-
Publication No.: US11665148B2
Publication date: 2023-05-30
Application No.: US17208350
Filing date: 2021-03-22
Applicant: Cisco Technology Inc.
Inventor: Sujal Sheth , Eric Voit
CPC classification number: H04L63/08 , G06F21/602
Abstract: The present disclosure is directed to systems and methods to address cryptoprocessor hardware scaling limitations, the method including the steps of establishing a communication path between a centralized server and a client device; generating, by the centralized server, a nonce for transmission to the client device, wherein the nonce is associated with an active time interval and corresponds to one of an existing nonce or a new nonce; transmitting the nonce to the client device; and receiving from the client device a signed attestation result that includes the nonce, wherein the signed attestation result comprises a previously generated signed attestation result if the nonce is an existing nonce the client device has already received, and comprises a newly generated signed attestation result if the nonce is an existing nonce the client device is receiving for the first time or is a new nonce.
-
Publication No.: US20230126851A1
Publication date: 2023-04-27
Application No.: US17511415
Filing date: 2021-10-26
Applicant: Cisco Technology, Inc.
Inventor: Priyanka Bansal , Eric Voit
IPC: H04L29/06
Abstract: In one embodiment, methods for monitoring network traffic are described. The method may include receiving network traffic that is flowing through the network. The method further includes generating one or more packets that include metadata representing a monitored characteristic of the network traffic. Additionally, the method may include generating, at least partly by a secure hardware chip of the network device and using a private key, a signature indicating the metadata was generated at the network device and a time at which the metadata was generated at the network device. The method may further include populating the one or more packets with the signature. Additionally, the method may include sending the one or more packets to a collection system associated with a network monitoring system.
-
Publication No.: US20230054738A1
Publication date: 2023-02-23
Application No.: US17406321
Filing date: 2021-08-19
Applicant: Cisco Technology, Inc.
Inventor: Swadesh Agrawal , Dhananjaya Kasargod Rao , Jakob Heitz , Eric Voit
IPC: H04L29/06 , H04L12/741 , H04L12/751 , H04L9/32
Abstract: Disclosed are systems, apparatuses, methods, and computer-readable media for secure network routing. A method includes: receiving, at a network node, an advertisement message for a network route including an IP address prefix; receiving, at the network node, a route origin authorization associated with the IP address prefix, the route origin authorization including a digital signature and a security requirement of a route to a destination that corresponds to the IP address prefix; determining, by the network node, whether one or more network nodes satisfy the security requirement to yield a determination; and determining, by the network node, whether to route network traffic to the IP address prefix based on the determination. In one example, the method can include, when the one or more network nodes satisfy the security requirement, advertising the route to the one or more network nodes that satisfy the security requirement.
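The following is an added example, not code from Cisco or from the patent, that models the route decision described in the abstract above. It assumes (the abstract says none of this) that the route origin authorization carries a prefix, a maximum prefix length, an origin AS, a named security requirement and an HMAC standing in for the RPKI signature, and that each candidate next-hop node advertises the set of security capabilities it has proven. The route is routed only if at least one next hop satisfies the requirement, and it is re-advertised only to the nodes that do.

```python
"""Route selection driven by a security requirement inside a ROA (illustrative model)."""
import hashlib
import hmac
import ipaddress
import json

ROA_FIELDS = ("prefix", "max_len", "origin_as", "security_requirement")


def canonical(roa: dict) -> bytes:
    """Deterministic encoding of the signed ROA fields."""
    return json.dumps({k: roa[k] for k in ROA_FIELDS}, sort_keys=True).encode()


def sign_roa(key: bytes, roa: dict) -> dict:
    """Stand-in for the RPKI signature: an HMAC under a trust-anchor key (assumed)."""
    return {**roa, "sig": hmac.new(key, canonical(roa), hashlib.sha256).hexdigest()}


def roa_signature_ok(key: bytes, roa: dict) -> bool:
    expected = hmac.new(key, canonical(roa), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, roa.get("sig", ""))


def roa_covers(roa: dict, advertisement: dict) -> bool:
    """Classic ROA validation: prefix within the ROA, length <= max_len, origin AS matches."""
    roa_net = ipaddress.ip_network(roa["prefix"])
    adv_net = ipaddress.ip_network(advertisement["prefix"])
    return (adv_net.version == roa_net.version
            and adv_net.subnet_of(roa_net)
            and adv_net.prefixlen <= roa["max_len"]
            and advertisement["origin_as"] == roa["origin_as"])


def decide_route(key: bytes, roa: dict, advertisement: dict,
                 nodes: dict[str, set[str]]) -> dict:
    """Return whether to route to the prefix and which nodes may receive the route.

    nodes maps a neighbor name to the security capabilities it has proven."""
    if not roa_signature_ok(key, roa) or not roa_covers(roa, advertisement):
        return {"route": False, "advertise_to": [], "reason": "ROA invalid or not covering"}
    requirement = roa["security_requirement"]
    satisfying = sorted(name for name, caps in nodes.items() if requirement in caps)
    if not satisfying:
        return {"route": False, "advertise_to": [], "reason": f"no node satisfies {requirement}"}
    return {"route": True, "advertise_to": satisfying, "reason": "ok"}


def demo(requirement: str) -> dict:
    """Constructed scenario: three neighbors with different proven capabilities."""
    key = b"trust-anchor-demo-key"                       # constructed key
    roa = sign_roa(key, {"prefix": "203.0.113.0/24", "max_len": 26,
                         "origin_as": 64500, "security_requirement": requirement})
    advertisement = {"prefix": "203.0.113.0/25", "origin_as": 64500}
    nodes = {"R2": {"attested_tpm", "macsec"}, "R3": {"macsec"}, "R4": set()}
    return decide_route(key, roa, advertisement, nodes)


if __name__ == "__main__":
    print(demo("attested_tpm"))   # routes via R2 only
    print(demo("secure_boot"))    # nobody qualifies: route withheld
```

The check order matters: a requirement is only consulted after the ROA's signature and prefix coverage have been validated, so a forged or over-broad ROA cannot be used to steer traffic toward a chosen "secure" neighbor.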
-
Publication No.: US11558198B2
Publication date: 2023-01-17
Application No.: US16841997
Filing date: 2020-04-07
Applicant: Cisco Technology, Inc.
Inventor: Eric Voit , Srinivas Vundru , Peter Panburana , David Wayne Mills , Pradeep Kumar Kathail
Abstract: The present technology discloses methods and systems for receiving a security profile request from an integrity verifier, the request including a nonce; requesting, from a trusted platform module, a new nonce, wherein the new nonce is generated at least in part by the nonce and a current timestamp from a clock in the trusted platform module; receiving, from the trusted platform module, the new nonce; requesting, from a cryptoprocessor, a set of platform configuration registers; receiving, from the cryptoprocessor, the set of platform configuration registers; and sending a response to the integrity verifier, the response including the new nonce and the set of platform configuration registers to verify a security status of the trusted platform module and the cryptoprocessor.
-
Publication No.: US20220303256A1
Publication date: 2022-09-22
Application No.: US17208350
Filing date: 2021-03-22
Applicant: Cisco Technology Inc.
Inventor: Sujal Sheth , Eric Voit
Abstract: The present disclosure is directed to systems and methods to address cryptoprocessor hardware scaling limitations, the method including the steps of establishing a communication path between a centralized server and a client device; generating, by the centralized server, a nonce for transmission to the client device, wherein the nonce is associated with an active time interval and corresponds to one of an existing nonce or a new nonce; transmitting the nonce to the client device; and receiving from the client device a signed attestation result that includes the nonce, wherein the signed attestation result comprises a previously generated signed attestation result if the nonce is an existing nonce the client device has already received, and comprises a newly generated signed attestation result if the nonce is an existing nonce the client device is receiving for the first time or is a new nonce.
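The following is an added example, not code from Cisco or from either publication, that models the nonce reuse scheme described in the two US17208350 abstracts above (US11665148B2 and US20220303256A1). The scheme is what lets one TPM quote serve many verifier requests: the server keeps a nonce active for an interval and the client signs only when it sees a nonce for the first time. Assumptions not in the abstracts: the cryptoprocessor signature is stood in for by an HMAC under a key only the client holds (a real deployment uses the TPM attestation key), and the active interval is 300 seconds.

```python
"""Nonce-per-interval attestation with client-side result caching (illustrative model)."""
import hashlib
import hmac
import os

INTERVAL = 300.0  # seconds a nonce stays active (assumed value)


def _sign(key: bytes, nonce: bytes, evidence: bytes) -> bytes:
    """Stand-in for the cryptoprocessor signing the attestation result."""
    return hmac.new(key, nonce + evidence, hashlib.sha256).digest()


class AttestationServer:
    """Centralized server that hands out nonces and verifies signed results."""

    def __init__(self, client_key: bytes, interval: float = INTERVAL):
        self._client_key = client_key     # stand-in for the client's public key
        self._interval = interval
        self._nonce = None
        self._issued_at = 0.0

    def current_nonce(self, now: float) -> tuple[bytes, bool]:
        """Return (nonce, is_new): reuse the existing nonce while its interval is active."""
        if self._nonce is None or now - self._issued_at >= self._interval:
            self._nonce = os.urandom(16)
            self._issued_at = now
            return self._nonce, True
        return self._nonce, False

    def verify(self, result: dict) -> bool:
        """Accept only results bound to the currently active nonce."""
        if result["nonce"] != self._nonce:
            return False                  # stale result from a rotated nonce
        expected = _sign(self._client_key, result["nonce"], result["evidence"])
        return hmac.compare_digest(expected, result["signature"])


class AttestingClient:
    """Client that pays for a signing operation only when the nonce is unseen."""

    def __init__(self, key: bytes, evidence: bytes):
        self._key = key
        self._evidence = evidence
        self._cache: dict[bytes, dict] = {}
        self.sign_ops = 0                 # counts expensive cryptoprocessor operations

    def attest(self, nonce: bytes) -> dict:
        cached = self._cache.get(nonce)
        if cached is not None:
            return cached                 # existing nonce already received: reuse result
        result = {"nonce": nonce, "evidence": self._evidence,
                  "signature": _sign(self._key, nonce, self._evidence)}
        self.sign_ops += 1
        self._cache = {nonce: result}     # keep only the active nonce's result
        return result


def run_scenario(request_times: list[float], interval: float = INTERVAL) -> dict:
    """Replay verifier requests at the given timestamps and return the counters."""
    key = b"client-attestation-demo-key"                  # constructed key
    server = AttestationServer(key, interval)
    client = AttestingClient(key, evidence=b"pcr0=aa11;pcr7=bb22")  # constructed evidence
    accepted = 0
    nonces_issued = 0
    for t in request_times:
        nonce, is_new = server.current_nonce(t)
        nonces_issued += is_new
        if server.verify(client.attest(nonce)):
            accepted += 1
    return {"requests": len(request_times), "accepted": accepted,
            "nonces_issued": nonces_issued, "sign_ops": client.sign_ops}


if __name__ == "__main__":
    print(run_scenario([0, 10, 20, 310, 320]))  # 5 accepted, 2 nonces, 2 sign ops
```

The trade-off the interval buys is explicit in the counters: five requests cost two signing operations, but a result reused inside the interval is no fresher than the nonce that produced it, so the interval length bounds how stale an accepted result can be.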
-
Publication No.: US11411994B2
Publication date: 2022-08-09
Application No.: US16839576
Filing date: 2020-04-03
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.
-
Publication No.: US20220222347A1
Publication date: 2022-07-14
Application No.: US17712499
Filing date: 2022-04-04
Applicant: Cisco Technology, Inc.
Inventor: Sujal Sheth , Shwetha Subray Bhandari , Eric Voit , William F. Sulzen , Frank Brockners
Abstract: Technologies for attestation techniques, systems, and methods to confirm the integrity of a device for establishing and/or maintaining a trustworthy encrypted network session. An example method can include sending, via a server and using a cryptographic security protocol, a message associated with establishing an encrypted network session; receiving a response from a client device; identifying a level of trust of the client device based on the response; determining whether to perform a next step in the cryptographic security protocol based on the level of trust, wherein the cryptographic security protocol comprises at least one of a Secure Shell (SSH) protocol, a Transport Layer Security (TLS) protocol, a Secure Sockets Layer (SSL) protocol, and an Internet Protocol Security (IPsec) protocol.
-
Publication No.: US11283812B2
Publication date: 2022-03-22
Application No.: US16715271
Filing date: 2019-12-16
Applicant: Cisco Technology, Inc.
Inventor: Pradeep Kumar Kathail , Eric Voit
IPC: H04L29/06 , H04L12/24 , H04L41/0803
Abstract: Systems, methods, and computer-readable media for evaluation of trustworthiness of network devices are proposed. In one aspect, a first network device can determine a first probability of a security compromise of a second network device based on visible indicators. The first network device can also determine a second probability of the security compromise of the second device based on invisible indicators. The first network device also determines a trust degradation score for the second network device and establishes, based on the trust degradation score, a specified type of communication session with the second network device.
-
Publication No.: US20210314161A1
Publication date: 2021-10-07
Application No.: US16841997
Filing date: 2020-04-07
Applicant: Cisco Technology, Inc.
Inventor: Eric Voit , Srinivas Vundru , Peter Panburana , David Wayne Mills , Pradeep Kumar Kathail
Abstract: The present technology discloses methods and systems for receiving a security profile request from an integrity verifier, the request including a nonce; requesting, from a trusted platform module, a new nonce, wherein the new nonce is generated at least in part by the nonce and a current timestamp from a clock in the trusted platform module; receiving, from the trusted platform module, the new nonce; requesting, from a cryptoprocessor, a set of platform configuration registers; receiving, from the cryptoprocessor, the set of platform configuration registers; and sending a response to the integrity verifier, the response including the new nonce and the set of platform configuration registers to verify a security status of the trusted platform module and the cryptoprocessor.
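The following is an added example, not code from Cisco or from either publication, that models the exchange described in the two US16841997 abstracts above (US11558198B2 and US20210314161A1): the verifier's nonce is folded together with a TPM clock reading into a new nonce, the cryptoprocessor quotes its PCRs under that new nonce, and the verifier checks all three pieces. Assumptions not in the abstracts: the new nonce is SHA-256(verifier_nonce || tpm_clock_ms) (the abstracts only say it is derived at least in part from the nonce and a TPM timestamp), the TPM clock is a monotonic millisecond counter returned with the response, and the quote signature is an HMAC standing in for the TPM attestation key.

```python
"""Verifier nonce bound to a TPM clock reading, then a PCR quote (illustrative model)."""
import hashlib
import hmac


def derive_nonce(verifier_nonce: bytes, tpm_clock_ms: int) -> bytes:
    """Assumed derivation: the new nonce commits to both the challenge and the TPM clock."""
    return hashlib.sha256(verifier_nonce + tpm_clock_ms.to_bytes(8, "big")).digest()


def _pcr_blob(pcrs: dict[int, bytes]) -> bytes:
    """Canonical byte encoding of the PCR set, in index order."""
    return b"".join(i.to_bytes(1, "big") + v for i, v in sorted(pcrs.items()))


class TrustedPlatformModule:
    """Toy TPM: monotonic clock, a fixed PCR set and a quote over (new_nonce, PCRs)."""

    def __init__(self, key: bytes, pcrs: dict[int, bytes], clock_ms: int = 0):
        self._key = key                    # stand-in for the attestation key
        self._pcrs = dict(pcrs)
        self.clock_ms = clock_ms

    def tick(self, ms: int) -> None:
        self.clock_ms += ms

    def new_nonce(self, verifier_nonce: bytes) -> tuple[bytes, int]:
        ts = self.clock_ms
        return derive_nonce(verifier_nonce, ts), ts

    def quote(self, new_nonce: bytes) -> dict:
        sig = hmac.new(self._key, new_nonce + _pcr_blob(self._pcrs), hashlib.sha256).digest()
        return {"pcrs": dict(self._pcrs), "sig": sig}


def attester_respond(tpm: TrustedPlatformModule, verifier_nonce: bytes) -> dict:
    """Attester: ask the TPM for the new nonce, then for the PCR quote, and bundle both."""
    new_nonce, ts = tpm.new_nonce(verifier_nonce)
    q = tpm.quote(new_nonce)
    return {"new_nonce": new_nonce, "tpm_clock_ms": ts, "pcrs": q["pcrs"], "sig": q["sig"]}


def verifier_check(response: dict, verifier_nonce: bytes, key: bytes,
                   expected_pcrs: dict[int, bytes], last_clock_ms: int) -> bool:
    """Verifier: clock moved forward, nonce derives from our challenge, quote and PCRs good."""
    ts = response["tpm_clock_ms"]
    if ts <= last_clock_ms:
        return False                       # rollback or replay of an earlier reading
    if response["new_nonce"] != derive_nonce(verifier_nonce, ts):
        return False                       # not bound to the nonce we sent
    expected_sig = hmac.new(key, response["new_nonce"] + _pcr_blob(response["pcrs"]),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, response["sig"]):
        return False                       # quote not produced by this TPM
    return response["pcrs"] == expected_pcrs


def demo() -> bool:
    """Constructed run: one challenge, one response, checked against known-good PCRs."""
    key = b"tpm-attestation-demo-key"                      # constructed key
    pcrs = {0: b"\x11" * 32, 7: b"\x22" * 32}               # constructed PCR values
    tpm = TrustedPlatformModule(key, pcrs, clock_ms=1_000)
    challenge = b"\xa5" * 16                                 # constructed verifier nonce
    tpm.tick(250)
    response = attester_respond(tpm, challenge)
    return verifier_check(response, challenge, key, pcrs, last_clock_ms=1_000)


if __name__ == "__main__":
    print(demo())
```

Recomputing the derivation on the verifier side is what makes the timestamp useful: the verifier learns the TPM clock value only from the response, so it must check that the returned new nonce is exactly what that clock value and its own challenge would produce, and that the clock value is later than the last one it accepted from this device.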
-
Publication No.: US20210306256A1
Publication date: 2021-09-30
Application No.: US16833197
Filing date: 2020-03-27
Applicant: Cisco Technology, Inc.
Inventor: David Delano Ward , Jakob Heitz , William Michael Hudson, JR. , Eric Voit
IPC: H04L12/725 , H04L12/715 , H04L9/32 , H04L9/06 , H04L29/12
Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.
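The following is an added example, not code from Cisco or from the publication, that models the verifier side of the peer check described in the abstract above: validate the response, then evaluate the application integrity data (including dependencies) and the kernel secure boot metrics against Known Good Values. Assumptions not in the abstract: the response is authenticated with an HMAC under a peer-specific key (a real peer would sign it), integrity data is a map of component name to SHA-256 hex digest, kernel secure boot metrics are a map of metric name to value, and each KGV entry is the set of acceptable digests for a component.

```python
"""Verifier-side evaluation of peer integrity data against Known Good Values (illustrative)."""
import hashlib
import hmac
import json


def canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_response(key: bytes, payload: dict) -> dict:
    """Peer side: attach a MAC over the canonical payload (stand-in for a signature)."""
    return {"payload": payload, "mac": hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()}


def response_is_valid(key: bytes, response: dict, request_nonce: str) -> bool:
    """Step 1: the response must be authentic and bound to this request's nonce."""
    expected = hmac.new(key, canonical(response["payload"]), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, response["mac"])
            and response["payload"].get("nonce") == request_nonce)


def evaluate_against_kgv(payload: dict, kgv: dict) -> list[str]:
    """Step 2: compare integrity data and secure boot metrics with KGVs.

    Every component with a KGV entry must be measured (the application and each
    dependency), and every secure boot metric must be at its known-good value.
    Returns a list of findings; an empty list means the evidence is valid."""
    findings = []
    integrity = payload.get("integrity", {})
    for component, good_digests in kgv["integrity"].items():
        digest = integrity.get(component)
        if digest is None:
            findings.append(f"missing measurement for {component}")
        elif digest not in good_digests:
            findings.append(f"unknown digest for {component}")
    secure_boot = payload.get("secure_boot", {})
    for metric, good_value in kgv["secure_boot"].items():
        if secure_boot.get(metric) != good_value:
            findings.append(f"secure boot metric {metric} not at known-good value")
    return findings


def peer_is_trustworthy(key: bytes, response: dict, request_nonce: str, kgv: dict) -> bool:
    return response_is_valid(key, response, request_nonce) and not evaluate_against_kgv(
        response["payload"], kgv)


# Constructed KGV set: one app, two dependencies, two kernel secure boot metrics.
KGV = {
    "integrity": {
        "app": {"4d3a" * 16},
        "libssl": {"7e21" * 16, "7e22" * 16},   # two approved builds
        "libz": {"90af" * 16},
    },
    "secure_boot": {"secure_boot_enabled": True, "kernel_hash": "c0de" * 16},
}
PEER_KEY = b"peer-demo-key"                       # constructed key


def demo(healthy: bool) -> tuple[bool, list[str]]:
    """Constructed peer responses: a healthy one and one with a swapped dependency."""
    payload = {
        "nonce": "req-001",
        "integrity": {"app": "4d3a" * 16, "libssl": "7e22" * 16,
                      "libz": "90af" * 16 if healthy else "dead" * 16},
        "secure_boot": {"secure_boot_enabled": True, "kernel_hash": "c0de" * 16},
    }
    response = sign_response(PEER_KEY, payload)
    return peer_is_trustworthy(PEER_KEY, response, "req-001", KGV), evaluate_against_kgv(payload, KGV)


if __name__ == "__main__":
    print(demo(True))    # (True, [])
    print(demo(False))   # (False, ['unknown digest for libz'])
```

Iterating over the KGV table rather than over what the peer reported is deliberate: a peer that simply omits a dependency from its integrity data is flagged as missing a measurement instead of passing by default.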