Abstract:
A secure communications arrangement is disclosed including a source device and a destination device interconnected by a network. The source device generates message packets for transfer to the destination device, each message packet including information in ciphertext form. The source device generates the ciphertext from plaintext in accordance with the cipher block chaining mode, using an initialization vector that is generated using a hash function selected so that small changes in an input result in large changes in the initialization vector. As a result values such as sequence numbers or time stamps can be used in generating the initialization vector, while still providing for cryptographic security for the ciphertext as against cryptanalytic attack. The destination device receives the message packet and decrypts the ciphertext to generate plaintext in accordance with the cipher block chaining mode, using an initialization vector that is generated using the corresponding hash function. Although the secure communications arrangement is described in connection with the cipher block chaining mode, other modes, such as the cipher-feedback mode, output-feedback mode and other encryption modes which make use of initialization vectors, could also be used.
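As an added illustration (not code from the patent), the packet construction described above: the IV is the leading 128 bits of SHA-256 over the packet's sequence number, and the plaintext is CBC-encrypted under it. A four-round Feistel permutation built from SHA-256 stands in for a real block cipher such as AES so the example runs with the standard library only; the 64-bit sequence number, the PKCS#7 padding and the packet layout are assumptions.

```python
import hashlib
import struct

BLOCK = 16  # 128-bit block, as a cipher such as AES would use

def derive_iv(seq_no: int) -> bytes:
    # IV = first block of SHA-256 over the sequence number. SHA-256 has the
    # avalanche property the scheme relies on, so consecutive sequence numbers
    # give unrelated IVs; the IV is still unique per packet, not secret.
    return hashlib.sha256(struct.pack(">Q", seq_no)).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation standing in for a real block cipher.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def build_packet(key: bytes, seq_no: int, plaintext: bytes) -> bytes:
    # CBC-encrypt under the hash-derived IV; packet = seq_no || ciphertext.
    n = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([n]) * n  # PKCS#7 padding
    prev, out = derive_iv(seq_no), []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return struct.pack(">Q", seq_no) + b"".join(out)

def open_packet(key: bytes, packet: bytes) -> bytes:
    # Recompute the IV from the transmitted sequence number, then CBC-decrypt.
    seq_no, ct = struct.unpack(">Q", packet[:8])[0], packet[8:]
    prev, out = derive_iv(seq_no), []
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    pt = b"".join(out)
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return pt[:-n]
```

The same plaintext sent under two sequence numbers yields unrelated ciphertexts, which is the property the abstract relies on; the receiver needs only the sequence number from the packet header to rebuild the IV.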
Abstract:
A module may include interface logic to receive information identifying a state related to a client device via logic related to a controlled environment, and to send a valid policy result to a host device, where the valid policy result is related to the state. The module may include processing logic to process policy content according to a resource policy, where the processing is based on the information, and to produce the valid policy result based on the processing using the resource policy, where the valid policy result is adapted for use by the host device when implementing the network policy with respect to a destination device when the client device attempts to communicate with the destination device.
Abstract:
In general, techniques are described for securely exchanging network access control information. The techniques may be useful in situations where an endpoint device and an access control device perform a tightly-constrained handshake sequence of a network protocol when the endpoint device requests access to a network. The handshake sequence may be constrained in a variety of ways. Due to the constraints of the handshake sequence, the endpoint device and the access control device may be unable to negotiate a set of nonce information during the handshake sequence. For this reason, the access control device uses a previously negotiated set of nonce information and other configuration information associated with the endpoint device as part of a process to determine whether the endpoint device should be allowed to access the protected networks.
Abstract:
A method and system for accurately measuring the reception characteristics of receivers in a multicast data distribution group having a sending node and a plurality of receivers. The multicast group is organized as a repair tree in which selected nodes of the multicast group comprise repair nodes for downstream receivers. Multicast data packets transmitted by the repair nodes include a retransmission count field in addition to the multicast packet header information, a session identifier, a packet sequence number and payload data. The retransmission count provides an indication of the number of times the respective packet has been retransmitted in response to a repair request. The receivers include an original packet counter and a retransmission count counter for each multicast session. Each receiver increments the original packet counter upon receipt of a packet that has not been previously received. Each receiver adds the value contained in the retransmission count field of a received packet to the retransmission count counter upon receipt of a retransmitted multicast packet that corresponds to a packet identified as a missing packet by the respective receiver. The values in the original packet counter and the retransmission count counter are used to generate a loss metric at each receiver that provides a measure of the reception characteristic of the respective receiver for the particular multicast session.
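The receiver-side bookkeeping described above, as an added example that is not part of the patent: a per-session original packet counter and retransmission count counter, with the retransmission counter only credited for repairs of packets this receiver itself had marked missing. The gap-based missing-packet detection, the packet fields and the loss metric formula (retransmissions over all counted packets) are assumptions, since the abstract does not define them.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    session_id: int
    seq: int
    retransmission_count: int  # 0 for an original transmission
    payload: bytes = b""

@dataclass
class SessionStats:
    original_packets: int = 0   # original packet counter
    retransmissions: int = 0    # retransmission count counter
    received: set = field(default_factory=set)
    missing: set = field(default_factory=set)
    highest_seq: int = -1

class Receiver:
    def __init__(self):
        self.sessions = {}

    def on_packet(self, pkt: Packet) -> None:
        s = self.sessions.setdefault(pkt.session_id, SessionStats())
        if pkt.seq in s.received:
            return  # already seen: neither counter changes
        # Assumed gap detection: sequence numbers skipped over are missing.
        if pkt.seq > s.highest_seq:
            s.missing.update(range(s.highest_seq + 1, pkt.seq))
            s.highest_seq = pkt.seq
        s.received.add(pkt.seq)
        s.original_packets += 1  # first receipt of this packet
        # A repair packet only counts if this receiver had reported it missing;
        # repairs requested by other members of the repair group are ignored.
        if pkt.retransmission_count > 0 and pkt.seq in s.missing:
            s.missing.discard(pkt.seq)
            s.retransmissions += pkt.retransmission_count

    def loss_metric(self, session_id: int) -> float:
        # Assumed metric: share of counted packets that were retransmissions.
        s = self.sessions[session_id]
        total = s.original_packets + s.retransmissions
        return s.retransmissions / total if total else 0.0
```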
Abstract:
A method and system for providing limited access privileges with an untrusted terminal allows a user to perform privileged operations between the untrusted terminal and a remote terminal in a controlled manner. The user can establish a secure communications channel between the untrusted terminal and a credentials server to receive credentials therefrom. Once the user receives the credentials, the secure communications channel is closed. The user can then use the credentials to perform privileged operations on a remote terminal through the untrusted terminal. The remote terminal knows to grant the user limited privileges based on information included in the credentials. The effects of malicious actions by the untrusted terminal are limited and controlled.
Abstract:
An embodiment consistent with the present invention includes a method and apparatus for distributing multicast data. The method may be performed by a data processor and comprises the steps of forming a multicast repair tree including a sender, a plurality of heads, and a plurality of receivers, wherein at least one head is associated with the sender and at least one receiver is associated with the head; sending, by a sender to the plurality of heads and the plurality of receivers, a plurality of multicast messages at a data rate; receiving, by the sender from one of the plurality of heads, a congestion status associated with a receiver of the head; and slowing the data rate, by the sender, in accordance with the congestion status.
Abstract:
The identity of a user of a computerized system is maintained by operating a virtual machine used only by the user, such that logged actions made by the virtual machine can be associated with the user, wherein the user is not otherwise directly identified by the virtual machine. Information requests made from the virtual machine to a specific resource may be logged to enable tracking and auditing of resource access by the user. The virtual machine is managed by an access device to a data center for the enterprise system, a server, or other device within the data center.
Abstract:
In general, techniques are described for hardware-based detection and automatic restoration of a computing device from a compromised state. Moreover, the techniques provide for automatic, hardware-based restoration of selected software components from a trusted repository. The hardware-based detection and automatic restoration techniques may be integrated within a boot sequence of a computing device so as to efficiently and cleanly replace only the infected software components.
Abstract:
A method performed by a primary server includes receiving integrity criteria and sending a health check request to a secondary server based on the received integrity criteria. The method also includes receiving integrity information from the secondary server and checking the integrity information against the integrity criteria. The method further includes initiating a non-compliance action if the integrity information does not comply with the integrity criteria.