Method and nodes for providing secure access to cloud computing for mobile users
    51.
    Granted invention patent
    Method and nodes for providing secure access to cloud computing for mobile users (in force)

    Publication number: US08452957B2

    Publication date: 2013-05-28

    Application number: US12768034

    Filing date: 2010-04-27

    IPC classification: G06F21/00

    Abstract: A mobile node, a gateway node and methods are provided for securely storing content in a remote node. The mobile node, or a gateway node of a network providing access to the mobile node, applies a content key to the content prior to sending the content for storage in the remote node. The content key is generated at the mobile node, based on a random value obtained from an authentication server, or directly at the authentication server if applied by the gateway node. For security purposes, the content key is not preserved in the mobile node or in the gateway node. When the mobile node or the gateway node fetches the content again from the remote node, the same content key is generated again for decrypting the content. The remote node does not have access to the content key and therefore cannot read or modify the content.


Security in a mobile communications system
    52.
    Granted invention patent
    Security in a mobile communications system (in force)

    Publication number: US07933591B2

    Publication date: 2011-04-26

    Application number: US11570186

    Filing date: 2005-05-17

    IPC classification: H04W88/02

    Abstract: When a mobile terminal (10), having a basic identity module (12) operative according to a first security standard, initiates a service access, the home network (30) determines whether the mobile terminal has an executable program (14) configured to interact with the basic identity module for emulating an identity module according to a second security standard. If it is concluded that the mobile terminal has such an executable program, a security algorithm is executed at the home network (30) to provide security data according to the second security standard. At least part of these security data are then transferred, transparently to a visited network (20), to the mobile terminal (10). On the mobile terminal side, the executable program (14) is executed for emulating an identity module according to the second security standard, using at least part of the transferred security data as input. Preferably, the first security standard corresponds to a 2G standard, basically the GSM standard, and the second security standard at least in part corresponds to a 3G standard such as the UMTS standard and/or the IP Multimedia Sub-system (IMS) standard.


Application Specific Master Key Selection in Evolved Networks
    53.
    Invention patent application
    Application Specific Master Key Selection in Evolved Networks (in force)

    Publication number: US20110004758A1

    Publication date: 2011-01-06

    Application number: US12867687

    Filing date: 2008-02-15

    IPC classification: H04L9/32

    Abstract: An authentication method comprises providing a set of N master keys, N being plural, both to a user terminal (13) and to a home network entity (11) and, when performing an authentication and key agreement (AKA) transaction for an application, selecting one of the N master keys to serve as the master key for use both at the user terminal and at the home network entity for deriving further keys for the application. For example, when performing an AKA transaction for a first application, the method involves randomly selecting one of the N master keys to serve as a first master key for use both at the user terminal and at the home network entity for deriving further keys for the first application; but when performing an AKA transaction for another application, the method involves randomly selecting another one of the N master keys to serve as the master key for use both at the user terminal and at the home network entity for deriving further keys for that other application.


METHOD FOR ESTABLISHING A RANDOM NUMBER FOR SECURITY AND ENCRYPTION, AND A COMMUNICATIONS APPARATUS
    54.
    Invention patent application
    METHOD FOR ESTABLISHING A RANDOM NUMBER FOR SECURITY AND ENCRYPTION, AND A COMMUNICATIONS APPARATUS (pending, published)

    Publication number: US20100195829A1

    Publication date: 2010-08-05

    Application number: US12598014

    Filing date: 2008-04-26

    IPC classification: H04L9/06 G06F7/58

    Abstract: A communications apparatus includes a mobile device. The apparatus includes a receiver for receiving at the mobile device a plurality of signals carrying information, including received signals which provide randomly varying data related to the location of the mobile device. The apparatus includes a random number generator which generates a random number as a function of the data. The apparatus includes a cryptographic key generator which generates a cryptographic key using the random number. A method to establish at a mobile device a random number for cryptographic operations includes the step of receiving at the mobile device a plurality of signals carrying information, including received signals which provide randomly varying data related to the location of the mobile device. There is the step of estimating signal entropy for at least one of the received signals in dependence on the location where the signals are received by the mobile device. There is the step of selecting the at least one entropy-estimated signal whose estimated entropy satisfies a predetermined property. There is the step of generating the random number from the at least one entropy-estimated signal.


DETECTION OF PARTICULAR TRAFFIC IN COMMUNICATION NETWORKS
    55.
    Invention patent application
    DETECTION OF PARTICULAR TRAFFIC IN COMMUNICATION NETWORKS (pending, published)

    Publication number: US20100150006A1

    Publication date: 2010-06-17

    Application number: US12337254

    Filing date: 2008-12-17

    IPC classification: G06F11/30

    Abstract: A method for detecting particular data traffic in a communication network having a plurality of nodes comprises: maintaining a list of detecting scans to be applied to incoming data traffic; receiving the incoming data traffic; and applying a subset of the detecting scans in the list to the incoming data traffic. A network node for detecting particular traffic in a communication network having a plurality of nodes comprises: a list of detecting scans to be applied to incoming data traffic; an input for receiving the incoming data traffic; and an inspection chain, which applies a subset of the detecting scans in the list to the incoming data traffic.


Managing User Access in a Communications Network
    56.
    Invention patent application
    Managing User Access in a Communications Network (in force)

    Publication number: US20090313466A1

    Publication date: 2009-12-17

    Application number: US12520476

    Filing date: 2006-12-19

    IPC classification: H04L29/06

    Abstract: A method of operating a node for performing handover between access networks, wherein a user has authenticated for network access in a first access network. The method comprises receiving from a home network a first session key and a temporary identifier allocated to the user for the duration of a communication session. The identifier is mapped to the first session key, and the mapped identifier and key are stored at the node. A second session key is derived from the first session key; the second session key is sent to an access network, and the identifier is sent to a user terminal. When the user subsequently moves to a second access network, the node receives the identifier from the user terminal. The node then retrieves the first session key mapped to the received identifier, derives a third session key and sends the third session key to the second access network.


Method and Apparatus for Authentication Service Application Processes During Service Reallocation in High Availability Clusters
    57.
    Invention patent application
    Method and Apparatus for Authentication Service Application Processes During Service Reallocation in High Availability Clusters (in force)

    Publication number: US20090190758A1

    Publication date: 2009-07-30

    Application number: US12020185

    Filing date: 2008-01-25

    IPC classification: H04L9/00

    Abstract: A method and communication node for providing secure communications and services in a High Availability (HA) cluster. The communication node comprises an Operating System (OS) that detects an unavailability of a first service application process and switches a second service application process from a first state to a second state, the second service application process being selected to take over the service currently provided by the first service application process; the first state and the second state are each associated with a set of rights in the cluster. The OS generates a private key for the second service application process based on its second state. The set of rights associated with the second state allows the OS to replace the first service application process with the second service application process, providing secure communications between the second service application process and other service application processes in the HA cluster.


Cryptography using finite fields of odd characteristic on binary hardware
    58.
    Invention patent application
    Cryptography using finite fields of odd characteristic on binary hardware (in force)

    Publication number: US20060072743A1

    Publication date: 2006-04-06

    Application number: US10271947

    Filing date: 2002-10-17

    IPC classification: H04L9/28

    Abstract: A cryptographic method is described. The method comprises storing in a register binary data representing at least a portion of a field element of an odd-characteristic finite field GF(p^k), p being an odd prime number, the field element comprising k coefficients in accordance with a polynomial-basis representation, the binary data comprising plural groups of data bits, wherein each group of data bits represents an associated one of the k coefficients; and processing the binary data in accordance with a cryptographic algorithm such that the plural groups of data bits are processed in parallel. An apparatus comprising a memory and a processing unit coupled to the memory to carry out the method is also described.


Method and apparatus for forwarding data packets using aggregating router keys
    59.
    Granted invention patent
    Method and apparatus for forwarding data packets using aggregating router keys (in force)

    Publication number: US08665874B2

    Publication date: 2014-03-04

    Application number: US13128012

    Filing date: 2008-11-07

    IPC classification: H04L12/28 H04L12/56

    CPC classification: H04L45/00 H04L63/0227

    Abstract: Method and apparatus for supporting the forwarding of received data packets in a router (402,702) of a packet-switched network. A forwarding table (706a) is configured in the router based on aggregating router keys and associated aggregation-related instructions received from a key manager (400,700). Each aggregating router key represents a set of destinations. When a data packet (P) comprising an ingress tag derived from a sender key or router key is received, the ingress tag is matched against entries in the forwarding table. An outgoing port is selected for the packet according to the matching table entry found, which further comprises an associated aggregation-related instruction. An egress tag is then created according to the aggregation-related instruction, and the packet, with the created egress tag attached, is sent from the selected outgoing port to a next-hop router.


Method and apparatus for controlling the routing of data packets
    60.
    Granted invention patent
    Method and apparatus for controlling the routing of data packets (in force)

    Publication number: US08649378B2

    Publication date: 2014-02-11

    Application number: US12993674

    Filing date: 2008-05-22

    IPC classification: H04L12/28 H04L12/56

    Abstract: Method and apparatus for controlling the routing of data packets in an IP network (200). A DNS system (202) stores a packet admission policy configured for a first end-host (B) that dictates the conditions under which other end-hosts are allowed to convey data packets to the first end-host. A routing voucher is defined which is required for routing data packets to the first end-host. The routing voucher is distributed to routers (R) in the IP network. When an address query from a second end-host is received at the DNS system (202), the voucher is supplied to the second end-host if the configured policy allows the second end-host to convey data packets; otherwise, the voucher is not supplied. If allowed, the second end-host adds the routing voucher to any data packets directed to the first end-host. When a valid routing voucher is present in a packet at a router (204) in the network, the packet is forwarded to the next router in the IP network. Otherwise, the router discards the packet.
