80 results about "Anti-replay" patented technology

A method and apparatus for updating an anti-replay window in Internet Protocol Security (IPSec). The method includes determining whether a difference between a sequence number extracted from a received packet and a maximum value of a sequence number of an anti-replay window is greater than a predetermined value; if it is determined that the difference is greater than the predetermined value, creating a first bit map based on a size of the anti-replay window and a second bit map based on the sequence number extracted from the received packet, respectively; comparing the number of bit values in the first bit map of packets received during a predetermined time with the number of bit values in the second bit map of packets received during the predetermined time, and updating the anti-replay window.

A method of routing data over an Internet Protocol security (IPSec) network, the method comprising: receiving packets for transmission over the IPSec network, controlling the order of processing of the packets, determining whether each packet requires security features, feeding of the packets to a post-queue line interface module according to the order of processing the packets and allocating a sequence number to each packet in the order of feeding of packets to the post-queue line interface module. A packet requiring security features are provided with such features, which may be AH or ESP protocol, before it is transmitted over the Internet Protocol security network. As the queueing of the packet is done before the packet is provided with security features, the quality of service of the IPSec network is improved with the packets being received at the anti-replay window according to the order of the allocated sequence numbers.

A mechanism for providing strong anti-replay protection at a security gateway in a network for protection against an attacker duplicating encrypted packets. The mechanism assigns a unique sequence number to each encrypted packet and a time stamp. A receiving security gateway rejects packets that have a duplicative sequence number or that is too old to protect itself against replay attacks. Each security gateway checks off the sequence numbers as they are received knowing that the sending security gateway assigns sequence numbers in an increasing order. The receiving security gateway remembers the value of the highest sequence number that it has already seen as well as up to N additional sequence numbers. Any packet with a duplicative sequence number is discarded. In addition to the sequence number, each packet also has an associated time stamp that corresponds to an epoch during which it should be received. If the packet is received after the epoch has expired, the packet is rejected.

The invention provides an anti-replay-attack system for an industrial wireless network, which introduces a third-party detection mechanism in order to reduce system resource consumption. The industrial wireless network comprises a gateway, a router, field equipment and network security manager. The anti-replay-attack system for the industrial wireless network comprises a third-party detection module used for detecting whether intrusion data packets and replay attack data packets exist in the industrial wireless network or not and sending detection results to the network security manager, and the network security manager compares the system resource consumption caused by replay attacks with resource consumption brought by using an anti-replay-attack means to determine whether the anti-replay-attack means is used, thereby effectively preventing the anti-replay-attack means from bringing more system resource consumption than the replay attacks, and two time stamps of creation time and sending time are added in the data packet by a sender, so that the certainty and uniqueness of messages can be ensured; a receiver detection mechanism is adopted, and the data packets of the replay attacks are judged and discarded by a receiver so as to solve the problems of ID authentication and the like.

The invention discloses a message anti-replay method, a message anti-replay device and a network device which are based on IPSec (internet protocol security). The method includes: comparing a serial number of an IPSec message with a preset serial number range corresponding to a sliding window in a receiving window, and filtering the replay message by means of cyclic shift of the sliding window in the receiving window according to a comparison result. Sliding shift of the sliding window can be achieved only by cyclic shift of the sliding window in the receiving window, and the replay message can be filtered by means of cyclic shift of the sliding window, so that processing complexity of shift of the sliding window can be lowered, system overhead is reduced, and processing efficiency is improved. Therefore, the problems of processing complexity and low processing efficiency due to the fact that message anti-replay processing is performed by shifting the sliding window by means of sequential shift in the prior art are solved.

Described embodiments provide a network processor that includes a security protocol processor to prevent replay attacks on the network processor. A memory stores security associations for anti-replay operations. A pre-fetch module retrieves an anti-replay window corresponding to a data stream of the network processor. The anti-replay window has a range of sequence numbers. When the network processor receives a data packet, the security hardware accelerator determines a value of the received sequence number with respect to minimum and maximum values of a sequence number range of the anti-replay window. Depending on the value, the data packet is either received or accepted. The anti-replay window might be updated to reflect the receipt of the most recent data packet.

Described embodiments provide a network processor that includes a security sub-processor to prevent replay attacks on the network processor. A memory stores an anti-replay window corresponding to a data stream of the network processor. The anti-replay window has N bits initialized to correspond to data packet sequence numbers in the range 1 to N. The anti-replay memory is stored in a plurality of data words. A plurality of flip-flops store word valid bits corresponding to each of the data words. A multiplexer selects the word valid bit corresponding to a data word requested by the security processor, and an AND gate performs a bitwise AND operation between the selected data word and word valid bit. When the network processor receives a data packet, the security sub-processor determines a value of the received sequence number with respect to minimum and maximum values of a sequence number range of the anti-replay window.

A live non-volatile (NV) replay technique enables a partner node to efficiently takeover a failed node of a high-availability pair in a multi-node storage cluster by dynamically replaying operations synchronously logged in a non-volatile random access memory (NVRAM) of the partner node, while also providing high performance during normal operation. Dynamic live replay may be effected through interpretation of metadata describing the logged operations. The metadata may specify a location and type of each logged operation within a partner portion of the NVRAM, as well as any dependency among the logged operation and any other logged operations that would impose an ordering constraint. During normal operation, the partner node may consult the metadata to identify dependent logged operations and dynamically replay those operations to satisfy one or more requests. Upon failure of the node, the partner node may replay, in parallel, those logged operations having no imposed ordering constraint, thereby reducing time needed to complete takeover of the failed node.

The embodiment of the invention discloses an anti-replay attack method, a sending end, a receiving end, a corresponding computer device and a program product. The method disclosed by the embodiment ofthe invention comprises the following steps: when the sending end needs to send target information to the receiving end, the sending end uses anti-replay information and the target information as plaintext information, wherein the anti-replay information is applied to anti-replay attack verification; the sending end performs digital signature on the plaintext information to obtain corresponding signature information; and the sending end sends the plaintext information and the signature information to the receiving end, so that the receiving end performs signature verification on the plaintextinformation according to the signature information, and after the signature verification is passed, the receiving end performs anti-replay attack verification on the target information according to the anti-replay information.

The invention discloses a method and equipment for updating an anti-replay parameter during master and slave switching. During master and slave switching, new master equipment sets IPSec SA to be invalid, acquires an anti-replay window and an anti-replay sequence number from opposite-end equipment of an IPSec tunnel to update the anti-replay window and the anti-replay sequence number of the IPSec SA per se, and sets the corresponding IPSec SA to be valid after the update is finished to process data so that the new master equipment can acquire the real and reliable anti-replay window and anti-replay sequence number and the security of data transmission is ensured.

The gaming network described herein includes network security features, host security features, audit protocols, and design architecture approaches to reduce the possibility of network attacks. The gaming network provides for traffic confidentiality, encryption, message authentication, secure authentication mechanisms, anti-replay protection of traffic, key management mechanisms, robust network availability, misrouting and redirection protection and prevention, rejection of external traffic, and a high entry-barrier to device addition to the network. The host protection and security includes secure host initialization, disabling unneeded components, download verification, disabling of unused IP ports, discarding traffic, strong passwords, dynamic one-time passwords for remote login, disabling default accounts, and appropriate “least-level” device privileges. Audit requirements include integrity protection of audit logs, appropriate definition of auditable events, auditing of anomalous behavior, chain of evidence preservation, shutdown if audit disabled, full log entry audit, personal ID and time access audit trail, and auditing of internal user actions.

Through AK context is buffered on mobile terminal, and authenticator, when moving to different base stations, mobile terminal can store AK context within its lifetime. At the same time, when moving back to the base station, which obtained and buffered the AK context effective till now, mobile terminal can continues using the AK context (mainly, packet sequence number of anti replay attack of up/down going link message) without need of authenticating again. The invention also raises efficiency of switching and moving system greatly, improves seamless communication performance between different sectors provided by system.

The invention discloses a TPM-based multi-instance dynamic remote attestation method which belongs to the field of information security technology. The method comprises the steps as follows: a) an RAI instance is started: the TPM measures the RAI instance and issues an initial attestation certificate for the RAI instance; the remote relying party of the RAI instance obtains and authenticates the initial attestation certificate, if the authentication is passed, the link between the RAI instance and the remote relying party of the RAI instance is established; b) if the component of the RAI instance is updated, the TPM re-measures the RAI instance and issues an updating attestation certificate; the remote relying party of the RAI instance obtains and authenticates the updating attestation certificate; if the authentication is passed, the link is maintained; and c) the step b) is repeated until the RAI instance is closed and the link is disconnected; meanwhile, all the attestation steps of a plurality of RAI instances intersperse with each other for forming a TPM attestation chain. Compared with the remote attestation methods of other trusted computing platforms, the method is characterized by the dynamic attestation of platform status, the concurrent attestations of multiple network programs, and anti-replay attack, etc.

A system for facilitating distribution of authentication information for a network of devices to be authenticated is provided. The system comprises: an authentication module configured to obtain an identity-proofing confidence score, based on data about identity-proofing of a user obtained from an authentication service system, wherein the data about identity-proofing comprises a type of identity document of the user and a presentation method used for verifying the user's identity by the authentication service system; and an insurance module in communication with the authentication module, configured to generate a plurality of security levels for the user, wherein each of the plurality of security levels is generated based on the identity-proofing confidence score and a credential authentication confidence score that is (1) obtained with aid of at least one device from the network of devices, and (2) determined based on a credential to be used for a transaction and a presence of an anti-replay feature about the at least one device, wherein a display is configured to show a plurality of coverage plans associated with the plurality of security levels to the user for selection, such that the authentication service system performed credential authentication according to a selected coverage plan.

The invention relates to the technical field of voiceprint recognition and provides an audio data recognition method which comprises the following steps: acquiring audio data input by a user; cuttinga data segment of a preset length from the audio data; converting the data segment into voiceprint characteristics; on the basis of a preset GRU (Gated Recurrent Unit) neural network recognition model, recognizing the voiceprint characteristics, and confirming that the voiceprint characteristics belong to real human voice or replayed recorded voice. By adopting the method provided by the invention, real human voice or replayed recorded voice can be accurately recognized, anti-replay recognition on audio data input by a user can be achieved, and hostile attack can be prevented. In addition, theinvention further provides a human voice anti-replay recognition system.

Methods and apparatus are provided for improving message-based security in a Fibre Channel network. More specifically, the present invention relates to methods and apparatus for providing confidentiality for Fibre Channel control messages encapsulated within Common Transport Information Units. Control messages transported with the Fibre Channel Common Transport protocol, and passed between Fibre Channel network entities, can be encrypted providing confidentiality combined with data origin authentication, integrity and anti-replay protection provided by existing Fibre Channel security mechanisms.

The invention aims to provide an IEC62351 (International Electrotechnical Commission 62351)-based process layer safety test system which effectively verifies whether process layer network equipment has tamper-proof and anti-replay safety functions. The system consists of the following modules: a human-computer interface UI (User Interface), a message editing module, a storage module, an SCD (namely substation configuration description) analysis module and a communication module. The invention also provides an IEC62351 (International Electrotechnical Commission 62351)-based process layer safety test method. By using the system and the method, an IEC62351 specification-based process layer message can be edited. The EC62351 specification-based process layer message is edited according to the principle that the message check and signature algorithm is increased based on the EC62351 specification-based process layer message, so the message meets the EC62351 specification. Any field of the edited EC62351 specification-based message can be modified. Thus the message tamper attack and message replay attack to to-be-tested equipment can be simulated to verify whether the to-be-tested equipment has defense capacity.

The method includes steps: maintaining mutual independent up and down going aerial port message sequence number (UDAPMSN) for each candidate target base station and service station respectively is setup on mobile terminal to be switched; maintaining UDAPMSN corresponding to the mobile terminal is setup on candidate target base station and service station respectively; after finishing switching, mobile station and final selected base station adjusts obtained each current UDAPMSN based on saved UDAPMSN. The invention guarantees that when mobile terminal has switched, new base station (i.e. target base station) can determine corresponding UDAPMSN correctly. Based on the sequence number, the invention implements anti replay attack process so as to raise reliability of wireless communication.