein. - The receiving
device 202 may be configured to receive data signals electronically transmitted byother computing devices 200 that may be electronically transmitted usingfirst communication channels 106 andsecond communication channels 108 and may be superimposed or otherwise encoded with data packets, which may be encrypted using any suitable means. Such data packets may include a renegotiation request, which may include a password value, relative time, and, in some cases, an encryption method. Some data packets may be encrypted using a cipher, which may be changed following a renegotiation processed as discussed herein. - The
computing device 200 may also include acommunication module 204. Thecommunication module 204 may be configured to transmit data between modules, engines, databases, memories, and other components of thecomputing device 200 for use in performing the functions discussed herein. Thecommunication module 204 may be comprised of one or more communication types and utilize various communication methods for communications within a computing device. For example, thecommunication module 204 may be comprised of a bus, contact pin connectors, wires, etc. In some embodiments, thecommunication module 204 may also be configured to communicate between internal components of thecomputing device 200 and external components of thecomputing device 200, such as externally connected databases, display devices, input devices, etc. Thecomputing device 200 may also include a processing device. The processing device may be configured to perform the functions of thecomputing device 200 discussed herein as will be apparent to persons having skill in the relevant art. In some embodiments, the processing device may include and/or be comprised of a plurality of engines and/or modules specially configured to perform one or more functions of the processing device, such as aquerying module 214,generation module 216,encryption module 218, etc. As used herein, the term “module” may be software or hardware particularly programmed to receive an input, perform one or more processes using the input, and provides an output. The input, output, and processes performed by various modules will be apparent to one skilled in the art based upon the present disclosure. - The
computing device 200 may include aquerying module 214. Thequerying module 214 may be configured to execute queries on databases to identify information. Thequerying module 214 may receive one or more data values or query strings, and may execute a query string based thereon on an indicated database, such as amemory 206, to identify information stored therein. Thequerying module 214 may then output the identified information to an appropriate engine or module of thecomputing device 200 as necessary. Thequerying module 214 may, for example, execute a query on thememory 206 to identify an encryption algorithm for use in generating a new cipher based on a received password value. - The
computing device 200 may also include ageneration module 216. Thegeneration module 216 may be configured to generate data for thecomputing device 200 as part of the functions discussed herein. Thegeneration module 216 may receiving instructions as input, may perform generate data as instructed, and may output the generated data to another module or engine of thecomputing device 200. In some cases, data to be used in the generation may be included in the input. In some instances, thegeneration module 216 may be configured to identify data for use in the requested generation, such as by instructing thequerying module 214 to perform one or more queries for data. Thegeneration module 216 may, for example, be configured to generate ciphers using specific encryption algorithms and password values and generate data packets for transmission using thefirst communication channel 106 andsecond communication channel 108. - The
computing device 200 may also include anencryption module 218. Theencryption module 218 may be configured to encrypt or decrypt data for thecomputing device 200 for performing the functions discussed herein. Theencryption module 218 may receive data as input for decryption or encryption, may encrypt or decrypt the data as instructed, and may output the result to another module or engine of thecomputing device 200. In some cases, the input may include the cipher to be used for encryption or decryption. In other cases, theencryption module 218 may be configured to identify the cipher to be used, such as by instructing thequerying module 214 to execute a query on the memory 226 to identify a cipher for use. Theencryption module 218 may be configured to, for example, encrypt or decrypt data packets that are transmitted or received using thefirst communication channel 106. - The
computing device 200 may also include atransmitting device 220. The transmittingdevice 220 may be configured to transmit data over one or more networks via one or more network protocols. In some instances, the transmittingdevice 220 may be configured to transmit data toother computing devices 200 and other entities via one or more communication methods, local area networks, wireless area networks, cellular communication, Bluetooth, radio frequency, the Internet, etc. In some embodiments, the transmittingdevice 220 may be comprised of multiple devices, such as different transmitting devices for transmitting data over different networks, such as a first transmitting device for transmitting data over a local area network and a second transmitting device for transmitting data via the Internet. The transmittingdevice 220 may electronically transmit data signals that have data superimposed that may be parsed by a receiving computing device. In some instances, the transmittingdevice 220 may include one or more modules for superimposing, encoding, or otherwise formatting data into data signals suitable for transmission. - The transmitting
device 220 may be configured to electronically transmit data signals toother computing devices 200 that are electronically transmitted using thefirst communication channel 106 orsecond communication channel 108, which may be superimposed or otherwise encoded with data packets. The data packets may be encrypted using a cipher or decrypted using a cipher. Some data packets may include a renegotiation request for use in renegotiating a cipher, which may include a password value, relative time, and, in some cases, an encryption algorithm. - The
computing device 200 may also include amemory 206. Thememory 206 may be configured to store data for use by thecomputing device 200 in performing the functions discussed herein, such as public and private keys, symmetric keys, etc. Thememory 206 may be configured to store data using suitable data formatting methods and schema and may be any suitable type of memory, such as read-only memory, random access memory, etc. Thememory 206 may include, for example, encryption keys and algorithms, communication protocols and standards, data formatting standards and protocols, program code for modules and application programs of the processing device, and other data that may be suitable for use by thecomputing device 200 in the performance of the functions disclosed herein as will be apparent to persons having skill in the relevant art. In some embodiments, thememory 206 may be comprised of or may otherwise include a relational database that utilizes structured query language for the storage, identification, modifying, updating, accessing, etc. of structured data sets stored therein. Thememory 206 may be configured to store, for example, relative times, ciphers, password values, encryption algorithms, protocol data, communication channel information, etc. -
FIG. 3 illustrates aprocess 300 for the renegotiation of a cipher by thecomputing device 200, which may be thefirst computing device 102 and/or thesecond computing device 104 in thesystem 100 illustrated inFIG. 1 , for use in encrypting and decrypting data packets transmitted using thefirst communication channel 106. - In
step 302, the receivingdevice 202 may receive a renegotiation request from anothercomputing device 200 transmitted using asecond communication channel 108. The renegotiation request may include a password value and relative time, and, in some cases, may also include an indication of an encryption algorithm to use. The relative time may be a time represented in any suitable format, such as a number of seconds. In some cases, the receivingdevice 202 and/or other component in the computing device 200 (e.g., the encryption module 218) may decrypt or otherwise perform functions to parse data from the data packet received using thesecond communication channel 108. - In
step 304, thegeneration module 216 of thecomputing device 200 may generate a new cipher using the password value from the renegotiation request and a predetermined encryption algorithm. The predetermined encryption algorithm may be specified in the renegotiation request, or may be already known to thecomputing device 200, such as based on a past communication with the other computing device. Instep 306, the receivingdevice 202 of thecomputing device 200 may receive a new, encrypted data packet from theother computing device 200 that is electronically transmitted using thefirst communication channel 106. - In
step 308, thecomputing device 200 may determine if the relative time specified in the renegotiation request has elapsed since receipt thereof. If the relative time has elapsed, then the new cipher is to be used in communications between the computing devices. In such cases, instep 310, theencryption module 218 of thecomputing device 200 may attempt to decrypt the encrypted data packet using the new cipher. Instep 312, thecomputing device 200 may determine if the attempted decryption using the new cipher was successful. If the decryption is successful, then, instep 314, thecomputing device 200 may process the decrypted data packet using any suitable method, which may be based on the data contained in the data packet. - If, in
step 308, thecomputing device 200 determines that the relative time has not yet passed, or, instep 312, the decryption of the data packet using the new cipher is unsuccessful, then, instep 316, theencryption module 218 of thecomputing device 200 may attempt to decrypt the encrypted data packet using the original cipher. Instep 318, thecomputing device 200 may determine if decryption using the original cipher was successful. If the decryption is successful, then theprocess 300 may proceed to step 314 where the decrypted data packet may be processed. If decryption is unsuccessful instep 318, then, instep 320, thecomputing device 200 may discard the data packet. In some embodiments,steps step 312 is unsuccessful for a predetermined period of time or number of data packets following passage of the relative time in the renegotiation request. In such embodiments, if decryption is unsuccessful using the new cipher, theprocess 300 may proceed directly to step 320 for discarding of the data packet. -
FIG. 4 illustrates amethod 400 for renegotiation of a cipher for use in an encrypted tunnel utilizing an asynchronous side channel for transmission of a renegotiation request. - In
step 402, a first communication channel (e.g., first communication channel 106) and a second communication channel (e.g., second communication channel 108) may be established by a first computing device (e.g., first computing device 102) with a second computing device (e.g., second computing device 104), where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher. Instep 404, a renegotiation request may be received by a receiver (e.g., receiving device 202) of the first computing device from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time. - In
step 406, a second cipher may be generated by a processor (e.g., generation module 216) of the first computing device using at least an encryption protocol and the password value. Instep 408, a new encrypted packet may be received by the receiver of the first computing device from the second computing device using the first communication channel. Instep 410, the new encrypted packet may be decrypted by the processor (e.g., encryption module 218) of the first computing device using the new cipher. - In one embodiment, the renegotiation request may further include the encryption protocol. In some embodiments, the new encrypted packet may be received after the relative time has passed since receipt of the renegotiation request. In one embodiment, the
method 400 may further include storing, in a memory (e.g., memory 226) of the first computing device, the first cipher and the second cipher. In some embodiments, the second communication channel may utilize a secure communication protocol. - In one embodiment, the
method 400 may also include decrypting, by the processor of the first computing device, the new encrypted packet using the first cipher upon decryption failure using the second cipher. In a further embodiment, the first cipher may be used upon decryption failure for a predetermined period of time and/or predetermined number of received packets. In an even further embodiment, themethod 400 may even further include deleting, by the first computing device, the first cipher from a memory of the first computing device after the predetermined period of time and/or predetermined number of received packets. -
FIG. 5 illustrates acomputer system 500 in which embodiments of the present disclosure, or portions thereof, may be implemented as computer-readable code. For example, thefirst computing device 102 orsecond computing device 104 ofFIG. 1 or thecomputing device 200 ofFIG. 2 may be implemented in thecomputer system 500 using hardware, software, firmware, non-transitory computer readable media having instructions stored thereon, or a combination thereof and may be implemented in one or more computer systems or other processing systems. Hardware, software, or any combination thereof may embody modules and components used to implement the methods ofFIGS. 3 and 4 . - If programmable logic is used, such logic may execute on a commercially available processing platform configured by executable software code to become a specific purpose computer or a special purpose device (e.g., programmable logic array, application-specific integrated circuit, etc.). A person having ordinary skill in the art may appreciate that embodiments of the disclosed subject matter can be practiced with various computer system configurations, including multi-core multiprocessor systems, minicomputers, mainframe computers, computers linked or clustered with distributed functions, as well as pervasive or miniature computers that may be embedded into virtually any device. For instance, at least one processor device and a memory may be used to implement the above described embodiments.
- A processor unit or device as discussed herein may be a single processor, a plurality of processors, or combinations thereof. Processor devices may have one or more processor “cores.” The terms “computer program medium,” “non-transitory computer readable medium,” and “computer usable medium” as discussed herein are used to generally refer to tangible media such as a
removable storage unit 518, aremovable storage unit 522, and a hard disk installed inhard disk drive 512. - Various embodiments of the present disclosure are described in terms of this
example computer system 500. After reading this description, it will become apparent to a person skilled in the relevant art how to implement the present disclosure using other computer systems and/or computer architectures. Although operations may be described as a sequential process, some of the operations may in fact be performed in parallel, concurrently, and/or in a distributed environment, and with program code stored locally or remotely for access by single or multi-processor machines. In addition, in some embodiments the order of operations may be rearranged without departing from the spirit of the disclosed subject matter. -
Processor device 504 may be a special purpose or a general purpose processor device specifically configured to perform the functions discussed herein. Theprocessor device 504 may be connected to acommunications infrastructure 506, such as a bus, message queue, network, multi-core message-passing scheme, etc. The network may be any network suitable for performing the functions as disclosed herein and may include a local area network (LAN), a wide area network (WAN), a wireless network (e.g., WiFi), a mobile communication network, a satellite network, the Internet, fiber optic, coaxial cable, infrared, radio frequency (RF), or any combination thereof. Other suitable network types and configurations will be apparent to persons having skill in the relevant art. Thecomputer system 500 may also include a main memory 508 (e.g., random access memory, read-only memory, etc.), and may also include asecondary memory 510. Thesecondary memory 510 may include thehard disk drive 512 and aremovable storage drive 514, such as a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash memory, etc. - The
removable storage drive 514 may read from and/or write to theremovable storage unit 518 in a well-known manner. Theremovable storage unit 518 may include a removable storage media that may be read by and written to by theremovable storage drive 514. For example, if theremovable storage drive 514 is a floppy disk drive or universal serial bus port, theremovable storage unit 518 may be a floppy disk or portable flash drive, respectively. In one embodiment, theremovable storage unit 518 may be non-transitory computer readable recording media. - In some embodiments, the
secondary memory 510 may include alternative means for allowing computer programs or other instructions to be loaded into thecomputer system 500, for example, theremovable storage unit 522 and aninterface 520. Examples of such means may include a program cartridge and cartridge interface (e.g., as found in video game systems), a removable memory chip (e.g., EEPROM, PROM, etc.) and associated socket, and otherremovable storage units 522 andinterfaces 520 as will be apparent to persons having skill in the relevant art. - Data stored in the computer system 500 (e.g., in the
main memory 508 and/or the secondary memory 510) may be stored on any type of suitable computer readable media, such as optical storage (e.g., a compact disc, digital versatile disc, Blu-ray disc, etc.) or magnetic tape storage (e.g., a hard disk drive). The data may be configured in any type of suitable database configuration, such as a relational database, a structured query language (SQL) database, a distributed database, an object database, etc. Suitable configurations and storage types will be apparent to persons having skill in the relevant art. - The
computer system 500 may also include acommunications interface 524. Thecommunications interface 524 may be configured to allow software and data to be transferred between thecomputer system 500 and external devices. Exemplary communications interfaces 524 may include a modem, a network interface (e.g., an Ethernet card), a communications port, a PCMCIA slot and card, etc. Software and data transferred via thecommunications interface 524 may be in the form of signals, which may be electronic, electromagnetic, optical, or other signals as will be apparent to persons having skill in the relevant art. The signals may travel via acommunications path 526, which may be configured to carry the signals and may be implemented using wire, cable, fiber optics, a phone line, a cellular phone link, a radio frequency link, etc. - The
computer system 500 may further include adisplay interface 502. Thedisplay interface 502 may be configured to allow data to be transferred between thecomputer system 500 andexternal display 530. Exemplary display interfaces 502 may include high-definition multimedia interface (HDMI), digital visual interface (DVI), video graphics array (VGA), etc. Thedisplay 530 may be any suitable type of display for displaying data transmitted via thedisplay interface 502 of thecomputer system 500, including a cathode ray tube (CRT) display, liquid crystal display (LCD), light-emitting diode (LED) display, capacitive touch display, thin-film transistor (TFT) display, etc. - Computer program medium and computer usable medium may refer to memories, such as the
main memory 508 andsecondary memory 510, which may be memory semiconductors (e.g., DRAMs, etc.). These computer program products may be means for providing software to thecomputer system 500. Computer programs (e.g., computer control logic) may be stored in themain memory 508 and/or thesecondary memory 510. Computer programs may also be received via thecommunications interface 524. Such computer programs, when executed, may enablecomputer system 500 to implement the present methods as discussed herein. In particular, the computer programs, when executed, may enableprocessor device 504 to implement the methods illustrated byFIGS. 3 and 4 , as discussed herein. Accordingly, such computer programs may represent controllers of thecomputer system 500. Where the present disclosure is implemented using software, the software may be stored in a computer program product and loaded into thecomputer system 500 using theremovable storage drive 514,interface 520, andhard disk drive 512, orcommunications interface 524. - The
processor device 504 may comprise one or more modules or engines configured to perform the functions of thecomputer system 500. Each of the modules or engines may be implemented using hardware and, in some instances, may also utilize software, such as corresponding to program code and/or programs stored in themain memory 508 orsecondary memory 510. In such instances, program code may be compiled by the processor device 504 (e.g., by a compiling module or engine) prior to execution by the hardware of thecomputer system 500. For example, the program code may be source code written in a programming language that is translated into a lower level language, such as assembly language or machine code, for execution by theprocessor device 504 and/or any additional hardware components of thecomputer system 500. The process of compiling may include the use of lexical analysis, preprocessing, parsing, semantic analysis, syntax-directed translation, code generation, code optimization, and any other techniques that may be suitable for translation of program code into a lower level language suitable for controlling thecomputer system 500 to perform the functions disclosed herein. It will be apparent to persons having skill in the relevant art that such processes result in thecomputer system 500 being a specially configuredcomputer system 500 uniquely programmed to perform the functions discussed above. - Techniques consistent with the present disclosure provide, among other features, systems and methods for asynchronous side channel cipher renegotiation. While various exemplary embodiments of the disclosed system and method have been described above it should be understood that they have been presented for purposes of example only, not limitations. It is not exhaustive and does not limit the disclosure to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practicing of the disclosure, without departing from the breadth or scope.
Claims (16)
1. A method for asynchronous side channel cipher renegotiation, comprising:
establishing, by a first computing device, a first communication channel and a second communication channel with a second computing device, where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher;
receiving, by a receiver of the first computing device, a renegotiation request from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time;
generating, by a processor of the first computing device, a second cipher using at least an encryption protocol and the password value;
receiving, by the receiver of the first computing device, a new encrypted packet from the second computing device using the first communication channel; and
decrypting, by the processor of the first computing device, the new encrypted packet using the second cipher.
2. The method of claim 1 , wherein the renegotiation request further includes the encryption protocol.
3. The method of claim 1 , wherein the new encrypted packet is received after the relative time has passed since receipt of the renegotiation request.
4. The method of claim 1 , further comprising:
decrypting, by the processor of the first computing device, the new encrypted packet using the first cipher upon decryption failure using the second cipher.
5. The method of claim 4 , wherein the first cipher is used upon decryption failure for a predetermined period of time and/or predetermined number of received packets.
6. The method of claim 5 , further comprising:
deleting, by the first computing device, the first cipher from a memory of the first computing device after the predetermined period of time and/or predetermined number of received packets.
7. The method of claim 1 , further comprising:
storing, in a memory of the first computing device, the first cipher and the second cipher.
8. The method of claim 1 , wherein the second communication channel uses a secure communication protocol.
9. A system for asynchronous side channel cipher renegotiation, comprising:
a first computing device;
a second computing device;
a first communication channel established between the first computing device and the second computing device, where the first communication channel is an encrypted tunnel and packages exchanged using the encrypted tunnel are encrypted using a first cipher; and
a second communication channel established between the first computing device and the second computing device, wherein
the first computing device includes
a receiver receiving a renegotiation request from the second computing device using the second communication channel, where the renegotiation request includes at least a password value and a relative time, and
a processor generating a second cipher using at least an encryption protocol and the password value, wherein
the receiver further receives a new encrypted packet from the second computing device using the first communication channel, and
the processor further decrypts the new encrypted packet using the second cipher.
10. The system of claim 9 , wherein the renegotiation request further includes the encryption protocol.
11. The system of claim 9 , wherein the new encrypted packet is received after the relative time has passed since receipt of the renegotiation request.
12. The system of claim 9 , wherein the processor of the first computing device further decrypts the new encrypted packet using the first cipher upon decryption failure using the second cipher.
13. The system of claim 12 , wherein the first cipher is used upon decryption failure for a predetermined period of time and/or predetermined number of received packets.
14. The system of claim 13 , wherein the first computing device deletes the first cipher from a memory of the first computing device after the predetermined period of time and/or predetermined number of received packets.
15. The system of claim 9 , wherein the first computing device further includes a memory storing the first cipher and the second cipher.
16. The system of claim 9 , wherein the second communication channel uses a secure communication protocol.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/562,525 US20210075777A1 (en) | 2019-09-06 | 2019-09-06 | Method and system for asynchronous side channel cipher renegotiation |
US17/390,375 US11700243B2 (en) | 2019-09-06 | 2021-07-30 | Method and system for asynchronous side channel cipher renegotiation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/562,525 US20210075777A1 (en) | 2019-09-06 | 2019-09-06 | Method and system for asynchronous side channel cipher renegotiation |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/390,375 Continuation US11700243B2 (en) | 2019-09-06 | 2021-07-30 | Method and system for asynchronous side channel cipher renegotiation |
Publications (1)
Publication Number | Publication Date |
---|---|
US20210075777A1 true US20210075777A1 (en) | 2021-03-11 |
Family
ID=74850506
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/562,525 Abandoned US20210075777A1 (en) | 2019-09-06 | 2019-09-06 | Method and system for asynchronous side channel cipher renegotiation |
US17/390,375 Active 2039-11-28 US11700243B2 (en) | 2019-09-06 | 2021-07-30 | Method and system for asynchronous side channel cipher renegotiation |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/390,375 Active 2039-11-28 US11700243B2 (en) | 2019-09-06 | 2021-07-30 | Method and system for asynchronous side channel cipher renegotiation |
Country Status (1)
Country | Link |
---|---|
US (2) | US20210075777A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11700243B2 (en) | 2019-09-06 | 2023-07-11 | Action Streamer, LLC | Method and system for asynchronous side channel cipher renegotiation |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5404403A (en) | 1990-09-17 | 1995-04-04 | Motorola, Inc. | Key management in encryption systems |
US5311596A (en) | 1992-08-31 | 1994-05-10 | At&T Bell Laboratories | Continuous authentication using an in-band or out-of-band side channel |
US7436965B2 (en) | 2003-02-19 | 2008-10-14 | Microsoft Corporation | Optical out-of-band key distribution |
US7310730B1 (en) | 2003-05-27 | 2007-12-18 | Cisco Technology, Inc. | Method and apparatus for communicating an encrypted broadcast to virtual private network receivers |
US8613071B2 (en) | 2005-08-10 | 2013-12-17 | Riverbed Technology, Inc. | Split termination for secure communication protocols |
GB0517592D0 (en) * | 2005-08-25 | 2005-10-05 | Vodafone Plc | Data transmission |
US8422687B2 (en) | 2008-05-30 | 2013-04-16 | Lantiq Deutschland Gmbh | Key management for communication networks |
US9654505B2 (en) * | 2009-06-22 | 2017-05-16 | Citrix Systems, Inc. | Systems and methods for encoding the core identifier in the session identifier |
US20110119487A1 (en) | 2009-11-13 | 2011-05-19 | Velocite Systems, LLC | System and method for encryption rekeying |
US8190879B2 (en) | 2009-12-17 | 2012-05-29 | Cisco Technology, Inc. | Graceful conversion of a security to a non-security transparent proxy |
US8700892B2 (en) | 2010-03-19 | 2014-04-15 | F5 Networks, Inc. | Proxy SSL authentication in split SSL for client-side proxy agent resources with content insertion |
US8543805B2 (en) | 2010-04-21 | 2013-09-24 | Citrix Systems, Inc. | Systems and methods for split proxying of SSL via WAN appliances |
US8667265B1 (en) | 2010-07-28 | 2014-03-04 | Sandia Corporation | Hardware device binding and mutual authentication |
US8843737B2 (en) * | 2011-07-24 | 2014-09-23 | Telefonaktiebolaget L M Ericsson (Publ) | Enhanced approach for transmission control protocol authentication option (TCP-AO) with key management protocols (KMPS) |
US10178181B2 (en) | 2014-04-02 | 2019-01-08 | Cisco Technology, Inc. | Interposer with security assistant key escrow |
US9578016B2 (en) * | 2014-07-17 | 2017-02-21 | Riverbed Technology, Inc. | Optimizing secure communications between a client authenticating server and a mobile client |
US9888037B1 (en) * | 2015-08-27 | 2018-02-06 | Amazon Technologies, Inc. | Cipher suite negotiation |
US9781081B1 (en) | 2015-10-02 | 2017-10-03 | Amazon Technologies, Inc. | Leveraging transport-layer cryptographic material |
US11212089B2 (en) | 2017-10-04 | 2021-12-28 | Amir Keyvan Khandani | Methods for secure data storage |
US10880342B2 (en) | 2018-03-15 | 2020-12-29 | Jive Communications, Inc. | Dynamically controlling communication channels during a communication session |
US20210075777A1 (en) | 2019-09-06 | 2021-03-11 | Winston Privacy | Method and system for asynchronous side channel cipher renegotiation |
-
2019
- 2019-09-06 US US16/562,525 patent/US20210075777A1/en not_active Abandoned
-
2021
- 2021-07-30 US US17/390,375 patent/US11700243B2/en active Active
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11700243B2 (en) | 2019-09-06 | 2023-07-11 | Action Streamer, LLC | Method and system for asynchronous side channel cipher renegotiation |
Also Published As
Publication number | Publication date |
---|---|
US11700243B2 (en) | 2023-07-11 |
US20210359983A1 (en) | 2021-11-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11664990B2 (en) | Method and system for distributed cryptographic key provisioning and storage via elliptic curve cryptography | |
US10841097B2 (en) | Method and system for verification of identity attribute information | |
US10404464B2 (en) | Method and system for secure FIDO development kit with embedded hardware | |
EP3554042B1 (en) | Method and system for managing centralized encryption and data format validation for secure real time multi-party data distribution | |
US8284944B2 (en) | Unified and persistent system and method for automatic configuration of encryption | |
US11621826B2 (en) | Method and system for HTTP session management using hash chains | |
US11888965B2 (en) | Method and system for IOT device digital asset permission transfer system using blockchain network | |
WO2021244489A1 (en) | Method and apparatus for transmitting encryption control overhead in optical transport network | |
US11606193B2 (en) | Distributed session resumption | |
WO2019019593A1 (en) | Stateless communication security signature method, terminal and server end | |
US11700243B2 (en) | Method and system for asynchronous side channel cipher renegotiation | |
CN109088731B (en) | Internet of things cloud communication method and device | |
CN115001716B (en) | Network data processing method and system of education all-in-one machine and education all-in-one machine | |
US20230196346A1 (en) | Method and system of providing for offline transactions in digital currencies | |
CN114928756B (en) | Video data protection, encryption and verification method, system and equipment | |
WO2018039099A1 (en) | Method and system for secure fido development kit with embedded hardware and for secure device based biometric authentication scheme | |
EP3952204A2 (en) | Coordinated management of cryptographic keys for communication with peripheral devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: WINSTON PRIVACY, ILLINOIS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:STOKES, RICHARD;REEL/FRAME:050288/0644 Effective date: 20190905 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |