Abstract: A network node for a mesh network may control processing of an incoming PDU with reference to a stage one cache. The incoming PDU may be received in an obfuscated state in which a control portion is obfuscated. The control portion comprises information identifying the incoming PDU, and/or destination information indicative of at least one destination node for the incoming PDU. A stage one cache lookup is performed, based on at least a portion of the incoming PDU in the obfuscated state, to determine whether the incoming PDU matches information on a previously received PDU cached in a stage one cache. Depending on the stage one cache lookup, the node determines whether to perform a deobfuscation operation to deobfuscate the control portion of the incoming PDU and whether to perform continued processing the incoming PDU. This limits the number of deobfuscation operations required, which can save processing resource and power.

Abstract: A network node for a mesh network may control processing of an incoming PDU with reference to a stage one cache. The incoming PDU may be received in an obfuscated state in which a control portion is obfuscated. The control portion comprises information identifying the incoming PDU, and/or destination information indicative of at least one destination node for the incoming PDU. A stage one cache lookup is performed, based on at least a portion of the incoming PDU in the obfuscated state, to determine whether the incoming PDU matches information on a previously received PDU cached in a stage one cache. Depending on the stage one cache lookup, the node determines whether to perform a deobfuscation operation to deobfuscate the control portion of the incoming PDU and whether to perform continued processing the incoming PDU. This limits the number of deobfuscation operations required, which can save processing resource and power.

Abstract: Various embodiments include a network manager for managing network keys in a network having a plurality of nodes, the device including: a memory; and a processor configured to: determine N nodes to blacklist, wherein N is an integer; select a polynomial function from a plurality of polynomial functions of degree K and wherein the polynomial functions define plurality of secret network keys; generate K-N random abscissa values, wherein none of the random abscissa values are not found in a list of node abscissa values; calculate K-N polynomial function values for the K-N random abscissa values; calculate N polynomial function values for N node abscissa values associated with the N blacklisted nodes; transmit a message to nodes in the network including an indication of the selected polynomial function, the K-N random abscissa values, the N node abscissa values associated with the N blacklisted nodes, the K-N calculated polynomial function values, and the N calculated polynomial function values.

Abstract: A peripheral device and central device in a communication network, such as a Bluetooth Low Energy network, maintain privacy while establishing a connection. During the connection set-up, energy may be saved in the peripheral device by linking the advertising address of the peripheral device to the resolvable private address of the central device, thereby minimizing the search effort of the peripheral device.

Abstract: Adaptive message caches are disclosed for packet replay and/or flood protection in mesh network devices. The adaptive message cache includes a replay protection area (RPA) and a flood protection area (FPA). For each received packet, a packet security processor compares packet metadata to metadata entries stored for prior packets within the RPA to provide a replay protection check. If a replay protection check is not passed, the packet is dropped. If passed, the packet security processor compares the packet metadata to metadata entries stored for prior packets within the FPA to provide a flood protection check. If the flood protection check is not passed, the packet is dropped. If passed, the received packet is authenticated for the mesh network. Entries within the RPA/FPA are then updated using the packet metadata. Further, the sizes of the RPA and FPA can be adaptively adjusted based upon the packet metadata.

Abstract: A peripheral and central device in a wireless network, such as a Bluetooth Low Energy network, may maintain privacy while connecting. During connecting energy in the peripheral device may be saved by linking an advertised address of the peripheral device to a resolvable private address of the central device, thereby providing an early indication if the central device is, according to the peripheral device, allowed to connect to the peripheral device. Hence a peripheral device performing such linking may have an improved resistance to a denial-of-service attack.

Abstract: Various embodiments include a network manager for managing network keys in a network having a plurality of nodes, the device including: a memory; and a processor configured to: determine N nodes to blacklist, wherein N is an integer; select a polynomial function from a plurality of polynomial functions of degree K and wherein the polynomial functions define plurality of secret network keys; generate K-N random abscissa values, wherein none of the random abscissa values are not found in a list of node abscissa values; calculate K-N polynomial function values for the K-N random abscissa values; calculate N polynomial function values for N node abscissa values associated with the N blacklisted nodes; transmit a message to nodes in the network including an indication of the selected polynomial function, the K-N random abscissa values, the N node abscissa values associated with the N blacklisted nodes, the K-N calculated polynomial function values, and the N calculated polynomial function values.

Abstract: Adaptive message caches are disclosed for packet replay and/or flood protection in mesh network devices. The adaptive message cache includes a replay protection area (RPA) and a flood protection area (FPA). For each received packet, a packet security processor compares packet metadata to metadata entries stored for prior packets within the RPA to provide a replay protection check. If a replay protection check is not passed, the packet is dropped. If passed, the packet security processor compares the packet metadata to metadata entries stored for prior packets within the FPA to provide a flood protection check. If the flood protection check is not passed, the packet is dropped. If passed, the received packet is authenticated for the mesh network. Entries within the RPA/FPA are then updated using the packet metadata. Further, the sizes of the RPA and FPA can be adaptively adjusted based upon the packet metadata.

Abstract: A peripheral and central device in a wireless network, such as a Bluetooth Low Energy network, may maintain privacy while connecting. During connecting energy in the peripheral device may be saved by linking an advertised address of the peripheral device to a resolvable private address of the central device, thereby providing an early indication if the central device is, according to the peripheral device, allowed to connect to the peripheral device. Hence a peripheral device performing such linking may have an improved resistance to a denial-of-service attack.

Abstract: A peripheral device and central device in a communication network, such as a Bluetooth Low Energy network, maintain privacy while establishing a connection. During the connection set-up, energy may be saved in the peripheral device by linking the advertising address of the peripheral device to the resolvable private address of the central device, thereby minimizing the search effort of the peripheral device.

Abstract: Methods and systems are disclosed for multiple connection management for Bluetooth (BT) devices, and more particularly for BT Low Energy (BLE) devices, to multiple different bonded BT peer devices. A BT device database within a non-volatile memory (NVM) stores identification and persistent information for each bonded BT peer device. At power-on reset (PoR), only device identification information (DII) data, such as an address (ADDR) and an IRK (identity resolving key), for each bonded BT peer device is copied from the NVM to a volatile memory that is used for run-time operation. When a bonded BT peer device forms an active connection, it is identified using the DII data, and its persistent data is copied from NVM to volatile memory as run-time data. The BT device then communicates with the actively connected BT peer device at least in part using the run-time data for the actively connected BT peer device.

Abstract: Methods and systems are disclosed for multiple connection management for Bluetooth (BT) devices, and more particularly for BT Low Energy (BLE) devices, to multiple different bonded BT peer devices. A BT device database within a non-volatile memory (NVM) stores identification and persistent information for each bonded BT peer device. At power-on reset (PoR), only device identification information (DII) data, such as an address (ADDR) and an IRK (identity resolving key), for each bonded BT peer device is copied from the NVM to a volatile memory that is used for run-time operation. When a bonded BT peer device forms an active connection, it is identified using the DII data, and its persistent data is copied from NVM to volatile memory as run-time data. The BT device then communicates with the actively connected BT peer device at least in part using the run-time data for the actively connected BT peer device.