-
Publication number: US11212119B2
Publication date: 2021-12-28
Application number: US16782235
Filing date: 2020-02-05
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari, Eric Voit, Jesse Daniel Backman, Robert Stephen Rodgers, Joseph Eryx Malcolm
Abstract: A methodology for requesting at least one signed security measurement from at least one module with a corresponding cryptoprocessor is provided. The methodology includes receiving the at least one signed security measurement from the at least one module with the corresponding cryptoprocessor; validating the at least one signed security measurement; generating a signed dossier including all validated signed security measurements in a secure enclave, the signed dossier being used by an external network device for remote attestation of the device.
-
42.
Publication number: US11171786B1
Publication date: 2021-11-09
Application number: US16360753
Filing date: 2019-03-21
Applicant: Cisco Technology, Inc.
Inventor: Eric Voit, David C. Lapier, William F. Sulzen, Pagalavan Krishnamoorthy
Abstract: A secure bus for pre-placement of device capabilities across a set of cryptoprocessors may be provided. A first cryptoprocessor may receive a key corresponding to a second cryptoprocessor and it may receive an object in response to the object being instantiated on the second cryptoprocessor. Next, the first cryptoprocessor may use the key to determine that the second cryptoprocessor signed the object. The first cryptoprocessor may then store the object in the first cryptoprocessor in response to determining that the second cryptoprocessor signed the object. Then the first cryptoprocessor may receive a request for the object and provide a response to the request.
-
43.
Publication number: US11165861B2
Publication date: 2021-11-02
Application number: US16783942
Filing date: 2020-02-06
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth, Shwetha Subray Bhandari, Eric Voit, William F. Sulzen, Frank Brockners
Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.
-
Publication number: US20200322353A1
Publication date: 2020-10-08
Application number: US16555869
Filing date: 2019-08-29
Applicant: Cisco Technology, Inc.
Inventor: Shwetha Subray Bhandari, Eric Voit, Frank Brockners, Carlos M. Pignataro, Nagendra Kumar Nainar
IPC: H04L29/06
Abstract: Technologies for proving packet transit through uncompromised nodes are provided. An example method can include receiving a packet including one or more metadata elements generated based on security measurements from a plurality of nodes along a path of the packet; determining a validity of the one or more metadata elements based on a comparison of one or more values in the one or more metadata elements with one or more expected values calculated for the one or more metadata elements, one or more signatures in the one or more metadata elements, and/or timing information associated with the one or more metadata elements; and based on the one or more metadata elements, determining whether the packet traversed any compromised nodes along the path of the packet.
-
Publication number: US20200322334A1
Publication date: 2020-10-08
Application number: US16782903
Filing date: 2020-02-05
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth, Shwetha Subray Bhandari, Eric Voit, William F. Sulzen, Frank Brockners
IPC: H04L29/06
Abstract: Systems, methods, and computer-readable media for authenticating extensible authentication protocol (EAP) messages include receiving, at a first node, EAP messages from a second node. The first node and the second node including network devices and the EAP messages can be based on Diameter protocol or other. The first node can obtain attestation information from one or more EAP messages to determine whether the second node is authentic and trustworthy based on the attestation information. The EAP messages can include a Capabilities Exchange Request (CER) or a Capabilities Exchange Answer (CEA) whose fields or combination of fields can include the attestation information. The EAP messages can also include a Trust Information Request (TIR) or a Trust Information Answer (TIA) which include the authentication information. The attestation information can include Proof of Integrity based on a hardware fingerprint, device identifier, or Canary Stamp.
-
Publication number: US10735308B2
Publication date: 2020-08-04
Application number: US16230751
Filing date: 2018-12-21
Applicant: Cisco Technology, Inc.
Inventor: Eric Voit, Shwetha Subray Bhandari, William F. Sulzen, Sujal Sheth
IPC: H04L12/761, H04L29/06, H04L12/721, H04L12/773, H04L12/751
Abstract: At a networking device, a method includes obtaining, according to a predefined protocol, a first plurality of attestation vectors from a corresponding plurality of candidate next-hop nodes. Each of the plurality of candidate next-hop nodes is included within a respective route between a particular node and a destination node. The method further includes determining a plurality of confidence scores. Each of the plurality of confidence scores is based on a comparison between a corresponding one of the first plurality of attestation vectors and a trusted image vector. The method further includes selecting, from the plurality of confidence scores, a particular confidence score that satisfies one or more selection criteria. The particular confidence score is associated with a particular candidate next-hop node of the plurality of candidate next-hop nodes. The method further includes directing, to the particular candidate next-hop node, a data packet destined for the destination node.
-
Publication number: US10057344B2
Publication date: 2018-08-21
Application number: US15095502
Filing date: 2016-04-11
Applicant: Cisco Technology, Inc.
Inventor: Alexander Clemm, Eric Voit, Alberto Gonzalez Prieto
IPC: H04L29/08
CPC classification number: H04L67/1095, H04L67/06, H04L67/1097, H04L67/26
Abstract: Techniques related to efficient transport of data encoded using multiple templates are disclosed. A sending computing device sends an internet message including internet message segments toward a receiving computing device. The internet message stores information about a data object that includes property types corresponding to property values. A portion of the data object includes multiple instances of a particular property type, and each instance corresponds to a property value. The internet message segments store the property values according to multiple templates, and each internet message segment corresponds to a template. Among the multiple templates is a particular template for the portion of the data object that includes the multiple instances of the particular property type. The multiple templates include fields that correspond to field identifiers. Based on a property-type-to-field-identifier mapping, a corresponding property type can be determined for each property value that is stored in the internet message segments.
-
48.
Publication number: US20240195868A1
Publication date: 2024-06-13
Application number: US18418156
Filing date: 2024-01-19
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth, Shwetha Subray Bhandari, Eric Voit, William F. Sulzen, Frank Brockners
IPC: H04L67/104, H04L9/32, H04L9/40, H04L61/4511, H04L67/1001, H04W24/10
CPC classification number: H04L67/104, H04L9/3247, H04L61/4511, H04L63/0823, H04L67/1001, H04W24/10
Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.
-
Publication number: US20230185939A1
Publication date: 2023-06-15
Application number: US17546991
Filing date: 2021-12-09
Applicant: Cisco Technology, Inc.
Inventor: Nancy Patricia Cam-Winget, Eric Voit
CPC classification number: G06F21/6218, G06F21/57, G06F21/123, G06F16/144
Abstract: Techniques for maintaining geographic-based data privacy rules in networked environments. An example method includes receiving a request from a user device; generating, based on the request, a query for data associated with fulfilling the request; transmitting, to a data controller, the query; transmitting, to the data controller, an indication of a geographic region in which at least one device implementing the entity is located; and receiving, from the data controller, a portion of the data associated with fulfilling the request.
-
Publication number: US20230185918A1
Publication date: 2023-06-15
Application number: US17547084
Filing date: 2021-12-09
Applicant: Cisco Technology, Inc.
Inventor: Eric Voit, Einar Nilsen-Nygaard, Frank Brockners, Pradeep Kumar Kathail
IPC: G06F21/57
CPC classification number: G06F21/57, G06F2221/033
Abstract: This disclosure describes techniques for selectively placing and maintaining sensitive workloads in subsystems that achieve a minimum level of trustworthiness. An example method includes identifying at least one trustworthiness requirement associated with an application and transmitting, to a first subsystem, a request for at least one trustworthiness characteristic of the first subsystem and at least one second subsystem connected to the first subsystem. A response indicating the at least one trustworthiness characteristic is received from the first subsystem. The example method further includes determining that the at least one trustworthiness characteristic satisfies the at least one trustworthiness requirement; and causing the application to operate on a mesh comprising the first subsystem and the at least one second subsystem.
-