80 results about "Anti-replay" patented technology

An improved method is described for providing Differentiated Services (Diffserv) traffic to a node in a network that implements a security method that discards duplicate packets received at the node. The method includes the step of identifying at least two service levels to be provided to received traffic and assigning separate sequential sequence numbers and different anti-replay bitmasks to each of the service levels. The anti-replay bitmask indicates the sequence numbers of packets that have been previously received at the node that should be compared against a received packet to determine whether a duplicate packet has been received. Such an arrangement reduces the possibility that traffic having lower priority is dropped as a security measure.

A method and apparatus for updating an anti-replay window in Internet Protocol Security (IPSec). The method includes determining whether a difference between a sequence number extracted from a received packet and a maximum value of a sequence number of an anti-replay window is greater than a predetermined value; if it is determined that the difference is greater than the predetermined value, creating a first bit map based on a size of the anti-replay window and a second bit map based on the sequence number extracted from the received packet, respectively; comparing the number of bit values in the first bit map of packets received during a predetermined time with the number of bit values in the second bit map of packets received during the predetermined time, and updating the anti-replay window.

A method of routing data over an Internet Protocol security (IPSec) network, the method comprising: receiving packets for transmission over the IPSec network, controlling the order of processing of the packets, determining whether each packet requires security features, feeding of the packets to a post-queue line interface module according to the order of processing the packets and allocating a sequence number to each packet in the order of feeding of packets to the post-queue line interface module. A packet requiring security features are provided with such features, which may be AH or ESP protocol, before it is transmitted over the Internet Protocol security network. As the queueing of the packet is done before the packet is provided with security features, the quality of service of the IPSec network is improved with the packets being received at the anti-replay window according to the order of the allocated sequence numbers.

A mechanism for providing strong anti-replay protection at a security gateway in a network for protection against an attacker duplicating encrypted packets. The mechanism assigns a unique sequence number to each encrypted packet and a time stamp. A receiving security gateway rejects packets that have a duplicative sequence number or that is too old to protect itself against replay attacks. Each security gateway checks off the sequence numbers as they are received knowing that the sending security gateway assigns sequence numbers in an increasing order. The receiving security gateway remembers the value of the highest sequence number that it has already seen as well as up to N additional sequence numbers. Any packet with a duplicative sequence number is discarded. In addition to the sequence number, each packet also has an associated time stamp that corresponds to an epoch during which it should be received. If the packet is received after the epoch has expired, the packet is rejected.

The invention provides an anti-replay-attack system for an industrial wireless network, which introduces a third-party detection mechanism in order to reduce system resource consumption. The industrial wireless network comprises a gateway, a router, field equipment and network security manager. The anti-replay-attack system for the industrial wireless network comprises a third-party detection module used for detecting whether intrusion data packets and replay attack data packets exist in the industrial wireless network or not and sending detection results to the network security manager, and the network security manager compares the system resource consumption caused by replay attacks with resource consumption brought by using an anti-replay-attack means to determine whether the anti-replay-attack means is used, thereby effectively preventing the anti-replay-attack means from bringing more system resource consumption than the replay attacks, and two time stamps of creation time and sending time are added in the data packet by a sender, so that the certainty and uniqueness of messages can be ensured; a receiver detection mechanism is adopted, and the data packets of the replay attacks are judged and discarded by a receiver so as to solve the problems of ID authentication and the like.

The invention provides a method for realizing IPSec anti-replay attack, wherein, a plurality of sliding-windows are utilized to distinguish whether a received message is new in a system providing the IPSec service. For a multi-core architecture, the IPSec anti-replay attack function is perfected by utilizing the multi-sliding window technique, thereby avoiding the technical problem that system performance decreases badly caused by single sliding windows and lock mechanism. In the method, the message with specific type is dispatched to an appointed IPSec processing unit through a pretreatment module according to a plaintext serial-number on an IPSec message header, thereby leading the anti-replay attack detection to be more accurate.

The invention discloses a message anti-replay method, a message anti-replay device and a network device which are based on IPSec (internet protocol security). The method includes: comparing a serial number of an IPSec message with a preset serial number range corresponding to a sliding window in a receiving window, and filtering the replay message by means of cyclic shift of the sliding window in the receiving window according to a comparison result. Sliding shift of the sliding window can be achieved only by cyclic shift of the sliding window in the receiving window, and the replay message can be filtered by means of cyclic shift of the sliding window, so that processing complexity of shift of the sliding window can be lowered, system overhead is reduced, and processing efficiency is improved. Therefore, the problems of processing complexity and low processing efficiency due to the fact that message anti-replay processing is performed by shifting the sliding window by means of sequential shift in the prior art are solved.

Described embodiments provide a network processor that includes a security protocol processor to prevent replay attacks on the network processor. A memory stores security associations for anti-replay operations. A pre-fetch module retrieves an anti-replay window corresponding to a data stream of the network processor. The anti-replay window has a range of sequence numbers. When the network processor receives a data packet, the security hardware accelerator determines a value of the received sequence number with respect to minimum and maximum values of a sequence number range of the anti-replay window. Depending on the value, the data packet is either received or accepted. The anti-replay window might be updated to reflect the receipt of the most recent data packet.

Described embodiments provide a network processor that includes a security sub-processor to prevent replay attacks on the network processor. A memory stores an anti-replay window corresponding to a data stream of the network processor. The anti-replay window has N bits initialized to correspond to data packet sequence numbers in the range 1 to N. The anti-replay memory is stored in a plurality of data words. A plurality of flip-flops store word valid bits corresponding to each of the data words. A multiplexer selects the word valid bit corresponding to a data word requested by the security processor, and an AND gate performs a bitwise AND operation between the selected data word and word valid bit. When the network processor receives a data packet, the security sub-processor determines a value of the received sequence number with respect to minimum and maximum values of a sequence number range of the anti-replay window.

A live non-volatile (NV) replay technique enables a partner node to efficiently takeover a failed node of a high-availability pair in a multi-node storage cluster by dynamically replaying operations synchronously logged in a non-volatile random access memory (NVRAM) of the partner node, while also providing high performance during normal operation. Dynamic live replay may be effected through interpretation of metadata describing the logged operations. The metadata may specify a location and type of each logged operation within a partner portion of the NVRAM, as well as any dependency among the logged operation and any other logged operations that would impose an ordering constraint. During normal operation, the partner node may consult the metadata to identify dependent logged operations and dynamically replay those operations to satisfy one or more requests. Upon failure of the node, the partner node may replay, in parallel, those logged operations having no imposed ordering constraint, thereby reducing time needed to complete takeover of the failed node.

The embodiment of the invention discloses an anti-replay attack method, a sending end, a receiving end, a corresponding computer device and a program product. The method disclosed by the embodiment ofthe invention comprises the following steps: when the sending end needs to send target information to the receiving end, the sending end uses anti-replay information and the target information as plaintext information, wherein the anti-replay information is applied to anti-replay attack verification; the sending end performs digital signature on the plaintext information to obtain corresponding signature information; and the sending end sends the plaintext information and the signature information to the receiving end, so that the receiving end performs signature verification on the plaintextinformation according to the signature information, and after the signature verification is passed, the receiving end performs anti-replay attack verification on the target information according to the anti-replay information.

The invention discloses an anti-tamper and anti-replay method in support of REST API. The method includes the following steps: 1. an API invocation end applying access authority and secret key for performing signing to an API server; 2. the API invocation end generating invocation timestamp and random number, ranking request parameters in a lexicographic order, in combination with system request headers, performing signing with the applied secret key; 3. the server detecting the identity of the API invocation person, determining whether the API invocation person has invocation authority; 4. the server using the same secret key to sign request parameters and system request headers in accordance with same rules, comparing whether the signatures are the same, and preventing the parameters from being tampered; 5. the server determining the API invocation timestamp, and determining timeout; and 6. the server re-determining random number. According to the invention, the API invocation person only needs to strictly save the secret key, and attacker does not need to forge the signature and the parameters in the request process are unable to be tampered, thus achieving safe access to API.

The invention discloses a method and equipment for updating an anti-replay parameter during master and slave switching. During master and slave switching, new master equipment sets IPSec SA to be invalid, acquires an anti-replay window and an anti-replay sequence number from opposite-end equipment of an IPSec tunnel to update the anti-replay window and the anti-replay sequence number of the IPSec SA per se, and sets the corresponding IPSec SA to be valid after the update is finished to process data so that the new master equipment can acquire the real and reliable anti-replay window and anti-replay sequence number and the security of data transmission is ensured.

The gaming network described herein includes network security features, host security features, audit protocols, and design architecture approaches to reduce the possibility of network attacks. The gaming network provides for traffic confidentiality, encryption, message authentication, secure authentication mechanisms, anti-replay protection of traffic, key management mechanisms, robust network availability, misrouting and redirection protection and prevention, rejection of external traffic, and a high entry-barrier to device addition to the network. The host protection and security includes secure host initialization, disabling unneeded components, download verification, disabling of unused IP ports, discarding traffic, strong passwords, dynamic one-time passwords for remote login, disabling default accounts, and appropriate “least-level” device privileges. Audit requirements include integrity protection of audit logs, appropriate definition of auditable events, auditing of anomalous behavior, chain of evidence preservation, shutdown if audit disabled, full log entry audit, personal ID and time access audit trail, and auditing of internal user actions.

A method for managing a packet in a communication system between two or more endpoints, a sender and one or more recipients, comprises receiving a first packet comprising a source identifier that uniquely identifies a sender of the first packet and a current source time assigned to the first packet by the sender, determining a received time for the first packet, retrieving a cached source time assigned by the sender to a second packet that was received prior to receiving the first packet, and determining whether to discard or process the first packet based on the current source time, the received time, and the cached source time. The current source time, the received time, and the cached time, in addition to predetermined parameters such as a maximum age and an anti-replay window allows a recipient to determine whether to process or discard a packet.

Through AK context is buffered on mobile terminal, and authenticator, when moving to different base stations, mobile terminal can store AK context within its lifetime. At the same time, when moving back to the base station, which obtained and buffered the AK context effective till now, mobile terminal can continues using the AK context (mainly, packet sequence number of anti replay attack of up/down going link message) without need of authenticating again. The invention also raises efficiency of switching and moving system greatly, improves seamless communication performance between different sectors provided by system.

The invention discloses a TPM-based multi-instance dynamic remote attestation method which belongs to the field of information security technology. The method comprises the steps as follows: a) an RAI instance is started: the TPM measures the RAI instance and issues an initial attestation certificate for the RAI instance; the remote relying party of the RAI instance obtains and authenticates the initial attestation certificate, if the authentication is passed, the link between the RAI instance and the remote relying party of the RAI instance is established; b) if the component of the RAI instance is updated, the TPM re-measures the RAI instance and issues an updating attestation certificate; the remote relying party of the RAI instance obtains and authenticates the updating attestation certificate; if the authentication is passed, the link is maintained; and c) the step b) is repeated until the RAI instance is closed and the link is disconnected; meanwhile, all the attestation steps of a plurality of RAI instances intersperse with each other for forming a TPM attestation chain. Compared with the remote attestation methods of other trusted computing platforms, the method is characterized by the dynamic attestation of platform status, the concurrent attestations of multiple network programs, and anti-replay attack, etc.

A system for facilitating distribution of authentication information for a network of devices to be authenticated is provided. The system comprises: an authentication module configured to obtain an identity-proofing confidence score, based on data about identity-proofing of a user obtained from an authentication service system, wherein the data about identity-proofing comprises a type of identity document of the user and a presentation method used for verifying the user's identity by the authentication service system; and an insurance module in communication with the authentication module, configured to generate a plurality of security levels for the user, wherein each of the plurality of security levels is generated based on the identity-proofing confidence score and a credential authentication confidence score that is (1) obtained with aid of at least one device from the network of devices, and (2) determined based on a credential to be used for a transaction and a presence of an anti-replay feature about the at least one device, wherein a display is configured to show a plurality of coverage plans associated with the plurality of security levels to the user for selection, such that the authentication service system performed credential authentication according to a selected coverage plan.

The invention relates to the technical field of voiceprint recognition and provides an audio data recognition method which comprises the following steps: acquiring audio data input by a user; cuttinga data segment of a preset length from the audio data; converting the data segment into voiceprint characteristics; on the basis of a preset GRU (Gated Recurrent Unit) neural network recognition model, recognizing the voiceprint characteristics, and confirming that the voiceprint characteristics belong to real human voice or replayed recorded voice. By adopting the method provided by the invention, real human voice or replayed recorded voice can be accurately recognized, anti-replay recognition on audio data input by a user can be achieved, and hostile attack can be prevented. In addition, theinvention further provides a human voice anti-replay recognition system.

The invention relates to a credible inter-domain rapid authentication method on the basis of a separation mechanism network for solving the problem of rapid authentication when a terminal in the separation mechanism network is subjected to inter-domain switching. In the method, a novel protocol is provided for realizing the rapid authentication when the terminal is subjected to inter-domain switching; and when the identity of a user is authenticated, the identity authentication of a terminal platform and the integrity check of the terminal platform are realized. In the method, when the terminal is subjected to inter-domain switching, an authentication center of a home domain does not need to participate again and an authentication center of a local domain can authenticate the mobile terminal by a Ticket. The method can resist the anti-replay attack, so that the credibility, safety, anonymity, anonymity of the identity of the user and untraceability of the identity of the user of the platform are ensured.

Methods and apparatus are provided for improving message-based security in a Fibre Channel network. More specifically, the present invention relates to methods and apparatus for providing confidentiality for Fibre Channel control messages encapsulated within Common Transport Information Units. Control messages transported with the Fibre Channel Common Transport protocol, and passed between Fibre Channel network entities, can be encrypted providing confidentiality combined with data origin authentication, integrity and anti-replay protection provided by existing Fibre Channel security mechanisms.

The invention aims to provide an IEC62351 (International Electrotechnical Commission 62351)-based process layer safety test system which effectively verifies whether process layer network equipment has tamper-proof and anti-replay safety functions. The system consists of the following modules: a human-computer interface UI (User Interface), a message editing module, a storage module, an SCD (namely substation configuration description) analysis module and a communication module. The invention also provides an IEC62351 (International Electrotechnical Commission 62351)-based process layer safety test method. By using the system and the method, an IEC62351 specification-based process layer message can be edited. The EC62351 specification-based process layer message is edited according to the principle that the message check and signature algorithm is increased based on the EC62351 specification-based process layer message, so the message meets the EC62351 specification. Any field of the edited EC62351 specification-based message can be modified. Thus the message tamper attack and message replay attack to to-be-tested equipment can be simulated to verify whether the to-be-tested equipment has defense capacity.

The method includes steps: maintaining mutual independent up and down going aerial port message sequence number (UDAPMSN) for each candidate target base station and service station respectively is setup on mobile terminal to be switched; maintaining UDAPMSN corresponding to the mobile terminal is setup on candidate target base station and service station respectively; after finishing switching, mobile station and final selected base station adjusts obtained each current UDAPMSN based on saved UDAPMSN. The invention guarantees that when mobile terminal has switched, new base station (i.e. target base station) can determine corresponding UDAPMSN correctly. Based on the sequence number, the invention implements anti replay attack process so as to raise reliability of wireless communication.