David Bryon Mcgrew

US Patent:

7095850, Aug 22, 2006

Filed:

Oct 17, 2001

Appl. No.:

09/982375

Inventors:

David McGrew - Poolesville MD, US

Assignee:

Cisco Technology, Inc. - San Jose CA

International Classification:

H04L 9/00

US Classification:

380 42, 380 37, 380 43, 380 44, 380 45, 380 46, 380 47

Abstract:

An encryption method and apparatus that provides forward secrecy, by updating the key using a one-way function after each encryption. By providing forward secrecy within a cipher, rather than through a key management system, forward secrecy may be added to cryptographic systems and protocols by using the cipher within an existing framework. A random-access key updating method can efficiently generate one or more future keys in any order. Embodiments are applicable to forward secret ciphers that are used to protect protocols with unreliable transport, to ciphers that are used in multicast or other group settings, and to protection of packets using the IPSec protocols.

US Patent:

7139679, Nov 21, 2006

Filed:

Jun 27, 2002

Appl. No.:

10/185159

Inventors:

David McGrew - Poolesville MD, US

Assignee:

Cisco Technology, Inc. - San Jose CA

International Classification:

G06F 15/00

US Classification:

702186, 709227

Abstract:

A method and apparatus for protecting, from denial of service attacks, a device that provides particular services that consume substantial computational resources. A data packet is received that includes data for the particular services and a cryptographic tag. It is determined whether the data packet is legitimate based on the cryptographic tag without using the data for the particular services. If it is determined that the data packet is not legitimate, then the data is diverted from input to the particular services that process the data. These techniques use the cryptographic tag to provide strong data origin authentication without the heavy computational costs associated with providing full data integrity authentication in typical cryptographic services. Further, denial of service protection is conveniently implemented as a cryptographic service.

US Patent:

7290281, Oct 30, 2007

Filed:

Aug 8, 2002

Appl. No.:

10/215544

Inventors:

David McGrew - Poolesville MD, US

Assignee:

Cisco Technology, Inc. - San Jose CA

International Classification:

G06F 21/00

US Classification:

726 23, 726 13, 713160

Abstract:

A method and apparatus for protecting, from denial of service attacks, a device that provides particular services that consume substantial computational resources. A data packet includes data for the particular services and a cryptographic tag. It is determined whether the data packet is legitimate based on the cryptographic tag and a size of the data for the particular services without otherwise using the data for the particular services. If the data packet is not legitimate, then the data is diverted from input to the particular services that process the data. These techniques use the cryptographic tag to provide strong data origin authentication without the heavy computational costs associated with providing full data integrity authentication in typical cryptographic services. Further, denial of service protection is conveniently implemented as a cryptographic service.

US Patent:

7350227, Mar 25, 2008

Filed:

Apr 26, 2005

Appl. No.:

11/115542

Inventors:

David A. McGrew - Poolesville MD, US
Melinda L. Shore - Ithaca NY, US

Assignee:

Cisco Technology, Inc. - San Jose CA

International Classification:

H04L 9/00
G06F 17/00
G06F 15/16
H04K 1/00
G06F 9/00

US Classification:

726 1, 726 12, 713153, 713168

Abstract:

A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.

US Patent:

7373502, May 13, 2008

Filed:

Jan 12, 2004

Appl. No.:

10/756633

Inventors:

David A. McGrew - Poolesville MD, US

Assignee:

Cisco Technology, Inc. - San Jose CA

International Classification:

H04L 9/00

US Classification:

713155, 713150, 713153

Abstract:

A method is disclosed for avoiding the storage of client state on a server. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the server can use to encrypt and authenticate communication to and from the client. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

US Patent:

7418100, Aug 26, 2008

Filed:

Aug 10, 2005

Appl. No.:

11/201626

Inventors:

David A. McGrew - Poolesville MD, US
Scott Fluhrer - San Jose CA, US

Assignee:

Cisco Technology, Inc. - San Jose CA

International Classification:

H04K 1/06
H04L 9/28

US Classification:

380 37, 380 28

Abstract:

A block cipher mode of operation implements a block cipher with an arbitrary block length and provides output ciphertext that is always the same size as the input plaintext. The mode can provide the best possible security in systems that cannot allow data expansion, such as disk-block encryption and some network protocols. The mode accepts an additional input, which can be used to protect against attacks that manipulate the ciphertext by rearranging the ciphertext blocks. The universal hash function from Galois/Counter Mode of operation for block ciphers may be used in an embodiment for hardware and software efficiency.

US Patent:

7426636, Sep 16, 2008

Filed:

Jun 2, 2003

Appl. No.:

10/453237

Inventors:

David A. McGrew - Poolesville MD, US
Jan Vilhuber - Santa Cruz CA, US

Assignee:

Cisco Technology, Inc. - San Jose CA

International Classification:

H04L 9/00

US Classification:

713160

Abstract:

A compact secure data communication method is disclosed. In one embodiment, a compact security protocol provides cryptographic services on IP, UDP, and TCP packets with minimal bandwidth degradation due to encapsulation overhead. The disclosed protocol may be used, for example, in converged networks that carry both voice-over-IP and data traffic in and wireless networks, in which it is imperative to minimize per-packet overhead. The disclosed protocol provides as much security as possible, by authenticating the uncompressed headers rather than the compressed headers.

US Patent:

7493331, Feb 17, 2009

Filed:

Mar 21, 2007

Appl. No.:

11/726671

Inventors:

David A. McGrew - Poolesville MD, US

Assignee:

Cisco Technology, Inc. - San Jose CA

International Classification:

G06F 7/00

US Classification:

707101, 707 10, 707102

Abstract:

A method is disclosed for avoiding the storage of client state on a server. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the server can use to encrypt and authenticate communication to and from the client. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.