Internet protocol telephony security architecture
    21.
    Invention application
    Internet protocol telephony security architecture (In force)

    Publication (announcement) number: US20050027985A1

    Publication (announcement) date: 2005-02-03

    Application number: US10893047

    Filing date: 2004-07-15

    Abstract: A secure Internet Protocol (IP) telephony system, apparatus, and methods are disclosed. Communications over an IP telephony system can be secured by securing communications to and from a Cable Telephony Adapter (CTA). The system can include one or more CTAs, network servers, servers configured as signaling controllers, key distribution centers (KDC), and can include gateways that couple the IP telephony system to a Public Switched Telephone Network (PSTN). Each CTA can be configured as secure hardware and can be configured with multiple encryption keys that are used to communicate signaling or bearer channel communications. The KDC can be configured to periodically distribute symmetric encryption keys to secure communications between devices that have been provisioned to operate in the system and signaling controllers. The secure devices, such as the CTA, can communicate with other secure devices by establishing signaling and bearer channels that are encrypted with session specific symmetric keys derived from a symmetric key distributed by a signaling controller.


    Enforcement of playback count in secure hardware for presentation of digital productions
    22.
    Invention application
    Enforcement of playback count in secure hardware for presentation of digital productions (Pending, published)

    Publication (announcement) number: US20050022019A1

    Publication (announcement) date: 2005-01-27

    Application number: US10613868

    Filing date: 2003-07-05

    Abstract: A system for restricting playback of an electronic presentation, such as a digital video or song. The system uses a playback time limit that specifies a duration of allowable playback time. The playback time limit is typically longer than the running time of the presentation so that a user is able to use standard transport controls such as pause, stop, rewind, fast forward, etc., that affect the overall playback time needed to view the presentation in its entirety. One approach uses a secure time base that is provided by a server over a network to a client device that includes a playback device. The secure time base is received and used by secure processing within the playback device. This approach allows rendering of the presentation to an output device to be performed by non-secure processing without unduly compromising the security of the system.


    Virtual authentication network for secure processors
    23.
    Granted invention patent
    Virtual authentication network for secure processors (Lapsed)

    Publication (announcement) number: US5822431A

    Publication (announcement) date: 1998-10-13

    Application number: US661968

    Filing date: 1996-06-12

    Applicant: Eric Sprunk

    Inventor: Eric Sprunk

    CPC classification number: H04L63/126 G06F21/445 G06F21/57 G06F2211/008

    Abstract: The integrity of a group of secure processing elements in a communication system is ensured with a validation scheme. Member elements are checked by adjacent members to determine whether a member has been tampered with or operatively removed from a group. If a member is found to be untrustworthy, propagation of group characteristic information to that member will be halted. The group characteristic information defines the group, and is required by each group member in order to function. The untrustworthy member is therefore effectively exiled from the group. An efficient network topology minimizes inter-member message traffic while maintaining group robustness.


    Cryptographic apparatus with double feedforward hash function
    24.
    Granted invention patent
    Cryptographic apparatus with double feedforward hash function (Lapsed)

    Publication (announcement) number: US5606616A

    Publication (announcement) date: 1997-02-25

    Application number: US497880

    Filing date: 1995-07-03

    CPC classification number: H04L9/0643 H04L2209/125

    Abstract: Apparatus is provided for authenticating information using a double feedforward hash function to provide complementarity in the implementation of an encryption algorithm. A cryptographic processor has a first input for receiving plaintext, a second input for receiving a key and an output for outputting ciphertext generated by cryptographically processing the plaintext and key. A first circuit element is responsive to the ciphertext and plaintext for outputting a first ciphertext derivative. A second circuit element is responsive to at least a portion of the first ciphertext derivative and the key for outputting a second ciphertext derivative. The first and second circuit elements can be XOR gates. Alternatively, these elements can be provided using lookup tables. Subsequent cryptographic processor stages can be provided having a first input for receiving second plaintext, a second input for receiving the second ciphertext derivative as a key, and an output for outputting second ciphertext generated by cryptographically processing the second plaintext and the second ciphertext derivative. In an illustrated embodiment, the cryptographic processor is a DES processor.


    Method and apparatus for providing a border guard between security domains
    25.
    Invention application
    Method and apparatus for providing a border guard between security domains (In force)

    Publication (announcement) number: US20060150252A1

    Publication (announcement) date: 2006-07-06

    Application number: US11027206

    Filing date: 2004-12-30

    Abstract: The present invention discloses an apparatus and method for defining and enforcing rules of transition between two security domains, e.g., a transport domain and a persistent security domain. In turn, a border guard, e.g., a security device, is provided between these two domains that enforces the rules for transition between the two security domains. This novel approach of defining a transport domain and a persistent security domain simplifies the classification of the digital content and its movement through the system. Namely, the border guard, once established between the two domains, can enforce the DRM rules associated with how content is moved between the two domains.


    System to deliver encrypted access control information to support interoperability between digital information processing/control equipment
    27.
    Granted invention patent
    System to deliver encrypted access control information to support interoperability between digital information processing/control equipment (In force)

    Publication (announcement) number: US06898285B1

    Publication (announcement) date: 2005-05-24

    Application number: US09586064

    Filing date: 2000-06-02

    Abstract: A system for streaming encrypted conditional access (CA) data, such as control words, from a primary or master conditional access provider (CAP) to one or more secondary CAPS. The primary CAP encrypts content (program data) that is to be access-controlled, such as a television program, according to the associated CA data. A first group of user terminals is compatible with the CA data of the primary CAP. The CA data is then provided to the secondary CAPs to provide corresponding CA data for the content in the secondary CAPs' associated formats for compatibility with other groups of terminals. The invention can be used in any packet-based distribution system, including a broadband television network headend, and avoids the need for the secondary CAPs to request the control words on an as-needed basis. Moreover, the CA data for a current crypto-period and a number of future crypto-periods are provided in a “sliding window” to allow the secondary CAP to begin preparing its CA data in advance. Moreover, the CA data can be provided to the secondary CAPs on a real-time basis, or well beforehand when the content is pre-encrypted and stored, e.g., at a file server.


    Token-based management system for PKI personalization process
    28.
    Granted invention patent
    Token-based management system for PKI personalization process (In force)

    Publication (announcement) number: US08392702B2

    Publication (announcement) date: 2013-03-05

    Application number: US12175444

    Filing date: 2008-07-17

    Abstract: A system for token-based management of a PKI (public key infrastructure) personalization process includes a token request and management system (TRMS) configured to gather request information from a requestor; and a token personalization system (TPS) configured to personalize a hardware token such that usage of the hardware token is constrained by the request information. A method for token-based management of a PKI personalization process includes: requesting a hardware token; personalizing a hardware token such that the hardware token is confined to operation within limiting parameters; binding the hardware token to a workstation which is configured to receive the hardware token and use credentials within the hardware token to request and download PKI data from a PKI server, the workstation being further configured to personalize an end user product by loading the PKI data into internal memory contained within the end user product; and monitoring usage of the hardware token and the PKI data.


    Token-Based Management System for PKI Personalization Process
    29.
    Invention application
    Token-Based Management System for PKI Personalization Process (In force)

    Publication (announcement) number: US20090031131A1

    Publication (announcement) date: 2009-01-29

    Application number: US12175444

    Filing date: 2008-07-17

    Abstract: A system for token-based management of a PKI personalization process includes a token request and management system (TRMS) configured to gather request information from a requestor; and a token personalization system (TPS) configured to personalize a hardware token such that usage of the hardware token is constrained by the request information. A method for token-based management of a PKI personalization process includes: requesting a hardware token; personalizing a hardware token such that the hardware token is confined to operation within limiting parameters; binding the hardware token to a workstation which is configured to receive the hardware token and use credentials within the hardware token to request and download PKI data from a PKI server, the workstation being further configured to personalize an end user product by loading the PKI data into internal memory contained within the end user product; and monitoring usage of the hardware token and the PKI data.


    Method and apparatus for providing a virtual universe
    30.
    Invention application
    Method and apparatus for providing a virtual universe (Pending, published)

    Publication (announcement) number: US20070294171A1

    Publication (announcement) date: 2007-12-20

    Application number: US11447561

    Filing date: 2006-06-06

    Applicant: Eric Sprunk

    Inventor: Eric Sprunk

    CPC classification number: H04L63/083

    Abstract: A method and apparatus of providing a virtual universe associated with a product is disclosed. A virtual universe of amenities is established. The virtual universe of amenities is sponsored by the vendor of a product. A security code is provided as part of the sale of the product. The security code provides access to a portion of the virtual universe of amenities. A user is permitted to access the portion of the virtual universe of amenities when the security code is authenticated at a virtual universe server.

