公开(公告)号：US11956273B2

公开(公告)日：2024-04-09

申请号：US17818147

申请日：2022-08-08

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L9/40

CPC classification number: H04L63/162 ,  H04L63/083 ,  H04L63/0853 ,  H04L63/126 ,  H04L63/1433

Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

公开(公告)号：US11924043B2

公开(公告)日：2024-03-05

申请号：US17517622

申请日：2021-11-02

Applicant: Cisco Technology, Inc.

Inventor： Sujal Sheth ,  Shwetha Subray Bhandari ,  Eric Voit ,  William F. Sulzen ,  Frank Brockners

IPC: H04L41/12 ,  H04L45/00 ,  H04L45/02 ,  H04W40/24 ,  H04W84/18

CPC classification number: H04L41/12 ,  H04L45/02 ,  H04L45/26 ,  H04W40/246 ,  H04W84/18

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. A recipient node in a network environment can receive a neighbor discovery (ND) message from an originating node in the network environment that are both implementing a neighbor discovery protocol. Trustworthiness of the originating node can be verified by identifying a level of trust of the originating node based on attestation information for the originating node included in the ND message received at the recipient node. Connectivity with the recipient node through the network environment can be managed based on the level of trust of the originating node identified from the attestation information included in the ND message.

公开(公告)号：US11909872B2

公开(公告)日：2024-02-20

申请号：US18054219

申请日：2022-11-10

Applicant: Cisco Technology, Inc.

Inventor： Amjad Inamdar ,  Lionel Florit ,  Eric Voit ,  Sujal Sheth ,  Chennakesava Reddy Gaddam

IPC: H04L9/08 ,  H04L9/30

CPC classification number: H04L9/0852 ,  H04L9/0827 ,  H04L9/0869 ,  H04L9/304

Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK_ID from the peer to complete authentication of the peer. The PPK_ID is received from the peer, and the encrypted COMMON-SEED and PPK_ID is sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

公开(公告)号：US11757630B2

公开(公告)日：2023-09-12

申请号：US17377303

申请日：2021-07-15

Applicant: Cisco Technology, Inc.

Inventor： Amjad Inamdar ,  Lionel Florit ,  Eric Voit ,  Sujal Sheth ,  Chennakesava Reddy Gaddam

IPC: H04L9/08 ,  H04L9/30

CPC classification number: H04L9/0852 ,  H04L9/0827 ,  H04L9/0869 ,  H04L9/304

Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK ID from the peer to complete authentication of the peer. The PPK ID is received from the peer, and the encrypted COMMON-SEED and PPK ID is sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

公开(公告)号：US20230071333A1

公开(公告)日：2023-03-09

申请号：US18054219

申请日：2022-11-10

Applicant: Cisco Technology, Inc.

Inventor： Amjad Inamdar ,  Lionel Florit ,  Eric Voit ,  Sujal Sheth ,  Chennakesava Reddy Gaddam

IPC: H04L9/08 ,  H04L9/30

Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK_ID from the peer to complete authentication of the peer. The PPK_ID is received from the peer, and the encrypted COMMON-SEED and PPK_ID is sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

公开(公告)号：US11601292B2

公开(公告)日：2023-03-07

申请号：US17542142

申请日：2021-12-03

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Eric Voit ,  Jesse Daniel Backman ,  Robert Stephen Rodgers ,  Joseph Eryx Malcolm

IPC: H04L29/06 ,  H04L9/32 ,  G06F21/72 ,  G06F21/57 ,  H04L9/40 ,  H04L9/08

Abstract: A methodology for requesting at least one signed security measurement from at least one module is provided. The methodology includes receiving the at least one signed security measurement from the at least one module; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.

公开(公告)号：US20220345300A1

公开(公告)日：2022-10-27

申请号：US17377303

申请日：2021-07-15

Applicant: Cisco Technology, Inc.

Inventor： Amjad Inamdar ,  Lionel Florit ,  Eric Voit ,  Sujal Sheth ,  Chennakesava Reddy Gaddam

IPC: H04L9/08 ,  H04L9/30

Abstract: A method is provided for quantum-resistant secure key distribution between a peer and an extendible authentication protocol (EAP) authenticator by using an authentication server. The method may include receiving requests for a COMMON-SEED and a McEliece public key from a peer and an EAP authenticator by an authentication server using an EAP method, encrypting the COMMON-SEED using the McEliece public key of the peer and the McEliece public key of the EAP authenticator by the authentication server, and sending the encrypted COMMON-SEED from the authentication server to the peer along with a request for a PPK_ID from the peer using the EAP method to complete authentication of the peer. The method may also include receiving the PPK_ID from the peer using the EAP method, where the PPK_ID is from a key pair consisting of PPK_ID and PPK obtained from a first SKS server in electrical communication with the peer based upon the encrypted COMMON-SEED. The method may also include sending the encrypted COMMON-SEED and PPK_ID from the authentication server to the EAP authenticator, and establishing a quantum-resistant secure channel between the peer and the EAP authenticator, where a message of EAP success is delivered from the EAP authenticator to the peer when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

公开(公告)号：US11470105B2

公开(公告)日：2022-10-11

申请号：US16721513

申请日：2019-12-19

Applicant: Cisco Technology, Inc.

Inventor： David Delano Ward ,  Nancy Cam-Winget ,  Eric Voit ,  Jesse Daniel Backman

IPC: G06F21/57 ,  G06F21/70 ,  H04L9/40

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices across domains. Attestation information for an attester node in a first domain is received at a verifier gateway in the first domain. The attestation information is translated at the verifier gateway into translated attestation information for a second domain. Specifically, the attestation information is translated into translated attested information for a second domain that is a different administrative domain from the first domain. The translated attestation information can be provided to a verifier in the second domain. The verifier can be configured to verify the trustworthiness of the attester node for a relying node in the second domain by identifying a level of trust of the attester node based on the translated attestation information.

公开(公告)号：US20220321605A1

公开(公告)日：2022-10-06

申请号：US17583284

申请日：2022-01-25

Applicant: Cisco Technology, Inc.

Inventor： Eric Voit ,  Pradeep Kumar Kathail ,  Avinash Kalyanaraman

IPC: H04L9/40

Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for providing security postures for a service provided by a heterogenous system. A method for verifying trust by a service node includes receiving a request for a security information of the service node from a client device, wherein the request includes information identifying a service to receive from the service node, identifying a related node to communicate with the service node based on the service, after identifying the related node, requesting a security information of the related node, generating a composite security information from the security information of the service node and the security information of the related node, and sending the composite security information to the client device. The composite security information provides security claims for a service implemented by a heterogenous devices that have different trusted execution environments.

公开(公告)号：US11343261B2

公开(公告)日：2022-05-24

申请号：US16555869

申请日：2019-08-29

Applicant: Cisco Technology, Inc.

Inventor： Shwetha Subray Bhandari ,  Eric Voit ,  Frank Brockners ,  Carlos M. Pignataro ,  Nagendra Kumar Nainar

IPC: H04L29/06 ,  H04L69/22

Abstract: Technologies for proving packet transit through uncompromised nodes are provided. An example method can include receiving a packet including one or more metadata elements generated based on security measurements from a plurality of nodes along a path of the packet; determining a validity of the one or more metadata elements based on a comparison of one or more values in the one or more metadata elements with one or more expected values calculated for the one or more metadata elements, one or more signatures in the one or more metadata elements, and/or timing information associated with the one or more metadata elements; and based on the one or more metadata elements, determining whether the packet traversed any compromised nodes along the path of the packet.