ACCESS AUTHENTICATION METHOD APPLYING TO IBSS NETWORK
    21.
    Invention application (in force)

    Publication number: US20110314286A1

    Publication date: 2011-12-22

    Application number: US12740082

    Filing date: 2008-10-30

    IPC classification: H04L9/08 G06F15/16

    Abstract: An access authentication method applying to an IBSS network involves the following steps: 1) performing authentication role configuration for the network entities; 2) authenticating, via an authentication protocol, the authentication entity and the request entity for which the authentication role configuration has been performed; and 3) after the authentication is finished, the authentication entity and the request entity perform key negotiation, wherein a message integrity check field and a protocol synchronization lock-in field are added to the key negotiation message. The access authentication method applying to an IBSS network provided by the invention has the advantages of better security and higher execution efficiency.

METHOD FOR ENHANCING THE SECURITY OF THE MULTICAST OR BROADCAST SYSTEM
    22.
    Invention application (in force)

    Publication number: US20110289562A1

    Publication date: 2011-11-24

    Application number: US13059547

    Filing date: 2009-08-20

    IPC classification: G06F17/30

    Abstract: A method for enhancing the security of a multicast or broadcast system comprises the following steps: after the system parameters have been established, the base station receives a registration request message transmitted by the terminal, and the registration request message carries the device identity information of the terminal; the base station registers the terminal according to the registration request message and, after successful registration, transmits the authorization key to the terminal. Because the base station establishes the specific system parameters and generates and issues the corresponding terminal key based on those parameters, the embodiment of the present invention can effectively construct a secure multicast or broadcast network system and solve the security problem of multicast or broadcast from the base station to the terminal in the network system.

METHOD FOR PROTECTING THE FIRST MESSAGE OF SECURITY PROTOCOL
    23.
    Invention application (in force)

    Publication number: US20110252239A1

    Publication date: 2011-10-13

    Application number: US13140632

    Filing date: 2009-12-07

    IPC classification: H04L9/32

    Abstract: The present invention provides a method for protecting the first message of a security protocol, and the method includes the following steps: 1) an initialization step; 2) the initiating side sends the first message; 3) the responding side receives the first message. The method for protecting the first message of the security protocol provided by the present invention achieves the following: 1) the Pre-Shared Master Key (PSMK) shared by the initiating side and the responding side is bound to the security parameters of the first message by computing a Message Integrity Code (MIC) or Message Authentication Code (MAC), so that forgery of the first message of the security protocol is effectively prevented; 2) when computing the MIC or MAC of the first message, only the PSMK and the security parameters of the first message enter the computation, so the computational load on the initiating side and the responding side is effectively reduced and computing resources are saved.

TRUSTED NETWORK CONNECT HANDSHAKE METHOD BASED ON TRI-ELEMENT PEER AUTHENTICATION
    24.
    Invention application (pending, published)

    Publication number: US20110238996A1

    Publication date: 2011-09-29

    Application number: US13132842

    Filing date: 2009-12-08

    IPC classification: H04L9/32

    Abstract: A trusted network connect handshake method based on tri-element peer authentication is provided, which comprises the following steps. An Access Controller (AC) sends message 1, a handshake activation, to an Access Requestor (AR). After receiving message 1, the AR sends message 2, an access handshake request, to the AC. After receiving message 2, the AC sends message 3, a certificate authentication and integrity evaluation request, to a Policy Manager (PM). After receiving message 3, the PM sends message 4, a certificate authentication and integrity evaluation response, to the AC. After receiving message 4, the AC sends message 5, an access handshake response, to the AR. The trusted network connect handshake is completed after the AR receives message 5.

TRUSTED NETWORK MANAGEMENT METHOD OF TRUSTED NETWORK CONNECTIONS BASED ON TRI-ELEMENT PEER AUTHENTICATION
    25.
    Invention application (in force)

    Publication number: US20110162042A1

    Publication date: 2011-06-30

    Application number: US13059798

    Filing date: 2009-08-20

    IPC classification: G06F15/16

    Abstract: A trusted network management method of trusted network connections based on tri-element peer authentication. A trusted management proxy and a trusted management system are installed and configured on a host to be managed and on a management host respectively, and are verified to be locally trusted. When the host to be managed and the management host are not connected to the trusted network, each connects to the trusted network using the trusted network connection method based on tri-element peer authentication, and the trusted management proxy and the trusted management system subsequently perform authentication and cipher key negotiation; when the host to be managed and the management host have not completed the user authentication and cipher key negotiation process, they use the tri-element peer authentication protocol to complete the user authentication and cipher key negotiation process, then use the tri-element peer authentication protocol to establish the remote trust of the trusted management proxy and the trusted management system, and finally perform network management. The present invention can actively defend against attacks, reinforce the security of the trusted network management architecture, and realize trusted network management with distributed control and centralized management.

TRUSTED NETWORK MANAGEMENT METHOD BASED ON TCPA/TCG TRUSTED NETWORK CONNECTION
    26.
    Invention application (pending, published)

    Publication number: US20110145425A1

    Publication date: 2011-06-16

    Application number: US13058988

    Filing date: 2009-08-20

    IPC classification: G06F15/16

    Abstract: A trusted network management method based on TCPA/TCG trusted network connection is provided. A trusted management agent and a trusted management system are installed and configured on a managed host and a managing host respectively and verified to be trusted locally; when the managed host and the managing host have not yet connected to a trusted network, they connect to the trusted network separately using a method based on TCPA/TCG trusted network connection and then perform the authentication and key negotiation procedure between the trusted management agent and the trusted management system; when the managed host and the managing host have not yet performed the user authentication and key negotiation procedure, they perform the user authentication and key negotiation procedure, then establish the remote trustworthiness of the trusted management agent and the trusted management system, and finally perform network management.

TWO-WAY ACCESS AUTHENTICATION METHOD
    27.
    Invention application (in force)

    Publication number: US20100250952A1

    Publication date: 2010-09-30

    Application number: US12741982

    Filing date: 2008-11-07

    IPC classification: H04L9/32 G06F21/00

    Abstract: A two-way access authentication method comprises: according to the system parameters pre-established by a third entity, the first entity sends an access authentication request packet to the second entity; the second entity validates whether the signature of the first entity is correct and, if so, calculates the shared master key of the second entity; the second entity generates an access authentication response packet and sends it to the first entity; the first entity validates whether the signature and the message integrity check code of the access authentication response packet are correct and, if so, calculates the shared master key of the first entity; the first entity sends an access authentication acknowledge packet to the second entity; the second entity validates the integrity of the access authentication acknowledge packet, and if the validation passes, the shared master key of the first entity is consistent with that of the second entity and the access authentication is achieved. To improve security, after receiving the access authentication request packet sent by the first entity, the second entity may perform identity validity validation and generate the access authentication response packet only after that validation passes.

WAPI UNICAST SECRET KEY NEGOTIATION METHOD
    28.
    Invention application (pending, published)

    Publication number: US20100250941A1

    Publication date: 2010-09-30

    Application number: US12743032

    Filing date: 2008-11-14

    IPC classification: H04L9/32

    Abstract: A WAPI unicast secret key negotiation method includes the following steps: 1) an authenticator entity adds a message integrity code to a unicast secret key negotiation request packet and transmits it to an authentication supplicant entity; 2) after the authentication supplicant entity receives the unicast secret key negotiation request packet, it validates the packet, discards it directly if it is not correct, and performs further validation if it is correct; when the validation succeeds, it responds with a unicast secret key negotiation response packet to the authenticator entity; 3) after the authenticator entity receives the unicast secret key negotiation response packet, it validates the packet, and if the validation succeeds, it responds with a unicast secret key negotiation acknowledge packet to the authentication supplicant entity; 4) after the authentication supplicant entity receives the unicast secret key negotiation acknowledge packet, it validates the packet, and if the validation succeeds, it negotiates and obtains a consistent unicast session secret key. The present invention resolves the DoS attack problem that exists in the unicast secret key management protocol of the present WAPI security mechanism.

METHOD FOR REALIZING TRUSTED NETWORK MANAGEMENT
    29.
    Invention application (in force)

    Publication number: US20100083349A1

    Publication date: 2010-04-01

    Application number: US12631491

    Filing date: 2009-12-04

    IPC classification: G06F21/00 G06F17/30

    CPC classification: H04L63/20

    Abstract: A method for realizing trusted network management is provided. A trusted management agent resides on a managed host, and a trusted management system resides on a management host. The trusted management agent and the trusted management system are software modules that are both based on a trusted computing platform and are signed after being authenticated by a trusted third party. The trusted platform modules of the managed host and the management host can perform integrity measurement, storage, and reporting for the trusted management agent and the trusted management system. Therefore, the managed host and the management host can ensure that the trusted management agent and the trusted management system are trustworthy. The trusted management agent and the trusted management system then execute the network management function, thus realizing trusted network management. This solves the prior-art problem that network management security cannot be ensured because of mutual attacks between an agent, the host on which the agent resides, and the manager system, and realizes trusted network management.

TRUSTED NETWORK CONNECT METHOD BASED ON TRI-ELEMENT PEER AUTHENTICATION
    30.
    Invention application (in force)

    Publication number: US20100077454A1

    Publication date: 2010-03-25

    Application number: US12626546

    Filing date: 2009-11-25

    IPC classification: H04L9/32

    Abstract: A trusted network connect (TNC) method based on tri-element peer authentication is provided, which includes the following steps. Platform integrity information is prepared in advance. An integrity verification requirement is predefined. A network access requestor initiates an access request to a network access controller. The network access controller starts a mutual user authentication process and performs a tri-element peer authentication protocol with a user authentication serving unit. After the mutual user authentication succeeds, a TNC client, a TNC server, and a platform evaluation serving unit implement platform integrity evaluation using a tri-element peer authentication method. The network access requestor and the network access controller each control their ports according to the recommendations they receive, so as to implement mutual access control between the access requestor and the access controller. The present invention thus solves the prior-art problems of poor extensibility, a complex key agreement process, low security, and platform integrity evaluation that is not peer-to-peer. Through the method of the present invention, the key management and integrity verification mechanisms of the TNC are simplified, and the range of applicability of the TNC is expanded.