US-12621139-B2 - MAC header protection with preexisting keys
Abstract
The technical solutions are directed to MAC address protection for frame integrity verification. A sender device can compute, using a temporal key (TK) programmed in hardware, a first key for a body of a frame and a second key for a header of the frame, different from the first key. The sender can encrypt the body of the frame at a machine access control (MAC) layer using the first key and the header of the frame at the MAC layer using the second key. The sender can compute a first MIC of the encrypted frame using the first key and a second MIC of a content of the header at the MAC layer using the second key. The sender can transmit the frame with the first MIC and the second MIC to a receiver configured to determine integrity of the header of the frame based on the second MIC.
Inventors
- Nehru Bhandaru
- Thomas Derham
- Wentong Chen
Assignees
- AVAGO TECHNOLOGIES INTERNATIONAL SALES PTE. LIMITED
Dates
- Publication Date: 2026-05-05
- Application Date: 2024-04-23
Claims (20)
- 1. A system, comprising: one or more processors coupled with memory to: compute, using a temporal key (TK) programmed in hardware, a first key for a body of a frame and a second key for a header of the frame, the second key different from the first key; encrypt the body of the frame at a machine access control (MAC) layer using the first key and the header of the frame at the MAC layer using the second key; compute a first message integrity code (MIC) of the encrypted frame using the first key and a second MIC of a content of the header of the frame at the MAC layer using the second key; and transmit the frame with the first MIC and the second MIC to a receiver, the receiver configured to determine integrity of the header of the frame based at least on the second MIC.
- 2. The system of claim 1, comprising the one or more processors to: generate a combined MIC from the first MIC and the second MIC; and transmit the combined MIC to the receiver to determine the integrity of the frame.
- 3. The system of claim 2, wherein the combined MIC is generated using a reversible operation applied to the first MIC and the second MIC, wherein the reversible operation comprises at least one of: a concatenation of the first MIC and the second MIC or a bitwise exclusive OR (XOR) computation applied to the first MIC and the second MIC.
- 4. The system of claim 2, wherein the combined MIC is generated using one of: a concatenation of the first MIC and the second MIC, or a bitwise exclusive OR (XOR) computation applied to the first MIC and the second MIC.
- 5. The system of claim 1, comprising the one or more processors to: compute the first key using at least one of a hash-based message authentication code (HMAC) operation or an advanced encryption standard (AES) encryption operation with a first input of the TK and a first fixed pattern; and compute the second key using the HMAC operation with a second input of the TK and a second fixed pattern.
- 6. The system of claim 5, wherein the first fixed pattern includes at least a portion of a content of the body of the frame and the second fixed pattern includes a packet number (PN) of the body of the frame, a type of the frame or a link address for a multi-link communication.
- 7. The system of claim 1, wherein the frame corresponds to a first network packet of a plurality of network packets, the first network packet including a first packet number in the header of the frame, the system comprising the one or more processors to: determine to resend the first network packet as a second network packet having a second packet number in a second header of a second frame of the second network packet, the second packet number different than the first packet number; and compute, using the TK, a first key for a second body of the second frame of the second network packet and a second key for the second header of the second frame, the first key of the first network packet different than the first key of the second network packet.
- 8. The system of claim 7, wherein the first key for the second body of the second frame of the second network packet is the same as the first key for the body of the frame of the first network packet, the system comprising the one or more processors to: identify one or more frames at the MAC layer to be encrypted for wireless communications; and encrypt the second frame of the second network packet at the MAC layer using the first key of the second body and the second key for the second header.
- 9. The system of claim 1, comprising the one or more processors to: determine, during an exchange over a wireless network between a device comprising the one or more processors and a receiver, a pairwise master key (PMK); and generate the temporal key (TK) using the PMK.
- 10. The system of claim 1, wherein the receiver is further configured to determine the integrity of the header based on a verification of integrity of the header using the second MIC prior to decrypting the frame.
- 11. The system of claim 1, comprising the one or more processors to: include the second MIC in the header of the frame; and transmit the frame with the second MIC included in the header of the frame.
- 12. The system of claim 1, comprising the one or more processors to compute at least one of the first key or the second key using an Advanced Encryption Standard (AES) algorithm and at least one of the first MIC or the second MIC using at least one of a Cipher Block Chaining-MAC Protocol (CCMP) or a Galois/Counter Mode Protocol (GCMP).
- 13. The system of claim 1, wherein the receiver is configured to verify the integrity of the header of the frame using the second MIC prior to processing the body of the frame.
- 14. A method for providing protection of a machine access control (MAC) header of a frame, the method comprising: identifying, by one or more processors, a temporal key (TK) programmed in hardware to encrypt frames at a machine access control (MAC) layer for wireless communications; computing, by the one or more processors using the TK, a first key for encrypting a body of a frame and a second key for encrypting a header of the frame, the second key different from the first key; identifying, by the one or more processors, one or more frames at the MAC layer to be encrypted for wireless communications; encrypting, by the one or more processors, the body of the one or more frames at the MAC layer using the first key and the header of the one or more frames at the MAC layer using the second key; computing, by the one or more processors, a message integrity code (MIC) using the second key; and transmitting, by the one or more processors, the MIC to a receiver, the receiver configured to determine integrity of the header of the frame based at least on the MIC.
- 15. The method of claim 14, comprising: computing, by the one or more processors, another MIC of the encrypted frame using the first key; and transmitting, by the one or more processors, the frame with the MIC and the other MIC to the receiver, the receiver configured to determine integrity of the header of the frame based at least on the MIC and integrity of the body of the frame based at least on the other MIC.
- 16. The method of claim 14, further comprising: computing, by the one or more processors, the first key using at least one of a hash-based message authentication code (HMAC) operation or an advanced encryption standard (AES) encryption with a first input of the TK and a first fixed pattern; and computing, by the one or more processors, the second key using the HMAC operation with a second input of the TK and a second fixed pattern, wherein the first fixed pattern includes at least a portion of a content of the body of the frame and the second fixed pattern includes a packet number (PN) of the body of the frame, a type of the frame or a link address for a multi-link communication.
- 17. The method of claim 14, wherein the frame corresponds to a first network packet of a plurality of network packets, the first network packet including a first packet number in the header of the frame, the method comprising: determining, by the one or more processors, to resend the first network packet as a second network packet having a second packet number in a second header of a second frame of the second network packet, the second packet number different than the first packet number; computing, by the one or more processors using the TK, the first key for a second body of the second frame of the second network packet and the second key for the second header of the second frame, the first key of the first network packet different than the first key of the second network packet, wherein the first key for the second body of the second frame of the second network packet is the same as the first key for the body of the frame of the first network packet; identifying, by the one or more processors, one or more frames at the MAC layer to be encrypted for wireless communications; and encrypting, by the one or more processors, the second frame of the second network packet at the MAC layer using the first key of the second body and the second key for the second header.
- 18. The method of claim 14, comprising: computing, by the one or more processors, the first key for the body using an advanced encryption standard (AES) operation with a first input of the TK and a first fixed pattern and computing the second key for the header of the frame using the same AES operation with a second input of the TK and a second fixed pattern; and computing, by the one or more processors, the second key for the header using the AES operation with a first input of the TK and a first fixed pattern and using the TK as the first key for the body of the frame.
- 19. The method of claim 14, comprising: generating an initialization vector (IV) for encryption based on a parameter of the frame; and using the IV to encrypt the body of the frame.
- 20. A system, comprising: one or more processors coupled with memory to: identify a temporal key (TK) programmed in hardware to encrypt frames at a machine access control (MAC) layer for wireless communications; compute, using the TK, a first key for encrypting a body of a frame and a second key for encrypting a header of the frame, the second key different from the first key; identify one or more frames at the MAC layer to be encrypted for wireless communications; encrypt the body of the one or more frames at the MAC layer using the first key and the header of the one or more frames at the MAC layer using the second key; compute a message integrity code (MIC) using the second key; and transmit the MIC to a receiver, the receiver configured to determine integrity of the header of the frame based at least on the MIC.
Description
CROSS-REFERENCE TO RELATED PATENT APPLICATIONS
This application claims the benefit of and priority to U.S. Provisional Application No. 63/601,438, filed Nov. 21, 2023, U.S. Provisional Application No. 63/558,838, filed Feb. 28, 2024, and U.S. Provisional Application No. 63/563,092, filed Mar. 8, 2024, all of which are incorporated herein by reference in their entirety.
TECHNICAL FIELD
This disclosure generally relates to systems and methods for network traffic protection, including, for example, protection of MAC headers.
BACKGROUND
When exchanging network communications, network devices can use Media Access Control (MAC) addresses to identify or distinguish the devices engaged in communication. In various network communications, devices use MAC addresses to route data to its intended destination.
SUMMARY
Technical solutions provided herein are directed to providing security and integrity for machine access control (MAC) headers in wireless communication frames. In wireless communications, the MAC header can be subject to tampering or unauthorized access by adversaries that intercept network packets and change MAC header data. The technical solutions use a hardware-programmed temporal key (TK) to derive separate keys for the body and the header of communication frames at the MAC layer, improving network packet integrity in a compute-efficient manner. For example, where wireless devices exchange sensitive information over a network, the MAC header data of intercepted network packets may be manipulated to gain unauthorized access to a system. The technical solutions provide compute-efficient and secure techniques to protect MAC headers using existing system and network infrastructure, thereby mitigating the risk of unauthorized access or data manipulation without added design complexity.
An aspect of the technical solutions is directed to a system. The system can include one or more processors coupled with memory.
The one or more processors can be configured to compute, using a temporal key (TK) programmed in hardware, a first key for a body of a frame and a second key for a header of the frame, the second key different from the first key. The one or more processors can be configured to encrypt the body of the frame at a machine access control (MAC) layer using the first key and the header of the frame at the MAC layer using the second key. The one or more processors can be configured to compute a first message integrity code (MIC) of the encrypted frame using the first key and a second MIC of a content of the header of the frame at the MAC layer using the second key. The one or more processors can be configured to transmit the frame with the first MIC and the second MIC to a receiver, the receiver configured to determine integrity of the header of the frame based at least on the second MIC. The one or more processors can be configured to generate a combined MIC from the first MIC and the second MIC. The one or more processors can be configured to transmit the combined MIC to the receiver to determine the integrity of the frame. The combined MIC can be generated using one of: a concatenation of the first MIC and the second MIC, a bitwise exclusive OR (XOR) computation applied to the first MIC and the second MIC, or any reversible computation applied to the first MIC and the second MIC. The one or more processors can be configured to compute the first key using a hash-based message authentication code (HMAC) operation with a first input of the TK and a first fixed pattern. The one or more processors can be configured to compute the second key using the HMAC operation with a second input of the TK and a second fixed pattern. The first fixed pattern can include a packet number (PN) of a network packet of the frame, and the second fixed pattern can include one or more characters of the body.
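A worked model of the scheme in claims 1, 3, 5, 10 and 13, written here as an added example and not code from the patent. It assumes the HMAC key-derivation option, uses an HMAC counter-mode keystream as a stand-in for the AES cipher the page names, builds the body-key pattern from the PN (as in the Summary) and the header-key pattern from PN, frame type and link address (as in claim 6) so the receiver can rebuild both keys from cleartext fields, fixes a 25-byte header layout and 8-byte MICs, and leaves header encryption out.

```python
import hmac
import hashlib

MIC_LEN = 8   # assumption: 64-bit truncated MICs, as in CCMP/GCMP
HDR_LEN = 25  # assumption: PN (6) + frame type (1) + link address (6) + two addresses (12)

def derive_key(tk, fixed_pattern):
    # HMAC(TK, fixed pattern) -> 128-bit subkey: the HMAC option of claim 5.
    return hmac.new(tk, fixed_pattern, hashlib.sha256).digest()[:16]

def frame_keys(tk, pn, frame_type, link_addr):
    # Both fixed patterns use only cleartext header fields, so the receiver can
    # rebuild the keys before decrypting anything; the two keys always differ.
    pn_b = pn.to_bytes(6, "big")
    body_key = derive_key(tk, b"BODY|" + pn_b)
    hdr_key = derive_key(tk, b"HDR|" + pn_b + bytes([frame_type]) + link_addr)
    return body_key, hdr_key

def keystream(key, pn, n):
    # HMAC counter-mode keystream: a stdlib stand-in for the AES cipher the page names.
    blocks = (hmac.new(key, pn.to_bytes(6, "big") + i.to_bytes(2, "big"),
                       hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def mic(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]

def protect(tk, pn, frame_type, link_addr, addrs, body):
    # Sender: body encrypted under the body key; first MIC over the encrypted
    # frame under the body key; second MIC over the header under the header key.
    body_key, hdr_key = frame_keys(tk, pn, frame_type, link_addr)
    hdr = pn.to_bytes(6, "big") + bytes([frame_type]) + link_addr + addrs
    ct = bytes(a ^ b for a, b in zip(body, keystream(body_key, pn, len(body))))
    mic1 = mic(body_key, hdr + ct)
    mic2 = mic(hdr_key, hdr)
    return hdr + ct + mic1 + mic2  # concatenation: the reversible combine of claim 3

def unprotect(tk, frame):
    # Receiver: verify the header MIC first (claims 10 and 13) and drop the frame
    # on failure without touching the body. Returns the plaintext body or None.
    hdr, ct = frame[:HDR_LEN], frame[HDR_LEN:-2 * MIC_LEN]
    mic1, mic2 = frame[-2 * MIC_LEN:-MIC_LEN], frame[-MIC_LEN:]
    pn = int.from_bytes(hdr[:6], "big")
    body_key, hdr_key = frame_keys(tk, pn, hdr[6], hdr[7:13])
    if not hmac.compare_digest(mic2, mic(hdr_key, hdr)):
        return None
    if not hmac.compare_digest(mic1, mic(body_key, hdr + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(body_key, pn, len(ct))))
```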
The encryption of the body of the frame at the MAC layer using the first key can be performed concurrently with the encryption of the header of the frame at the MAC layer using the second key. The frame can correspond to a first network packet of a plurality of network packets. The first network packet can include a first packet number in the header of the frame. The one or more processors can be configured to determine to resend the first network packet as a second network packet having a second packet number in a second header of a second frame of the second network packet. The second packet number can be different than the first packet number. The one or more processors can be configured to compute, using the TK, a first key for a second body of the second frame of the second network packet and a second key for the second header of the second frame. The first key of the first network packet can be different than the first key of the second network packet. The first key for the second body of the second frame of the second network packet can be the same as the first key for the body of the frame of the first