-
Publication number: US20210218717A1
Publication date: 2021-07-15
Application number: US16738722
Application date: 2020-01-09
Applicant: Cisco Technology, Inc.
Inventor: Craig Thomas Hill, Chennakesava Reddy Gaddam, Annu Singh, Gaurav Kumar
Abstract: A non-transitory computer readable medium including instructions stored thereon, when executed, the instructions being effective to cause at least one processor of a first network device to: derive a private key encryption key based on a public key, a first private key of the first network device, a second private key of a live peer device, and a Connectivity Association Key (CAK); transmit a secret key encrypted by the private key encryption key to the live peer device; and receive a communication from the live peer device, the communication being encrypted by the secret key.
-
Publication number: US11870762B2
Publication date: 2024-01-09
Application number: US17368902
Application date: 2021-07-07
Applicant: Cisco Technology Inc.
Inventor: Craig Thomas Hill, Aaron Christopher Warner, Michael William Bessette, Chennakesava Reddy Gaddam
CPC classification number: H04L63/061, H04L12/462, H04L63/0464, H04L63/162
Abstract: The present disclosure is directed to systems and methods for transparent Provider Backbone Bridge forwarding of MACsec key exchanges over public Ethernet provider backbones. The method includes the steps of receiving, at a first PBB device, an Ethernet frame from a first edge router for transmission to a second edge router via a MACsec connection, the Ethernet frame comprising a plurality of fields; performing a lookup of one or more fields of the plurality of fields to determine a match with one or more pre-defined values; determining that the one or more fields of the Ethernet frame match the one or more pre-defined values; rewriting the one or more fields of the Ethernet frame to one or more open values operable to allow the Ethernet frame to be transmitted to a next hop device; and transmitting the Ethernet frame to the next hop device.
-
Publication number: US20230008699A1
Publication date: 2023-01-12
Application number: US17368902
Application date: 2021-07-07
Applicant: Cisco Technology Inc.
Inventor: Craig Thomas Hill, Aaron Christopher Warner, Michael William Bessette, Chennakesava Reddy Gaddam
Abstract: The present disclosure is directed to systems and methods for transparent Provider Backbone Bridge forwarding of MACsec key exchanges over public Ethernet provider backbones. The method includes the steps of receiving, at a first PBB device, an Ethernet frame from a first edge router for transmission to a second edge router via a MACsec connection, the Ethernet frame comprising a plurality of fields; performing a lookup of one or more fields of the plurality of fields to determine a match with one or more pre-defined values; determining that the one or more fields of the Ethernet frame match the one or more pre-defined values; rewriting the one or more fields of the Ethernet frame to one or more open values operable to allow the Ethernet frame to be transmitted to a next hop device; and transmitting the Ethernet frame to the next hop device.
-
Publication number: US11212265B2
Publication date: 2021-12-28
Application number: US16738722
Application date: 2020-01-09
Applicant: Cisco Technology, Inc.
Inventor: Craig Thomas Hill, Chennakesava Reddy Gaddam, Annu Singh, Gaurav Kumar
Abstract: A non-transitory computer readable medium including instructions stored thereon, when executed, the instructions being effective to cause at least one processor of a first network device to: derive a private key encryption key based on a public key, a first private key of the first network device, a second private key of a live peer device, and a Connectivity Association Key (CAK); transmit a secret key encrypted by the private key encryption key to the live peer device; and receive a communication from the live peer device, the communication being encrypted by the secret key.
-
Publication number: US11909872B2
Publication date: 2024-02-20
Application number: US18054219
Application date: 2022-11-10
Applicant: Cisco Technology, Inc.
Inventor: Amjad Inamdar, Lionel Florit, Eric Voit, Sujal Sheth, Chennakesava Reddy Gaddam
CPC classification number: H04L9/0852, H04L9/0827, H04L9/0869, H04L9/304
Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK_ID from the peer to complete authentication of the peer. The PPK_ID is received from the peer, and the encrypted COMMON-SEED and PPK_ID are sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.
-
Publication number: US11757630B2
Publication date: 2023-09-12
Application number: US17377303
Application date: 2021-07-15
Applicant: Cisco Technology, Inc.
Inventor: Amjad Inamdar, Lionel Florit, Eric Voit, Sujal Sheth, Chennakesava Reddy Gaddam
CPC classification number: H04L9/0852, H04L9/0827, H04L9/0869, H04L9/304
Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK ID from the peer to complete authentication of the peer. The PPK ID is received from the peer, and the encrypted COMMON-SEED and PPK ID are sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.
-
Publication number: US20230071333A1
Publication date: 2023-03-09
Application number: US18054219
Application date: 2022-11-10
Applicant: Cisco Technology, Inc.
Inventor: Amjad Inamdar, Lionel Florit, Eric Voit, Sujal Sheth, Chennakesava Reddy Gaddam
Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK_ID from the peer to complete authentication of the peer. The PPK_ID is received from the peer, and the encrypted COMMON-SEED and PPK_ID are sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.
-
Publication number: US20220345300A1
Publication date: 2022-10-27
Application number: US17377303
Application date: 2021-07-15
Applicant: Cisco Technology, Inc.
Inventor: Amjad Inamdar, Lionel Florit, Eric Voit, Sujal Sheth, Chennakesava Reddy Gaddam
Abstract: A method is provided for quantum-resistant secure key distribution between a peer and an Extensible Authentication Protocol (EAP) authenticator by using an authentication server. The method may include receiving requests for a COMMON-SEED and a McEliece public key from a peer and an EAP authenticator by an authentication server using an EAP method, encrypting the COMMON-SEED using the McEliece public key of the peer and the McEliece public key of the EAP authenticator by the authentication server, and sending the encrypted COMMON-SEED from the authentication server to the peer along with a request for a PPK_ID from the peer using the EAP method to complete authentication of the peer. The method may also include receiving the PPK_ID from the peer using the EAP method, where the PPK_ID is from a key pair consisting of PPK_ID and PPK obtained from a first SKS server in electrical communication with the peer based upon the encrypted COMMON-SEED. The method may also include sending the encrypted COMMON-SEED and PPK_ID from the authentication server to the EAP authenticator, and establishing a quantum-resistant secure channel between the peer and the EAP authenticator, where a message of EAP success is delivered from the EAP authenticator to the peer when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.
-
Publication number: US20240333706A1
Publication date: 2024-10-03
Application number: US18127372
Application date: 2023-03-28
Applicant: Cisco Technology, Inc.
Inventor: Jabir Hamediya Mohammed, Bazil Mohammed Ali, Reda Haddad, Chennakesava Reddy Gaddam, Nishad C M
IPC: H04L9/40
CPC classification number: H04L63/0823, H04L63/102
Abstract: Techniques and architecture are described for verifying real-time ownership of network devices, e.g., routers, switches, etc. The real-time ownership of network devices is verified using the ownership voucher/ownership certificate model, which is useful for device security and protocol security. The techniques and architecture are leveraged on various bases such as, for example, routing, attestation, protocols, management protocols, etc., where a user may enforce the ownership check before making any connection of a network device or even managing the respective network device after it is securely booted.
-
Publication number: US11381391B2
Publication date: 2022-07-05
Application number: US16902081
Application date: 2020-06-15
Applicant: Cisco Technology, Inc.
Inventor: Lionel Florit, Chennakesava Reddy Gaddam, Annu Singh, Gaurav Kumar, Shwetha Subray Bhandari
Abstract: A first computing node configures for communication with a second computing node according to a secure Media Access Control (MAC) layer communication protocol. The first computing node transmits a first message to the second computing node. The first message includes at least a first indication that the first computing node is capable of communicating according to the secure MAC layer communication protocol based on a pre-shared secret key. The first computing node determines to communicate with the second computing node according to the secure MAC layer communication protocol based on one of a pre-shared secret key or a distributed shared key. The first computing node, at least in part based on the determining, transmits a second message to the second computing node according to the secure MAC layer communication protocol based on the one of the pre-shared secret key or the distributed shared key.