Method of enforcing a policy on a computer network
    11.
    Granted invention patent; status: Lapsed

    Publication number: US06941465B1

    Publication date: 2005-09-06

    Application number: US09360912

    Filing date: 1999-07-26

    IPC classification: G06F21/00 H04L9/00 H04L29/06

    Abstract: A policy server program evaluates one or more policy statements based on the group or groups to which a user belongs as well as other conditions. Each policy statement expresses an implementation of the access policy of the network, and is associated with a profile. The profile contains one or more actions that are to be applied to the user. The policy server program determines the identity of the group or groups to which the user belongs by referencing one or more group attributes contained in a user object which is located in a directory on the network. The user object and its group parameters are established when the user is added to the directory, while a policy statement for a group can be created at any time.

    System and method for improved network security
    12.
    Granted invention patent; status: In force

    Publication number: US07856655B2

    Publication date: 2010-12-21

    Application number: US10882537

    Filing date: 2004-06-30

    Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).

    System and method for maintaining network system information
    13.
    Granted invention patent; status: In force

    Publication number: US07394821B2

    Publication date: 2008-07-01

    Application number: US10875255

    Filing date: 2004-06-24

    IPC classification: H04L12/56

    CPC classification: H04L45/00 H04L41/22

    Abstract: A system for maintaining network information. The system resides in a network comprising a plurality of sub-networks in communication with one another over a communications backbone. Each sub-network has a router for use in performing communications with other sub-networks. A directory service is linked to the communications backbone and includes a database. The database stores router attribute information that is published by each of the routers. Using a query engine associated with the directory service, meaningful information can be gathered from the database as a function of specified router attribute information.

    System and method for improved network security
    14.
    Granted invention patent; status: Lapsed

    Publication number: US06915437B2

    Publication date: 2005-07-05

    Application number: US09741217

    Filing date: 2000-12-20

    Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).

    Methods for iteratively deriving security keys for communications sessions
    15.
    Granted invention patent; status: In force

    Publication number: US07464265B2

    Publication date: 2008-12-09

    Application number: US10138868

    Filing date: 2002-05-03

    IPC classification: H04L9/00

    Abstract: Disclosed are methods for a client, having established one set of security keys, to establish a new set without having to communicate with an authentication server. When the client joins a group, master session security keys are derived and made known to the client and to the group's access server. From the master session security keys, the access server and client each derive transient session security keys, used for authentication and encryption. To change the transient session security keys, the access server creates “liveness” information and sends it to the client. New master session security keys are derived from the liveness information and the current set of transient session security keys. From these new master session security keys are derived new transient session security keys. This process limits the amount of data sent using one set of transient session security keys and thus limits the effectiveness of any statistical attacker.

    Establishing secure peer networking in trust webs on open networks using shared secret device key
    16.
    Granted invention patent; status: In force

    Publication number: US07290132B2

    Publication date: 2007-10-30

    Application number: US11104694

    Filing date: 2005-04-11

    IPC classification: H04L9/00 H04L9/32

    CPC classification: H04L63/04

    Abstract: A trust web keying process provides secure peer networking of computing devices on an open network. A device is initially keyed at distribution to an end user or installer with a device-specific cryptographic key, and programmed to respond only to peer networking communication secured using the device's key. The device-specific key is manually entered into a keying device that transmits a re-keying command secured with the device-specific key to the device for re-keying the device with a group cryptographic key. The device then securely peer networks with other devices also keyed with the group cryptographic key, forming a trust web. Guest devices can be securely peer networked with the trust web devices via a trust web gateway.

    Increasing the level of automation when provisioning a computer system to access a network
    17.
    Granted invention patent; status: In force

    Publication number: US07284062B2

    Publication date: 2007-10-16

    Application number: US10313084

    Filing date: 2002-12-06

    IPC classification: G06F15/16

    Abstract: A computer system attempts to authenticate with a server to gain authorization to access a first network. It is determined by the server that the computer system is not authorized to access the first network. The computer system is given authorization to access a second network for at least the purpose of downloading files (e.g., signup and configuration files) needed to access the first network. A user-interface for receiving user-entered signup information is automatically presented at the computer system. A first schema-based document including user-entered information is transferred to the server. If the server determines that the user-entered information is appropriate, a second schema-based document, which includes an indication of authorization to access the first network (e.g., a user-identifier and password), is received. A third schema-based document is executed at the computer system to compatibly configure the computer system for accessing the first network.

    Establishing secure peer networking in trust webs on open networks using shared secret device key

    Publication number: US07082200B2

    Publication date: 2006-07-25

    Application number: US09948475

    Filing date: 2001-09-06

    IPC classification: H04K1/00 H04L9/00 G06F7/04

    CPC classification: H04L63/04

    Abstract: A trust web keying process provides secure peer networking of computing devices on an open network. A device is initially keyed at distribution to an end user or installer with a device-specific cryptographic key, and programmed to respond only to peer networking communication secured using the device's key. The device-specific key is manually entered into a keying device that transmits a re-keying command secured with the device-specific key to the device for re-keying the device with a group cryptographic key. The device then securely peer networks with other devices also keyed with the group cryptographic key, forming a trust web. Guest devices can be securely peer networked with the trust web devices via a trust web gateway.

    Method of enforcing a policy on a computer network
    19.
    Granted invention patent; status: Lapsed

    Publication number: US07636935B2

    Publication date: 2009-12-22

    Application number: US11197155

    Filing date: 2005-08-04

    IPC classification: H04L9/00 H04L9/32

    Abstract: A policy server program evaluates one or more policy statements based on the group or groups to which a user belongs as well as other conditions. Each policy statement expresses an implementation of the access policy of the network, and is associated with a profile. The profile contains one or more actions that are to be applied to the user. The policy server program determines the identity of the group or groups to which the user belongs by referencing one or more group attributes contained in a user object which is located in a directory on the network. The user object and its group parameters are established when the user is added to the directory, while a policy statement for a group can be created at any time.

    Efficient and secure authentication of computing systems
    20.
    Granted invention patent; status: In force

    Publication number: US07549048B2

    Publication date: 2009-06-16

    Application number: US10804591

    Filing date: 2004-03-19

    IPC classification: H04L9/00

    Abstract: The principles of the present invention relate to systems, methods, and computer program products for more efficiently and securely authenticating computing systems. In some embodiments, a limited use credential is used to provision more permanent credentials. A client receives a limited-use (e.g., a single-use) credential and submits the limited-use credential over a secure link to a server. The server provisions an additional credential (for subsequent authentication) and sends the additional credential to the client over the secure link. In other embodiments, computing systems automatically negotiate authentication methods using an extensible protocol. A mutually deployed authentication method is selected and secure authentication is facilitated with a tunnel key that is used to encrypt (and subsequently decrypt) authentication content transferred between a client and a server. The tunnel key is derived from a shared secret (e.g., a session key) and nonces.