Patent application number | Description | Published |
| --- | --- | --- |
20100165839 | ANTI-REPLAY METHOD FOR UNICAST AND MULTICAST IPSEC - A method for managing a packet in a communication system between two or more endpoints, a sender and one or more recipients, comprises receiving a first packet comprising a source identifier that uniquely identifies a sender of the first packet and a current source time assigned to the first packet by the sender, determining a received time for the first packet, retrieving a cached source time assigned by the sender to a second packet that was received prior to receiving the first packet, and determining whether to discard or process the first packet based on the current source time, the received time, and the cached source time. The current source time, the received time, and the cached source time, in addition to predetermined parameters such as a maximum age and an anti-replay window, allow a recipient to determine whether to process or discard a packet. | 07-01-2010 |
20110026714 | METHODS AND DEVICE FOR SECURE TRANSFER OF SYMMETRIC ENCRYPTION KEYS - A sending device generates a first and a second KMM, wherein the first KMM includes a first KEK and a KMM encryption key, and the second KMM includes a set of symmetric encryption keys. The sending device further encrypts the set of symmetric encryption keys using the first KEK; encrypts the first KEK and the KMM encryption key using a first public key of a receiving device; and encrypts the second KMM using the KMM encryption key to generate an encrypted second KMM before sending the first KMM and the encrypted second KMM to the receiving device. The receiving device decrypts the first KEK and the KMM encryption key using a first private key that corresponds to the first public key; and decrypts the encrypted second KMM using the KMM encryption key to obtain the encrypted set of symmetric keys. | 02-03-2011 |
20120036363 | METHOD FOR KEY IDENTIFICATION USING AN INTERNET SECURITY ASSOCIATION AND KEY MANAGEMENT BASED PROTOCOL - An initiating device: generates a message having an ISAKMP-based header that includes a security parameter index (SPI) field; identifies a key in the SPI field of the ISAKMP-based header; and sends the message to a responding device. The responding device: receives the message; extracts the key identifier; and when a shared key is selected using the key identifier, uses the selected shared key to establish, with the initiating device, a session having a secure tunnel. | 02-09-2012 |
20120036567 | METHODS FOR ESTABLISHING A SECURITY SESSION IN A COMMUNICATIONS SYSTEM - A security gateway and an initiating device perform methods for establishing a security session. The methods include the security gateway: receiving a first message from an initiating device, the first message including a first message authentication code; validating the first message using the message authentication code; and responsive to the validating, sending a second message to the initiating device, the second message including a timestamp and further including a second message authentication code for authentication of the timestamp by the initiating device, wherein the first and second messages are used to establish the security session, and the authenticated timestamp is used for subsequent replay protection of messages between the security gateway and the initiating device. The methods further include the security gateway validating a dynamically assigned IP address for the initiating device to use in authorizing VPN traffic between the two devices. | 02-09-2012 |
20120170743 | METHODS FOR ESTABLISHING A SECURE POINT-TO-POINT CALL ON A TRUNKED NETWORK - Methods for establishing secure point-to-point communications in a trunked radio system include receiving, at a trunking controller, a request from a source endpoint for a traffic channel for confidential communications between the source endpoint and a destination endpoint using a shared unique first symmetric key. The trunking controller provides keying material related to the symmetric key over the secured control channel to at least one of the source or destination endpoints and, in response to the request, assigns a traffic channel. The keying material enables the unique first symmetric key to be securely established between the source and destination endpoints. | 07-05-2012 |
20120183143 | METHOD FOR A COMMUNICATION DEVICE TO OPERATE WITH MULTIPLE KEY MANAGEMENT FACILITIES - A method for operating with KMFs includes a communication device having a memory device: receiving a designation of a primary KMF for the communication device, wherein only one primary KMF is designated for the communication device at any given time instance; receiving a designation of a secondary KMF for the communication device; storing, within the memory device, a first and a second set of crypto groups, wherein each crypto group within each set of crypto groups comprises at least one keyset, wherein each set of crypto groups is associated, within the memory device, to only one KMF identifier; associating, within the memory device, the first set of crypto groups to an identifier for the primary KMF; and associating, within the memory device, the second set of crypto groups to an identifier for the secondary KMF. | 07-19-2012 |
20130072155 | METHOD AND APPARATUS FOR AUTHENTICATING A DIGITAL CERTIFICATE STATUS AND AUTHORIZATION CREDENTIALS - A radio is authenticated at the site and unique authentication information for the radio is stored at the site. A subsequent non-authentication message from the radio is received at the site and authentication information in the non-authentication message is identified. The unique authentication information stored at the site is compared with the authentication information identified in the non-authentication message. If there is a match, the non-authentication message is authenticated with an authentication code included in the non-authentication message, wherein a predefined portion of the authentication code is obtained from at least one of a header portion or a data portion of the non-authentication message. Upon successfully completing authentication, the site repeats the non-authentication message towards the destination radios indicated in the non-authentication message. | 03-21-2013 |
20130142335 | METHOD AND DEVICE FOR LINK LAYER DECRYPTING AND/OR ENCRYPTING A VOICE MESSAGE STREAM ALREADY SUPPORTING END TO END ENCRYPTION - Methods and systems for LLE encrypting and decrypting voice message streams (VMSs) already supporting eTe encryption are disclosed. In one example, LLE and eTe encryption initialization vectors (EIVs) are interleaved such that an LLE EIV retrieved from one of a header and a data unit is used to LLE decrypt both the header or data unit and a subsequent data unit. A recovered eTe EIV is used to eTe decrypt voice payloads in one or more subsequent data units. In another example, a base station dynamically LLE encrypts a VMS already supporting eTe encryption by determining whether a received VMS is eTe encrypted, and if it is not, generating a new LLE EIV, and if it is, re-using the pre-existing eTe EIV for LLE encryption. The LLE encrypted (and perhaps eTe encrypted) VMS is then sent over the air to one or more mobile stations. | 06-06-2013 |
20130223622 | METHOD AND DEVICE FOR REKEYING IN A RADIO NETWORK LINK LAYER ENCRYPTION SYSTEM - Disclosed is a method of rekeying radios for link layer encryption (LLE) in a radio network using a bifurcated crypto period. During a first portion of a first LLE crypto period during which a first LLE key (LEK) is used to LLE encrypt communications between a base station and mobile stations operating within a corresponding coverage area of the base station, a radio network communications device prevents individual ones of the mobile stations from requesting a second LEK to be used during a second LLE crypto period after the first LLE crypto period. During a second portion of the first LLE crypto period, the radio network communications device allows individual ones of the mobile stations to request the second LEK. A mobile station configured to operate in accordance with the bifurcated crypto period, and provide information regarding keys in its possession via an authentication response ISP, is also disclosed. | 08-29-2013 |
20130227294 | COMMUNICATION PROTOCOL FOR SECURE COMMUNICATIONS SYSTEMS - A method and apparatus for authenticating a key management message within a secure communication system is provided herein. During operation, a digital signature for message authentication of a Project 25 Key Management Message (KMM) is utilized. In particular, the digital signature will be used to authenticate the KMM in scenarios where there is no Message Authentication Code (MAC). The MAC will be utilized to authenticate the KMM when available. Because authentication of KMMs takes place even when no MAC is available, it becomes increasingly more difficult to tamper with or spoof the delivery of encryption keys. | 08-29-2013 |
20130236014 | COMMUNICATION PROTOCOL FOR SECURE COMMUNICATIONS SYSTEMS - A method and apparatus for transmitting encryption keys in a secure communication system is provided herein. During rekeying of a device, a key encryption key (KEK) is utilized to wrap (encrypt) the traffic encryption key (TEK) when the KEK is available to the device. If unavailable, the TEK will be wrapped using public key encryption with the recipient device's public key. The receiving device will then be able to unwrap the TEK using public key decryption with its own private key. Because TEKs are always transmitted in a secure manner, secure and efficient rekeying of devices on foreign networks can occur. | 09-12-2013 |
20130243195 | METHOD AND DEVICE FOR MANAGING ENCRYPTED GROUP REKEYING IN A RADIO NETWORK LINK LAYER ENCRYPTION SYSTEM - Disclosed is a radio system, method, and device for a mobile station to indicate to an authentication controller, in an authentication response message, which of a plurality of group key link layer encryption keys (GKEKs) it currently has in its possession, and to work with the authentication controller to more intelligently manage multiple GKEKs. The authentication controller can use the information obtained from the authentication response message to determine which of a plurality of GKEKs to advertise in a key announcement broadcast. Furthermore, individual requests for a future LLE key (LEK) to be used for link layer encryption (LLE) encrypting and decrypting inbound and outbound group communications between base station(s) and mobile station(s) are responded to with a broadcast GKEK-encrypted transmission including the future LEK. Only the requesting mobile station transmits an acknowledgment packet in response to the broadcast. | 09-19-2013 |
20140198916 | METHOD AND DEVICE FOR MANAGING ENCRYPTED GROUP REKEYING IN A RADIO NETWORK LINK LAYER ENCRYPTION SYSTEM - Disclosed is a radio system, method, and device for a mobile station to indicate to an authentication controller, in an authentication response message, which of a plurality of group key link layer encryption keys (GKEKs) it currently has in its possession, and to work with the authentication controller to more intelligently manage multiple GKEKs. The authentication controller can use the information obtained from the authentication response message to determine which of a plurality of GKEKs to advertise in a key announcement broadcast. Furthermore, individual requests for a future LLE key (LEK) to be used for link layer encryption (LLE) encrypting and decrypting inbound and outbound group communications between base station(s) and mobile station(s) are responded to with a broadcast GKEK-encrypted transmission including the future LEK. Only the requesting mobile station transmits an acknowledgment packet in response to the broadcast. | 07-17-2014 |
20150043539 | CONCURRENT VOICE AND DATA SERVICE ON A SAME DIGITAL RADIO CHANNEL - A method, a subscriber unit, and a system provide concurrent voice and data systems and methods that “steal bits” from voice frames for low-speed concurrent data. In this manner, concurrent voice and data is supported over protocols that require voice-only in current operation such as Project 25 (P25). The stealing of bits from voice is done in a manner that is transparent and not noticeable to users. The systems and methods enable replication of signaling on the downlink and wireline segments that is replaced on the uplink, encoding of interleaving blocks that extend across multiple Layer 2 voice logical data units (LDUs), flexibility in replacing voice data in LDUs, indication of the availability of the service and an interleaving schedule, notification of upcoming stealing events via signaling, and the like. | 02-12-2015 |