21. METHOD AND SYSTEM FOR SECRET COMMUNICATION BETWEEN NODES
    Patent application, in force

    Publication No.: US20120278623A1

    Publication date: 2012-11-01

    Application No.: US13516967

    Filing date: 2010-06-02

    IPC classes: H04L9/32 H04L12/56

    Abstract: The present invention discloses a method and system for secret communication between nodes in a wired Local Area Network (LAN). The method includes the following steps: 1) a shared key is established; 2) route probes are exchanged; 3) the data communication is classified; 4) secret communication is carried out among the nodes according to that classification. Depending on the communication situation between the nodes, the method classifies the traffic and selects an appropriate secret-communication strategy. Compared with per-hop encryption, the computational load on the switching equipment is reduced and the transmission delay of data packets is shortened; compared with establishing inter-station keys for every pair of nodes, the number of keys is reduced and key management is simplified.


22. METHOD FOR ESTABLISHING TRUSTED NETWORK CONNECT FRAMEWORK OF TRI-ELEMENT PEER AUTHENTICATION
    Patent application, in force

    Publication No.: US20120036553A1

    Publication date: 2012-02-09

    Application No.: US13264683

    Filing date: 2009-12-09

    IPC classes: G06F21/20 H04L29/06 G06F15/16

    Abstract: The present invention provides a method for establishing the trusted network connect framework of tri-element peer authentication. The method includes implementing the trusted network transport interface (IF-TNT), the authentication policy service interface (IF-APS), the trusted network connect (TNC) client-TNC access point interface (IF-TNCCAP), the evaluation policy service interface (IF-EPS), the integrity measurement collector interface (IF-IMC), the integrity measurement verifier interface (IF-IMV), and the integrity measurement interface (IF-IM). By defining these interfaces, the embodiments establish the trust of the terminals, implement the trusted network connect of the terminals, implement trusted authentication among the terminals, implement trusted management of the terminals, and establish the TNC framework based on tri-element peer authentication (TePA).


23. Method for realizing convergent WAPI network architecture with split MAC mode
    Granted patent, in force

    Publication No.: US08855018B2

    Publication date: 2014-10-07

    Application No.: US13203643

    Filing date: 2009-12-14

    CPC classes: H04W12/06 H04W12/04 H04W84/12

    Abstract: A method for realizing a convergent Wireless Local Area Network (WLAN) Authentication and Privacy Infrastructure (WAPI) network architecture with a split Medium Access Control (MAC) mode comprises the following steps: a split MAC mode in which WLAN Privacy Infrastructure (WPI) is realized by the wireless terminal point is constructed by separating the MAC function and the WAPI function of the wireless access point between the wireless terminal point and an access controller; WAPI is integrated with the convergent WLAN network system architecture under this split MAC mode; the association process is performed among a station, the wireless terminal point and the access controller; the access controller and the wireless terminal point announce the start of the WLAN Authentication Infrastructure (WAI) protocol; the WAI protocol is performed between the station and the access controller; the access controller and the wireless terminal point announce the end of the WAI protocol; and secret communication is performed between the wireless terminal point and the station using WPI.


24. Method and system for establishing secure connection between stations
    Granted patent, in force

    Publication No.: US08831227B2

    Publication date: 2014-09-09

    Application No.: US13516257

    Filing date: 2010-05-21

    IPC classes: G06F21/00 H04L9/08 H04L29/06

    CPC classes: H04L9/083 H04L63/061

    Abstract: A method and system for establishing a secure connection between stations are disclosed. The method includes the following steps: 1) a switch device receives an inter-station key request packet sent by a first user terminal; 2) the switch device generates an inter-station key, constructs an inter-station key announcement packet and sends it to a second user terminal; 3) the switch device receives an inter-station key announcement response packet sent by the second user terminal; 4) the switch device constructs an inter-station key announcement response packet and sends it to the first user terminal; 5) the switch device receives an inter-station key announcement response packet sent by the first user terminal. The switch device thus establishes an inter-station key for two stations that are directly connected to it, by which the embodiments ensure the confidentiality and integrity of user data between the stations.

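The five-step exchange above, written out as an added example; this is not code from the patent or its applicant. Assumptions beyond the abstract: each station already shares a link key with the switch (the abstract only says both stations are directly connected to it); the packet field names, the HMAC-SHA256 PRF and the keystream-plus-MAC wrapping are this example's choices, stand-ins for whatever cipher suite the patent actually specifies. The switch acts as the trusted distributor: it generates the inter-station key, delivers it to each station under that station's link key, and collects a confirmation from each side before treating the key as established.

```python
import hmac
import hashlib
import secrets

STA1, STA2 = b"sta1", b"sta2"   # constructed station identifiers


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so adjacent fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def seal(link_key: bytes, aad: bytes, secret: bytes) -> bytes:
    """Carry a 32-byte key across one link: PRF keystream XOR, then a MAC over the
    header (aad), nonce and ciphertext. This stands in for the real cipher suite,
    which the abstract does not name; use AES-GCM or AES key wrap in practice."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, prf(link_key, b"enc", nonce)))
    return nonce + ct + prf(link_key, b"mac", aad, nonce, ct)


def unseal(link_key: bytes, aad: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, prf(link_key, b"mac", aad, nonce, ct)):
        raise ValueError("announcement failed authentication")
    return bytes(a ^ b for a, b in zip(ct, prf(link_key, b"enc", nonce)))


class Station:
    def __init__(self, ident: bytes, link_key: bytes):
        self.id, self.lk, self.peer_keys, self.nonce = ident, link_key, {}, None

    def key_request(self, peer: bytes) -> dict:                    # step 1
        self.nonce = secrets.token_bytes(16)
        return {"type": "REQ", "src": self.id, "dst": peer, "nonce": self.nonce,
                "tag": prf(self.lk, b"REQ", self.id, peer, self.nonce)}

    def on_announce(self, msg: dict) -> dict:                       # steps 3 and 5
        if msg["type"] == "ANN_RESP" and msg["nonce"] != self.nonce:
            raise ValueError("response does not answer my outstanding request")
        aad = msg["type"].encode() + msg["peer"] + msg["nonce"]
        ik = unseal(self.lk, aad, msg["blob"])
        self.peer_keys[msg["peer"]] = ik
        # The confirmation proves to the switch that this station installed ik.
        return {"type": "ANN_RESP", "src": self.id, "peer": msg["peer"],
                "tag": prf(self.lk, b"CONFIRM", msg["peer"], ik)}


class Switch:
    def __init__(self, link_keys: dict):
        self.lk = link_keys                                          # station id -> link key

    def run(self, req: dict, deliver) -> bytes:
        """Steps 2 and 4; deliver(station_id, msg) returns that station's reply."""
        src, dst, n1 = req["src"], req["dst"], req["nonce"]
        if not hmac.compare_digest(req["tag"], prf(self.lk[src], b"REQ", src, dst, n1)):
            raise ValueError("key request not authentic")
        ik = secrets.token_bytes(32)                                 # step 2: fresh inter-station key
        ann = {"type": "ANN", "peer": src, "nonce": secrets.token_bytes(16)}
        ann["blob"] = seal(self.lk[dst], b"ANN" + src + ann["nonce"], ik)
        self._confirmed(deliver(dst, ann), dst, src, ik)             # step 3
        resp = {"type": "ANN_RESP", "peer": dst, "nonce": n1}       # step 4: echoes sta1's nonce
        resp["blob"] = seal(self.lk[src], b"ANN_RESP" + dst + n1, ik)
        self._confirmed(deliver(src, resp), src, dst, ik)            # step 5
        return ik

    def _confirmed(self, reply: dict, who: bytes, peer: bytes, ik: bytes) -> None:
        if not hmac.compare_digest(reply["tag"], prf(self.lk[who], b"CONFIRM", peer, ik)):
            raise ValueError(f"{who!r} did not confirm the inter-station key")


def establish(switch, stations, a, b, mangle=lambda m: m):
    """Run the exchange between stations a and b; mangle() models an on-path attacker."""
    by_id = {s.id: s for s in stations}
    switch.run(by_id[a].key_request(b), lambda sid, m: by_id[sid].on_announce(mangle(m)))
    return by_id[a].peer_keys[b], by_id[b].peer_keys[a]


def demo() -> dict:
    k1 = hashlib.sha256(b"constructed link key sta1").digest()      # constructed link keys
    k2 = hashlib.sha256(b"constructed link key sta2").digest()
    sw = Switch({STA1: k1, STA2: k2})
    ka, kb = establish(sw, [Station(STA1, k1), Station(STA2, k2)], STA1, STA2)

    def flip_byte(m):                       # corrupt one ciphertext byte in transit
        blob = bytearray(m["blob"])
        blob[20] ^= 1
        return {**m, "blob": bytes(blob)}
    try:
        establish(sw, [Station(STA1, k1), Station(STA2, k2)], STA1, STA2, flip_byte)
        rejected = False
    except ValueError:
        rejected = True
    return {"keys_match": ka == kb, "key_len": len(ka), "tamper_rejected": rejected}
```

Two properties of this flow are worth noticing before building on it. The first station can tell that the step-4 response answers its own request, because the response carries the nonce from step 1; the second station contributed no nonce, so in this example it cannot distinguish a fresh announcement from a replayed one unless it remembers switch nonces it has already accepted. And the scheme is exactly as trustworthy as the switch, which holds every link key and sees every inter-station key it hands out.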

25. Method for establishing trusted network connect framework of tri-element peer authentication
    Granted patent, in force

    Publication No.: US08789134B2

    Publication date: 2014-07-22

    Application No.: US13264683

    Filing date: 2009-12-09

    IPC classes: H04L29/06

    Abstract: The present invention provides a method for establishing the trusted network connect framework of tri-element peer authentication. The method includes implementing the trusted network transport interface (IF-TNT), the authentication policy service interface (IF-APS), the trusted network connect (TNC) client-TNC access point interface (IF-TNCCAP), the evaluation policy service interface (IF-EPS), the integrity measurement collector interface (IF-IMC), the integrity measurement verifier interface (IF-IMV), and the integrity measurement interface (IF-IM). By defining these interfaces, the embodiments establish the trust of the terminals, implement the trusted network connect of the terminals, implement trusted authentication among the terminals, implement trusted management of the terminals, and establish the TNC framework based on tri-element peer authentication (TePA).


26. Access control method for tri-element peer authentication credible network connection structure
    Granted patent, in force

    Publication No.: US08719897B2

    Publication date: 2014-05-06

    Application No.: US13377098

    Filing date: 2009-12-09

    IPC classes: H04L29/06 G06F17/00

    CPC classes: H04L63/0869 H04L63/0876

    Abstract: An access control method for a TePA-based TNC architecture is provided, including: 1) encapsulating user authentication protocol data and platform authentication protocol data in the TePA-based TNC architecture: 1.1) the user authentication protocol data is encapsulated in the Data field of TAEP packets, and these TAEP packets are exchanged between an access requestor and an access controller, and between the access controller and a policy manager, to perform mutual user authentication between the access requestor and the access controller and to establish a secure channel between them; and 1.2) the platform authentication protocol data is encapsulated in the Data field of TAEP packets, and, for platform authentication protocol data between the access requestor and the access controller, the TAEP packet carrying the platform authentication protocol data is itself encapsulated in the Data field of another TAEP packet, forming a nested encapsulation.

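An added example, not the patent's code nor that of any TAEP implementation, of the encapsulation in 1.1 and 1.2 as a receiver has to handle it. The header layout (Code, Identifier, Length, Type, Data, laid out like EAP), the type numbers, and the rule that an inner packet's Identifier must match the outer one are assumptions of this example, not facts from the abstract. What it is meant to show is where the checks belong when one packet carries another: every Length is validated against the bytes actually received before it is used to slice, an inner packet must exactly fill the outer Data field, and nesting is bounded to the single level the architecture describes.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed (hypothetical) TAEP header: Code, Identifier, Length (header + Data), Type.
HDR = struct.Struct("!BBHB")
CODE_REQUEST, CODE_RESPONSE = 1, 2
TYPE_USER_AUTH, TYPE_PLATFORM_AUTH, TYPE_NESTED_TAEP = 1, 2, 3   # illustrative values
MAX_NESTING = 1   # the abstract describes one level: a TAEP packet inside a TAEP Data field


@dataclass
class Taep:
    code: int
    ident: int
    ptype: int
    data: bytes
    inner: Optional["Taep"] = None


def build(code: int, ident: int, ptype: int, data: bytes) -> bytes:
    total = HDR.size + len(data)
    if total > 0xFFFF:
        raise ValueError("Data too large for a 16-bit Length field")
    return HDR.pack(code, ident, total, ptype) + data


def encapsulate_platform_auth(ident: int, platform_auth_data: bytes) -> bytes:
    """AR -> AC: the platform authentication data goes in an inner TAEP packet,
    which is itself the Data of an outer TAEP packet (the nested encapsulation of 1.2)."""
    inner = build(CODE_REQUEST, ident, TYPE_PLATFORM_AUTH, platform_auth_data)
    return build(CODE_REQUEST, ident, TYPE_NESTED_TAEP, inner)


def parse(buf: bytes, depth: int = 0) -> Taep:
    """Parse one TAEP packet; every length comes from the wire and is checked
    against what was actually received before it is trusted."""
    if len(buf) < HDR.size:
        raise ValueError("truncated TAEP header")
    code, ident, length, ptype = HDR.unpack_from(buf)
    if length < HDR.size:
        raise ValueError("Length smaller than the header")
    if length > len(buf):
        raise ValueError("Length field exceeds received bytes")
    if depth and length != len(buf):
        raise ValueError("inner packet does not exactly fill the outer Data field")
    pkt = Taep(code, ident, ptype, bytes(buf[HDR.size:length]))
    if ptype == TYPE_NESTED_TAEP:
        if depth >= MAX_NESTING:
            raise ValueError("nesting deeper than the architecture allows")
        pkt.inner = parse(pkt.data, depth + 1)
        if pkt.inner.ident != ident:          # this example's binding rule, an assumption
            raise ValueError("inner Identifier does not match the outer packet")
    return pkt


def classify(pkt: Taep) -> str:
    """Which authentication the access controller should hand this packet to."""
    if pkt.ptype == TYPE_USER_AUTH:
        return "user-authentication"
    if pkt.ptype == TYPE_NESTED_TAEP and pkt.inner.ptype == TYPE_PLATFORM_AUTH:
        return "platform-authentication"
    raise ValueError(f"unexpected TAEP type {pkt.ptype}")


def rejected(buf: bytes) -> bool:
    """True if the parser refuses the buffer (used to exercise the checks above)."""
    try:
        parse(buf)
    except ValueError:
        return True
    return False
```

The outer check tolerates trailing bytes after the outer packet, since a lower layer may pad a frame; the inner check does not, because anything after an inner packet inside the Data field is smuggled data that neither the user-authentication nor the platform-authentication path would ever examine.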

27. Method and system for establishing security connection between switch equipments
    Granted patent, in force

    Publication No.: US08713303B2

    Publication date: 2014-04-29

    Application No.: US13515394

    Filing date: 2010-05-26

    Abstract: A method and a system for establishing a security connection between switch equipments are disclosed. The system includes a first switch equipment and a second switch equipment: the first switch equipment sends the switch key negotiation activation packet and the switch key negotiation response packet to the second switch equipment, and the second switch equipment sends the switch key negotiation request packet to the first switch equipment. The embodiments provide a security policy for secure data transmission between switch equipments by establishing a shared switch key between each pair of switch equipments, thus guaranteeing the confidentiality of data transmitted between switch equipments at the data link layer. The computational burden on the switch equipment and the delay of data packets from the transmitting end to the receiving end are reduced, and the efficiency of network transmission is improved.


28. Method for authenticating a trusted platform based on the tri-element peer authentication (TEPA)
    Granted patent, in force

    Publication No.: US08533806B2

    Publication date: 2013-09-10

    Application No.: US13119909

    Filing date: 2009-11-03

    Abstract: A method for authenticating a trusted platform based on Tri-element Peer Authentication (TePA). The method includes the following steps: A) a second attesting system sends a first message to a first attesting system; B) the first attesting system sends a second message to the second attesting system after receiving the first message; C) the second attesting system sends a third message to a Trusted Third Party (TTP) after receiving the second message; D) the TTP sends a fourth message to the second attesting system after receiving the third message; E) the second attesting system sends a fifth message to the first attesting system after receiving the fourth message; and F) the first attesting system performs access control after receiving the fifth message. The method adopts the security architecture of TePA, improves the security of the trusted platform evaluation protocol, realizes mutual evaluation of the trusted platform between the attesting systems, and extends the range of application.


29. METHOD AND SYSTEM FOR ESTABLISHING SECURITY CONNECTION BETWEEN SWITCH EQUIPMENTS
    Patent application, in force

    Publication No.: US20120254617A1

    Publication date: 2012-10-04

    Application No.: US13515394

    Filing date: 2010-05-26

    IPC classes: H04L9/32

    Abstract: A method and a system for establishing a security connection between switch equipments are disclosed. The system includes a first switch equipment and a second switch equipment: the first switch equipment sends the switch key negotiation activation packet and the switch key negotiation response packet to the second switch equipment, and the second switch equipment sends the switch key negotiation request packet to the first switch equipment. The embodiments provide a security policy for secure data transmission between switch equipments by establishing a shared switch key between each pair of switch equipments, thus guaranteeing the confidentiality of data transmitted between switch equipments at the data link layer. The computational burden on the switch equipment and the delay of data packets from the transmitting end to the receiving end are reduced, and the efficiency of network transmission is improved.


30. METHOD AND SYSTEM FOR PRE-SHARED-KEY-BASED NETWORK SECURITY ACCESS CONTROL
    Patent application, in force

    Publication No.: US20120159587A1

    Publication date: 2012-06-21

    Application No.: US13391526

    Filing date: 2009-12-24

    IPC classes: G06F21/20

    Abstract: A method and system for pre-shared-key-based network access control are disclosed. The method includes the following steps: 1) security policy negotiation is performed between a REQuester (REQ) and an Authentication Access Controller (AAC); 2) identity authentication and unicast key negotiation are performed between the REQ and the AAC; 3) a group-cast key is announced between the REQ and the AAC. Applying the method and system, rapid bidirectional authentication can be implemented between a user and the network.

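The three steps above as an added example, not the patent's code, using a pre-shared key with an HMAC-based challenge-response. The suite names, field names and message contents are this example's assumptions; the abstract does not specify them. The step-1 policy offer is not protected on its own, so the example binds the offered suite list, the chosen suite and both nonces into the step-2 authentication tags: an on-path attacker who strips the stronger suite from the offer causes the two sides' transcripts to disagree and the handshake to fail rather than silently complete on the weaker suite. The unicast key is derived from the PSK and both nonces, and the step-3 group key is carried under it.

```python
import hmac
import hashlib
import secrets

PSK = hashlib.sha256(b"constructed demo pre-shared key").digest()   # constructed, not from the patent


def prf(key: bytes, hashname: str, *parts: bytes) -> bytes:
    """HMAC over length-prefixed parts; the hash function is the negotiated suite."""
    h = hmac.new(key, digestmod=hashname)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def suite_bytes(suites) -> bytes:
    return b"|".join(s.encode() for s in suites)


class AAC:
    def __init__(self, ident: bytes, psk: bytes, suites):
        self.id, self.psk, self.suites = ident, psk, list(suites)   # suites in preference order

    def policy_offer(self) -> dict:                                 # step 1: security policy negotiation
        self.n_aac = secrets.token_bytes(16)
        return {"id": self.id, "suites": self.suites, "n_aac": self.n_aac}

    def on_auth_response(self, m: dict) -> dict:                    # step 2, AAC side
        if m["suite"] not in self.suites:
            raise ValueError("requester chose a suite the AAC did not offer")
        # Transcript as the AAC saw it: an offer altered in transit makes REQ's tag mismatch.
        self.suite = m["suite"]
        self.ctx = (m["id"], self.id, suite_bytes(self.suites), self.suite.encode(), self.n_aac, m["n_req"])
        if not hmac.compare_digest(m["tag"], prf(self.psk, self.suite, b"REQ-AUTH", *self.ctx)):
            raise ValueError("requester authentication failed (wrong PSK or altered policy)")
        self.uk = prf(self.psk, self.suite, b"UNICAST", *self.ctx)   # unicast key, bound to both nonces
        return {"tag": prf(self.uk, self.suite, b"AAC-CONFIRM", *self.ctx)}

    def group_key_notify(self, gk: bytes) -> dict:                  # step 3: group key under the unicast key
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(gk, prf(self.uk, self.suite, b"GK-ENC", nonce)))
        return {"nonce": nonce, "ct": ct, "tag": prf(self.uk, self.suite, b"GK-MAC", nonce, ct)}


class Requester:
    def __init__(self, ident: bytes, psk: bytes, supported):
        self.id, self.psk, self.supported = ident, psk, set(supported)

    def on_policy_offer(self, offer: dict) -> dict:                 # steps 1 and 2, REQ side
        self.suite = next((s for s in offer["suites"] if s in self.supported), None)
        if self.suite is None:
            raise ValueError("no common suite")
        self.n_req = secrets.token_bytes(16)
        self.ctx = (self.id, offer["id"], suite_bytes(offer["suites"]), self.suite.encode(),
                    offer["n_aac"], self.n_req)
        return {"id": self.id, "suite": self.suite, "n_req": self.n_req,
                "tag": prf(self.psk, self.suite, b"REQ-AUTH", *self.ctx)}

    def on_aac_confirm(self, m: dict) -> None:
        self.uk = prf(self.psk, self.suite, b"UNICAST", *self.ctx)
        if not hmac.compare_digest(m["tag"], prf(self.uk, self.suite, b"AAC-CONFIRM", *self.ctx)):
            raise ValueError("AAC authentication failed")             # the network is not who it claims

    def on_group_key(self, m: dict) -> bytes:
        if not hmac.compare_digest(m["tag"], prf(self.uk, self.suite, b"GK-MAC", m["nonce"], m["ct"])):
            raise ValueError("group key notification not authentic")
        return bytes(a ^ b for a, b in zip(m["ct"], prf(self.uk, self.suite, b"GK-ENC", m["nonce"])))


def run(aac: AAC, req: Requester, gk: bytes, tamper=None) -> bytes:
    """Drive the handshake; tamper(), if given, rewrites the policy offer in transit."""
    offer = aac.policy_offer()
    if tamper:
        offer = tamper(offer)
    req.on_aac_confirm(aac.on_auth_response(req.on_policy_offer(offer)))
    return req.on_group_key(aac.group_key_notify(gk))


def demo() -> dict:
    gk = bytes(range(16))                                  # constructed group key
    suites = ["sha256", "sha1"]                            # AAC preference order

    def fails(*args) -> bool:
        try:
            run(*args)
        except ValueError:
            return True
        return False

    got = run(AAC(b"aac-01", PSK, suites), Requester(b"req-01", PSK, suites), gk)
    strip_strong = lambda offer: {**offer, "suites": ["sha1"]}   # on-path downgrade attempt
    return {"group_key_ok": got == gk,
            "downgrade_detected": fails(AAC(b"aac-01", PSK, suites), Requester(b"req-01", PSK, suites), gk, strip_strong),
            "wrong_psk_rejected": fails(AAC(b"aac-01", PSK, suites), Requester(b"req-01", bytes(32), suites), gk)}
```

The keystream-XOR wrapping of the group key is the same stand-in used elsewhere on this page for a real cipher; what matters here is that the group key is carried only after both sides have proved knowledge of the PSK and agreed on the transcript, so a requester that fails step 2 never receives step 3.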