公开(公告)号：US20060251256A1

公开(公告)日：2006-11-09

申请号：US11169328

申请日：2005-06-29

申请人： Nadarajah Asokan ,  Philip Ginzboorg ,  Seamus Moloney ,  Kari Kostiainen ,  Sampo Sovio ,  Jan-Erik Ekberg ,  Jari Takala

发明人： Nadarajah Asokan ,  Philip Ginzboorg ,  Seamus Moloney ,  Kari Kostiainen ,  Sampo Sovio ,  Jan-Erik Ekberg ,  Jari Takala

IPC分类号： H04K1/00

CPC分类号： H04W12/04 ,  H04L9/0838 ,  H04L9/3215 ,  H04L63/065 ,  H04L63/18 ,  H04L2209/80 ,  H04W12/06 ,  H04W48/20 ,  H04W84/12 ,  H04W88/08

摘要： Methods and systems for managing access to a wireless local area network are provided. A wireless access point (AP) may use a unified approach that utilizes an out-of-band channel to communicate authentication key and network address information to a guest device, and utilizes an in-band channel to establish communications with the guest device, and also provides support for in-band setup on all devices. The ability to use out-of-band where possible provides for an increase to security and usability, and the possibility of delegating access from one device to another. The unified approach thereby also provides easy management of guest access to the WLAN.

公开(公告)号：US09087198B2

公开(公告)日：2015-07-21

申请号：US13578955

申请日：2011-02-14

申请人： Jan-Erik Ekberg ,  Nadarajah Asokan ,  Kari Kostiainen

发明人： Jan-Erik Ekberg ,  Nadarajah Asokan ,  Kari Kostiainen

IPC分类号： H04L29/06 ,  G06F21/00 ,  G06F21/57

CPC分类号： G06F21/57

摘要： In accordance with the exemplary embodiments of the invention there is at least a method, apparatus, and executable program of computer instructions to perform the operations of establishing and initializing a set of platform configuration registers, where a first subset of platform configuration registers is defined as being non-resettable, and a second subset of platform configuration registers is defined as being resettable, storing initial boot-up system state information in one or more non-resettable platform configuration registers, dynamically resetting (2) a value of a platform configuration register identified by a reference integrity metric to reflect a measurement value provided by the reference integrity metric, and responding to an attestation request (0) with an attestation response (5) including dynamic information from the platform configuration register that was reset and system state information from a non-resettable platform configuration register.

摘要翻译： 根据本发明的示例性实施例，至少有一种计算机指令的方法，装置和可执行程序，用于执行建立和初始化一组平台配置寄存器的操作，其中平台配置寄存器的第一子集被定义为 不可复位，并且平台配置寄存器的第二子集被定义为可重置，将初始启动系统状态信息存储在一个或多个不可重置的平台配置寄存器中，动态地重置（2）平台配置寄存器的值 由参考完整性度量标识，以反映由参考完整性度量提供的测量值，以及响应具有认证响应（5）的认证请求（5），该证明响应（5）包括来自重置的平台配置寄存器的动态信息，以及来自 一个不可重置的平台配置寄存器。

公开(公告)号：US08724819B2

公开(公告)日：2014-05-13

申请号：US12738616

申请日：2007-10-16

申请人： Nadarajah Asokan ,  Jan-Erik Ekberg ,  Aarne Rantala ,  Markku Kylänpää

发明人： Nadarajah Asokan ,  Jan-Erik Ekberg ,  Aarne Rantala ,  Markku Kylänpää

IPC分类号： H04L29/06

CPC分类号： H04L63/0853 ,  H04L9/0833 ,  H04L9/3271 ,  H04L63/06 ,  H04W12/04

摘要： Disclosed is a method in a provisioning apparatus. The method comprises obtaining a family key, a family key defining a family; submitting the family key to a security element in a secure manner (2-2); using the family key for securing credential data; submitting said secured credential data to the security element (2-4); using the family key for binding an application to the family; and submitting said binding to the security element (2-5). Also a method in a related security element and related apparatuses, systems and computer programs are disclosed.

摘要翻译： 公开了一种供应装置中的方法。 该方法包括获得家庭密钥，定义家庭的家庭密钥; 以安全的方式将家庭密钥提交给安全要素（2-2）; 使用家庭密钥来确保凭证数据; 将所述安全凭证数据提交给安全元件（2-4）; 使用家庭密钥将申请绑定到家庭; 并将所述绑定提交给安全元件（2-5）。 还公开了相关安全元件和相关装置，系统和计算机程序中的方法。

公开(公告)号：US07512796B2

公开(公告)日：2009-03-31

申请号：US11459719

申请日：2006-07-25

申请人： Henry Haverinen ,  Jukka-Pekka Honkanen ,  Antti Kuikka ,  Nadarajah Asokan ,  Patrik Flykt ,  Juha Ala-Laurila ,  Jyri Rinnemaa ,  Timo Takamäki ,  Raimo Vuonnala ,  Jan-Erik Ekberg ,  Tommi Mikkonen ,  Petri Aalto ,  Seppo Honkanen

发明人： Henry Haverinen ,  Jukka-Pekka Honkanen ,  Antti Kuikka ,  Nadarajah Asokan ,  Patrik Flykt ,  Juha Ala-Laurila ,  Jyri Rinnemaa ,  Timo Takamäki ,  Raimo Vuonnala ,  Jan-Erik Ekberg ,  Tommi Mikkonen ,  Petri Aalto ,  Seppo Honkanen

IPC分类号： H04L9/32 ,  G06F7/04 ,  H04N7/173 ,  H04M1/66 ,  G06F17/30 ,  H04K1/00

CPC分类号： H04L63/08 ,  H04L63/0435 ,  H04L63/061 ,  H04L63/0853 ,  H04L63/0869 ,  H04L63/162 ,  H04W12/06

摘要： Authentication method for authenticating a mobile node to a packet data network, in which a shared secret for both the mobile node and the packet data network is arranged by using a shared secret of the mobile node and a telecommunications network authentication centre. In the method, the mobile node sends its subscriber identity to the packet data network together with a replay attack protector. The packet data network obtains authentication triplets, forms a session key using them, and sends back to the mobile node challenges and a cryptographic authenticator made by using the session key. The mobile node can then form the rest of the authentication triplets using the challenges and then form the session key. With the session key, the mobile node can check the validity of the cryptographic authenticator. If the authenticator is correct, the mobile node sends a cryptographic response formed using the session key to the packet data network for authenticating itself to the packet data network.

摘要翻译： 用于将移动节点认证到分组数据网络的认证方法，其中通过使用移动节点的共享秘密和电信网络认证中心来布置移动节点和分组数据网络的共享秘密。 在该方法中，移动节点与重播攻击保护器一起将其用户身份发送到分组数据网络。 分组数据网络获得认证三元组，使用它们形成会话密钥，并且将回送给移动节点的挑战以及使用会话密钥进行的密码认证。 移动节点然后可以使用挑战来形成其余的认证三元组，然后形成会话密钥。 使用会话密钥，移动节点可以检查密码验证器的有效性。 如果认证器是正确的，则移动节点将使用该会话密钥形成的加密响应发送到分组数据网络，以将其自身认证到分组数据网络。

公开(公告)号：US07194438B2

公开(公告)日：2007-03-20

申请号：US10785025

申请日：2004-02-25

申请人： Sampo Sovio ,  Jan-Erik Ekberg ,  Nadarajah Asokan ,  Pekka Lahtinen

发明人： Sampo Sovio ,  Jan-Erik Ekberg ,  Nadarajah Asokan ,  Pekka Lahtinen

IPC分类号： G06Q99/00 ,  H04K1/00 ,  H04L9/00

CPC分类号： G07F7/1008 ,  G06Q20/20 ,  G06Q20/327 ,  G06Q20/3278 ,  G06Q20/341 ,  G06Q20/382 ,  G06Q20/3827 ,  G06Q20/388 ,  G07F7/0886 ,  H04M15/68 ,  H04M2215/0196

摘要： A short-range transaction system enables a user to conduct transactions with a self-service terminal in a user-friendly environment without using currency. The user carries a portable smart card, which interacts with a mobile phone. After authentication via an RFID connection, the device MAC address and a security key (K) are imprinted in the card. In operation, the user waves the smart card past the self-service terminal and activates an RFID connection. The terminal sends the card a random number. The card returns the MAC address and a result (RES) computed using the hash value and the security key. The terminal using the MAC address and security key establishes a secure connection with the device. The terminal downloads the user's transaction interface from the device and displays the user interface at the self-service terminal. The user completes a transaction at the terminal via the user interface.

摘要翻译： 短距离交易系统使用户能够在不使用货币的情况下在用户友好的环境中与自助终端进行交易。 用户携带便携式智能卡，其与移动电话交互。 通过RFID连接认证后，设备的MAC地址和安全密钥（K）被印在卡中。 在操作中，用户通过自助终端来移动智能卡并激活RFID连接。 终端发送卡片随机数。 卡返回MAC地址和使用哈希值和安全密钥计算的结果（RES）。 使用MAC地址和安全密钥的终端建立与设备的安全连接。 终端从设备下载用户的交易界面，并在自助终端显示用户界面。 用户通过用户界面在终端完成事务。

公开(公告)号：US20070060106A1

公开(公告)日：2007-03-15

申请号：US11459719

申请日：2006-07-25

申请人： Henry Haverinen ,  Jukka-Pekka Honkanen ,  Antti Kuikka ,  Nadarajah Asokan ,  Patrik Flykt ,  Juha Ala-Laurila ,  Jyri Rinnemaa ,  Timo Takamaki ,  Raimo Vuonnala ,  Jan-Erik Ekberg ,  Tommi Mikkonen ,  Petri Aalto ,  Seppo Honkanen

发明人： Henry Haverinen ,  Jukka-Pekka Honkanen ,  Antti Kuikka ,  Nadarajah Asokan ,  Patrik Flykt ,  Juha Ala-Laurila ,  Jyri Rinnemaa ,  Timo Takamaki ,  Raimo Vuonnala ,  Jan-Erik Ekberg ,  Tommi Mikkonen ,  Petri Aalto ,  Seppo Honkanen

IPC分类号： H04M3/16

CPC分类号： H04L63/08 ,  H04L63/0435 ,  H04L63/061 ,  H04L63/0853 ,  H04L63/0869 ,  H04L63/162 ,  H04W12/06

摘要： Authentication method for authenticating a mobile node to a packet data network, in which a shared secret for both the mobile node and the packet data network is arranged by using a shared secret of the mobile node and a telecommunications network authentication centre. In the method, the mobile node sends its subscriber identity to the packet data network together with a replay attack protector. The packet data network obtains authentication triplets, forms a session key using them, and sends back to the mobile node challenges and a cryptographic authenticator made by using the session key. The mobile node can then form the rest of the authentication triplets using the challenges and then form the session key. With the session key, the mobile node can check the validity of the cryptographic authenticator. If the authenticator is correct, the mobile node sends a cryptographic response formed using the session key to the packet data network for authenticating itself to the packet data network.

摘要翻译： 用于将移动节点认证到分组数据网络的认证方法，其中通过使用移动节点的共享秘密和电信网络认证中心来布置移动节点和分组数据网络的共享秘密。 在该方法中，移动节点与重播攻击保护器一起将其用户身份发送到分组数据网络。 分组数据网络获得认证三元组，使用它们形成会话密钥，并且将回送给移动节点的挑战以及使用会话密钥进行的密码认证。 移动节点然后可以使用挑战来形成其余的认证三元组，然后形成会话密钥。 使用会话密钥，移动节点可以检查密码验证器的有效性。 如果认证器是正确的，则移动节点将使用该会话密钥形成的加密响应发送到分组数据网络，以将其自身认证到分组数据网络。

公开(公告)号：US07178041B2

公开(公告)日：2007-02-13

申请号：US10046274

申请日：2002-01-16

申请人： Nadarajah Asokan ,  Jan-Erik Ekberg ,  Lauri Paatero

发明人： Nadarajah Asokan ,  Jan-Erik Ekberg ,  Lauri Paatero

IPC分类号： H04L9/32 ,  G06F7/04

CPC分类号： G07F7/1008 ,  G06Q20/04 ,  G06Q20/045 ,  G06Q20/1235 ,  G06Q20/341 ,  G06Q20/346 ,  G06Q20/35765 ,  G06Q20/3823 ,  G07F7/082 ,  G07F7/0826 ,  G07F7/1083 ,  H04M2250/14

摘要： Method, system and computer program product for implementing a trusted counter in a personal communication device. In particular, the method, system and computer program product utilizes cryptography and an external, read-write storage device that stores important state information that cannot be modified without detection. Using the present invention, the counter can be implemented in a personal even if state information is stored in an insecure storage device.

摘要翻译： 用于在个人通信设备中实现可信计数器的方法，系统和计算机程序产品。 特别地，方法，系统和计算机程序产品利用密码学和外部读写存储设备，其存储在没有检测的情况下不能修改的重要状态信息。 使用本发明，即使将状态信息存储在不安全的存储设备中，也可以以个人身份实现计数器。

公开(公告)号：US20060259790A1

公开(公告)日：2006-11-16

申请号：US11128676

申请日：2005-05-13

申请人： Nadarajah Asokan ,  Jan-Erik Ekberg ,  Lauri Paatero

发明人： Nadarajah Asokan ,  Jan-Erik Ekberg ,  Lauri Paatero

IPC分类号： G06F12/14

CPC分类号： H04L63/0428 ,  G06F21/606 ,  G06F21/62 ,  G06F21/71 ,  G06F21/78 ,  G06F21/79 ,  G06Q20/341 ,  G06Q20/3576 ,  G06Q20/40975 ,  G07F7/1008 ,  H04L9/0833 ,  H04L9/0838 ,  H04L9/0891 ,  H04L67/1097 ,  H04L2209/12 ,  H04L2209/603 ,  H04L2209/80

摘要： An internal but not integrated security token is provided for a device which includes a first integrated circuitry including a secure processor. The security token is provided by a second integrated circuitry separate from the first circuitry. The second integrated circuitry includes a secure non-volatile storage. The secure processor communicates information to the second circuitry in a secure manner for the secure information to be securely stored in the secure non-volatile storage, and the second integrated circuitry communicates information stored in its secure non-volatile storage to the secure processor in a secure manner. Communications is secured by means of cryptography. The first integrated circuitry and the second integrated circuitry are internal parts of the device. An initialization method for distributing a secure key to be shared between the circuitries and to be used in cryptography is also disclosed.

公开(公告)号：US20060259789A1

公开(公告)日：2006-11-16

申请号：US11128670

申请日：2005-05-13

申请人： Jan-Erik Ekberg ,  Nadarajah Asokan ,  Lauri Paatero

发明人： Jan-Erik Ekberg ,  Nadarajah Asokan ,  Lauri Paatero

IPC分类号： G06F12/14

CPC分类号： G06F21/79 ,  G06F12/1458 ,  G06F2212/2022 ,  Y02D10/13

摘要： State information necessary to maintain securely is saved on a probabilistic basis onto a flash memory of protected memory chip. The protected memory chip has a communication logics that prevents access to the flash memory unless appropriate cryptographically protected instructions are given. By saving data on a probabilistic basis, the aging of the flash memory can be reduced so as to inhibit malicious destruction of the flash memory. The communication logics can also address different parts of the flash memory selectively so that any time the state information changes, something is written to the flash memory. To yet avoid premature aging of the whole flash memory, a dedicated disposable portion can be used for normal writing so that the remainder of the flash memory remains operable. Corresponding security circuitry, assembly module and computer programs are also described.

摘要翻译： 将可靠地维护所需的状态信息以概率方式保存到受保护的存储器芯片的闪速存储器中。 受保护的存储器芯片具有防止访问闪速存储器的通信逻辑，除非给出适当的加密保护指令。 通过以概率的方式保存数据，可以减少闪速存储器的老化，从而抑制闪存的恶意破坏。 通信逻辑还可以选择性地对闪速存储器的不同部分进行寻址，使得任何时候状态信息改变，一些东西被写入闪速存储器。 为了避免整个闪存的过早老化，专用的一次性部分可以用于正常写入，使得闪存的其余部分保持可操作。 还描述了相应的安全电路，组装模块和计算机程序。

公开(公告)号：US07107620B2

公开(公告)日：2006-09-12

申请号：US09756346

申请日：2001-01-08

申请人： Henry Haverinen ,  Jukka-Pekka Honkanen ,  Antti Kuikka ,  Nadarajah Asokan ,  Patrik Flykt ,  Juha Ala-Laurila ,  Jyri Rinnemaa ,  Timo Takamäki ,  Raimo Vuonnala ,  Jan-Erik Ekberg ,  Tommi Mikkonen ,  Petri Aalto ,  Seppo Honkanen

发明人： Henry Haverinen ,  Jukka-Pekka Honkanen ,  Antti Kuikka ,  Nadarajah Asokan ,  Patrik Flykt ,  Juha Ala-Laurila ,  Jyri Rinnemaa ,  Timo Takamäki ,  Raimo Vuonnala ,  Jan-Erik Ekberg ,  Tommi Mikkonen ,  Petri Aalto ,  Seppo Honkanen

IPC分类号： G06F7/04 ,  H04L9/00 ,  H04M1/66 ,  H04M1/68 ,  H04M3/16 ,  H04K1/00

CPC分类号： H04L63/08 ,  H04L63/0435 ,  H04L63/061 ,  H04L63/0853 ,  H04L63/0869 ,  H04L63/162 ,  H04W12/06

摘要： Authentication method for authenticating a mobile node to a packet data network, in which a shared secret for both the mobile node and the packet data network is arranged by using a shared secret of the mobile node and a telecommunications network authentication center. In the method, the mobile node sends its subscriber identity to the packet data network together with a replay attack protector. The packet data network obtains authentication triplets, forms a session key using them, and sends back to the mobile node challenges and a cryptographic authenticator made by using the session key. The mobile node can then form the rest of the authentication triplets using the challenges and then form the session key. With the session key, the mobile node can check the validity of the cryptographic authenticator. If the authenticator is correct, the mobile node sends a cryptographic response formed using the session key to the packet data network for authenticating itself to the packet data network.