Many to few group address translation through a network bridge
    51.
    Granted patent; status: Expired

    Publication No.: US5428615A

    Publication date: 1995-06-27

    Application No.: US278686

    Filing date: 1994-07-21

    IPC classification: H04L12/18 H04L12/46

    Abstract: A connection apparatus for connecting a first communication system with a second communication system and a third communication system. A first frame is received from the first communication system, where the first frame has a multicast address as a destination address, and where the destination address requires the first frame to be transmitted onto the second communication system. The multicast address is translated into a functional address, and the functional address is written into a second frame transmitted onto the second communication system. The second frame is received and is transmitted onto a third communication system, and the functional address is translated into a multicast address for the third communication system, and the multicast address is written into a destination field of the frame as it is transmitted onto the third communication system. The second communication system may be a token ring system based upon an IEEE 802.5 standard, and the functional address may be written into a DSAP field and into a PROTOCOL TYPE field of an 802.5 Standard frame.

    Secure method of neighbor discovery over a multiaccess medium
    52.
    Granted patent; status: Expired

    Publication No.: US5351295A

    Publication date: 1994-09-27

    Application No.: US86596

    Filing date: 1993-07-01

    IPC classification: H04L9/32 H04L9/00

    CPC classification: H04L9/3226 H04L9/3297

    Abstract: A secure arrangement in which stations in a communications network are informed of the addresses of their neighbors by means of identifying messages transmitted by the stations. To prevent the insertion of illegitimate stations into the network, the system makes use of passwords included in the station-identifying messages. In networks where eavesdropping is possible, the passwords are encrypted versions of the identities of the stations transmitting the messages, and in systems where stations can also be impersonated, the encrypted passwords also include time stamps.

    Parameterizable cryptography
    53.
    Granted patent; status: In force

    Publication No.: US08488782B2

    Publication date: 2013-07-16

    Application No.: US12582276

    Filing date: 2009-10-20

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L9/20 H04L9/34

    CPC classification: G06F21/602

    Abstract: Some embodiments provide systems and techniques for performing parameterizable cryptography. An encryption key can be determined based at least on a string associated with an authorization policy. The encryption key can then be used to encrypt information. The decryption key can also be determined based at least on the string associated with the authorization policy. Note that the authorization policy must be satisfied to decrypt information. In some embodiments, the systems and techniques for performing parameterizable cryptography are blindable. These blindable embodiments can be used to preserve privacy.

    Method and apparatus for maintaining ephemeral keys in limited space
    54.
    Granted patent; status: In force

    Publication No.: US07660423B2

    Publication date: 2010-02-09

    Application No.: US11325203

    Filing date: 2006-01-03

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L9/08

    Abstract: One embodiment of the present invention provides a system that maintains keys using limited storage space on a computing device, such as a smart card. During operation, the system receives a request at the computing device to perform an operation involving a key. While processing the request, the system obtains an encrypted key from remote storage located outside of the computing device, wherein the encrypted key was created by encrypting the key along with an expiration time for the key. Next, the system decrypts the encrypted key to restore the key and the expiration time, wherein the encrypted key is decrypted using a computing-device key, which is maintained locally on the computing device. Finally, if the expiration time has not passed, the system uses the key to perform the requested operation. Note that by storing the encrypted key in remote storage, the computing device is able to use the key without consuming local storage space to store the key.

    KEY MANAGEMENT USING DERIVED KEYS
    55.
    Patent application; status: Pending, published

    Publication No.: US20090296926A1

    Publication date: 2009-12-03

    Application No.: US12131525

    Filing date: 2008-06-02

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L9/28

    CPC classification: H04L9/0866 H04L9/083

    Abstract: Some embodiments of the present invention provide a system that generates and retrieves a key derived from a master key. During operation, the system receives a request at a key manager to generate a new key, or to retrieve an existing key. To generate a new key, the system generates a key identifier and then derives the new key by cryptographically combining the generated key identifier with the master key. To retrieve an existing key, the system obtains a key identifier for the existing key from the request and then cryptographically combines the obtained key identifier with the master key to produce the existing key.

    System using routing bridges to transparently interconnect multiple network links to form a single virtual network link
    56.
    Granted patent; status: In force

    Publication No.: US07398322B1

    Publication date: 2008-07-08

    Application No.: US10824974

    Filing date: 2004-04-14

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: G06F15/173

    Abstract: One embodiment of the present invention provides a system that transparently interconnects multiple network links into a single virtual network link. During operation, a routing bridge (Rbridge) within the system receives a packet, wherein the Rbridge belongs to a set of one or more Rbridges that transparently interconnect the multiple network links into the single virtual network link. These Rbridges automatically obtain information specifying which endnodes are located on the multiple network links without the endnodes having to proactively announce their presence to the Rbridges. If a destination for the packet resides on the same virtual network link, the Rbridge routes the packet to the destination. This route can be an optimal path to the destination, and is not constrained to lie along a spanning tree through the set of Rbridges.

    Method and apparatus for providing a key distribution center without storing long-term server secrets
    57.
    Granted patent; status: In force

    Publication No.: US07395549B1

    Publication date: 2008-07-01

    Application No.: US09691278

    Filing date: 2000-10-17

    IPC classification: H04L9/00

    Abstract: One embodiment of the present invention provides a system for operating a key distribution center (KDC) that provides keys to facilitate secure communications between clients and servers across a computer network, wherein the system operates without having to store long-term server secrets. The system operates by receiving a communication from a server at the KDC. This communication includes an identifier for the server, as well as a temporary secret key to be used in communications between a client and the server for a limited time period. In response to the communication, the system attempts to authenticate the server. If the server is successfully authenticated, the system stores the temporary secret key at the KDC, so that the temporary secret key can be subsequently used to facilitate communications with the server. Upon subsequently receiving a request at the KDC from a client that desires to communicate with the server, the system produces a session key to be used in communications between the client and server, and then creates a ticket to the server by encrypting an identifier for the client and the session key with the temporary secret key for the server. Next, the system assembles a message that includes the identifier for the server, the session key and the ticket to the server, and sends the message to the client in a secure manner. The system subsequently allows the client to forward the ticket to the server in order to initiate communications between the client and the server.

    Method and apparatus for preventing spanning tree loops during traffic overload conditions
    58.
    Granted patent; status: In force

    Publication No.: US07339900B2

    Publication date: 2008-03-04

    Application No.: US10671643

    Filing date: 2003-09-26

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L12/28

    Abstract: One embodiment of the present invention provides a system that prevents loops from occurring when spanning tree configuration messages are lost while executing a spanning tree protocol on bridges in a network. During operation, the system executes the spanning tree protocol on a bridge. This spanning tree protocol configures each port coupled to the bridge into either a forwarding state, in which messages are forwarded to and from the port, or a backup state, in which messages are not forwarded to or from the port. The system also monitors ports coupled to the bridge to determine when messages are lost by the ports. If one or more messages are lost on a port, the system refrains from forwarding messages to or from the port until no messages are lost by the port for an amount of time.

    Secure ephemeral decryptability
    59.
    Granted patent

    Publication No.: US07016499B2

    Publication date: 2006-03-21

    Application No.: US09880470

    Filing date: 2001-06-13

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L9/00

    CPC classification: H04L9/083 H04L9/088

    Abstract: A method and apparatus for securely communicating ephemeral information from a first node to a second node. In a first embodiment, the first node encodes and transmits an ephemeral message encrypted at least in part with an ephemeral key, from the first node to the second node. Only the second node has available to it the information needed for an ephemeral key server to decrypt the decryption key that is required to decrypt certain encrypted payload information contained within the message communicated from the first node to the second node. In a second embodiment the first node transmits to the second node an ephemeral message that is encrypted at least in part with an ephemeral key. The ephemeral message includes enough information to permit the second node to communicate at least a portion of the message to an ephemeral key server and for the ephemeral key server to verify that the second node is an authorized decryption agent for the message. After verifying that the second node is an authorized decryption agent for the message, the ephemeral key server returns to the second node an encrypted decryption key that is needed to decrypt the encrypted message. The ephemeral message may comprise an encrypted decryption key that may be used, after decryption of the decryption key, to decrypt other encrypted information communicated to the second node.

    Method and apparatus for presenting anonymous group names
    60.
    Granted patent; status: In force

    Publication No.: US06801998B1

    Publication date: 2004-10-05

    Application No.: US09439246

    Filing date: 1999-11-12

    IPC classification: H04L9/00

    Abstract: A method and system for granting an applicant associated with a client computer in a client-server system access to a requested service without providing the applicant with intelligible information regarding group membership. The applicant transmits a request for service to an application server over a computer network. In response, the application server prepares an encrypted message which includes the identification of the group or groups having access privileges and transmits the encrypted message to the client along with a request that the client prove membership in at least one of the groups. The message is encrypted with an encryption key which can be decrypted by a group membership server.
