Method and apparatus for securely forgetting secrets
    81.
    Granted patent
    Method and apparatus for securely forgetting secrets (In force)

    Publication number: US07770213B2

    Publication date: 2010-08-03

    Application number: US11405980

    Filing date: 2006-04-17

    IPC classification: G06F17/30

    Abstract: One embodiment of the present invention provides a system that facilitates securely forgetting a secret. During operation, the system obtains a set of secrets which are encrypted with a secret key S_i, wherein the set of secrets includes a secret to be forgotten and other secrets which are to be remembered. Next, the system decrypts the secrets to be remembered using S_i, and also removes the secret to be forgotten from the set of secrets. The system then obtains a new secret key S_{i+1}, and encrypts the secrets to be remembered using S_{i+1}. Finally, the system forgets S_i.


    Router based defense against denial of service attacks using dynamic feedback from attacked host
    82.
    Granted patent
    Router based defense against denial of service attacks using dynamic feedback from attacked host (In force)

    Publication number: US07760722B1

    Publication date: 2010-07-20

    Application number: US11256254

    Filing date: 2005-10-21

    IPC classification: H04L12/28 G06F15/16 G06F7/04

    CPC classification: H04L63/1458

    Abstract: An edge device including a first list and a second list, and a first queue and a second queue configured to receive packets, wherein packet information for each of the packets forwarded to the first queue is on the first list and packet information for each of the packets forwarded to the second queue is not on the first list. The edge device is configured to, for each of the packets stored in the second queue, send a message to a host to send a first test to a source of the packet, wherein the host is operatively connected to the edge device; obtain a response to the first test from the host; place the packet information on the first list if a successful response to the first test is received; and place the packet information on the second list if an unsuccessful response to the first test is received.


    NEARLY-STATELESS KEY ESCROW SERVICE
    83.
    Patent application
    NEARLY-STATELESS KEY ESCROW SERVICE (In force)

    Publication number: US20100142713A1

    Publication date: 2010-06-10

    Application number: US12331848

    Filing date: 2008-12-10

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L9/06

    CPC classification: H04L9/0869 H04L9/0894

    Abstract: Some embodiments provide a system to generate a key pair. During operation, the system can receive a request to generate the key pair, wherein the key pair is generated by a key assigner, and wherein the key pair is associated with a user. Next, the system can determine a secret associated with the key assigner. Specifically, the system can determine the secret by determining an initial secret associated with the key assigner, and by applying a one-way hash function to the initial secret one or more times. The system can then determine a seed based on the secret. Specifically, the system can determine the seed by cryptographically combining the secret with information associated with the user. Next, the system can generate the key pair by using the seed as an input to a key generator. The system can then return the key pair to a requestor.


    FAST COMPUTATION OF ONE-WAY HASH SEQUENCES
    84.
    Patent application
    FAST COMPUTATION OF ONE-WAY HASH SEQUENCES (In force)

    Publication number: US20090279692A1

    Publication date: 2009-11-12

    Application number: US12118893

    Filing date: 2008-05-12

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: H04L9/28

    Abstract: Some embodiments of the present invention provide a system that computes a target secret S_t in a sequence of secrets S_0, ..., S_n. During operation, the system obtains k hash functions h_1, ..., h_k, where h_1 is known as the "lowest order hash function" and h_k is known as the "highest order hash function." Associated with each hash function h_i is a seed value seed_i comprising a pair (seedindex_i, seedvalue_i). Hash function h_i operates on a pair (index_i, value_i) to produce a pair (newindex_i, newvalue_i), where newindex_i > index_i. To compute target secret S_t, the hash functions are applied successively, starting with the highest order hash function whose associated seed's index value is largest without being greater than t, applying that hash function as many times as possible without having that hash function's output's index value become greater than t, and then applying each successive hash function in turn as many times as possible, until S_t has been computed. To delete the earliest computable secret in the chain, S_1, the new seed for each of the hash functions is computed as follows. Let x = 1 + index_1 (the index of the seed associated with the lowest order hash function). For each hash function h_i, if x > index_i, then h_i is applied to seed_i. If the resulting index_i is greater than index_{i+1}, then (index_{i+1}, value_{i+1}) associated with hash function h_{i+1} is copied into the (index, value) associated with h_i. Otherwise, seed_i is replaced by h_i(seed_i).


    AUTOMATIC DATA REVOCATION TO FACILITATE SECURITY FOR A PORTABLE COMPUTING DEVICE
    85.
    Patent application
    AUTOMATIC DATA REVOCATION TO FACILITATE SECURITY FOR A PORTABLE COMPUTING DEVICE (Pending, published)

    Publication number: US20090019293A1

    Publication date: 2009-01-15

    Application number: US11865308

    Filing date: 2007-10-01

    Applicant: Radia J. Perlman

    Inventor: Radia J. Perlman

    IPC classification: G06F12/14

    Abstract: Some embodiments of the present invention provide a system that automatically revokes data on a portable computing device. During operation, the system uses a key K1 to encrypt data on the portable computing device. The system then attempts to verify that the portable computing device is secure. If the attempt to verify that the portable computing device is secure fails, the system causes K1 to be removed from the portable computing device.


    Method and system for proving membership in a nested group using chains of credentials
    86.
    Granted patent
    Method and system for proving membership in a nested group using chains of credentials (In force)

    Publication number: US07213262B1

    Publication date: 2007-05-01

    Application number: US09310165

    Filing date: 1999-05-10

    IPC classification: H04L9/32 G06F15/16 G06F17/30

    CPC classification: G06F21/6218 G06F2221/2115

    Abstract: In accordance with the invention, a presenter of credentials presents to a recipient of credentials one or more chains of group credentials to prove entity membership or non-membership in a nested group in a computer network. The ability to present a chain of credentials is particularly important when a client is attempting to prove membership or non-membership in a nested group and one or more of the group servers in the family tree are off-line. A chain of group credentials includes two or more proofs of group membership and/or proofs of group non-membership. Furthermore, the proofs of group membership may include one or more group membership certificates and/or one or more group membership lists; and proofs of group non-membership may include one or more group non-membership certificates and/or one or more group membership lists.


    Method and apparatus for facilitating instant failover during packet routing
    87.
    Granted patent
    Method and apparatus for facilitating instant failover during packet routing (In force)

    Publication number: US07068595B2

    Publication date: 2006-06-27

    Application number: US09834771

    Filing date: 2001-04-13

    IPC classification: H04L12/26

    CPC classification: H04L45/00 H04L45/28 H04L45/32

    Abstract: One embodiment of the present invention provides a system that facilitates instant failover during packet routing by employing a flooding protocol to send packets between a source and a destination. Upon receiving a packet containing data at an intermediate node located between the source and the destination, the system determines whether the packet has been seen before at the intermediate node. If not, the system forwards the packet to neighboring nodes of the intermediate node. In one embodiment of the present invention, forwarding the packet to neighboring nodes involves forwarding the packet to all neighboring nodes except the node from which the packet was received. In one embodiment of the present invention, determining whether the packet has been seen before involves examining a sequence number, SR, contained within the packet to determine whether the sequence number has been seen before.


    Autoconfiguring IP routers
    88.
    Granted patent
    Autoconfiguring IP routers (In force)

    Publication number: US06912205B2

    Publication date: 2005-06-28

    Application number: US09727223

    Filing date: 2000-11-30

    IPC classification: H04L12/56 H04L29/12 H04L12/26

    Abstract: In automatically configuring network-layer addresses for network nodes in a network region, a specified router on each link generates link number request messages for the link. An address-assigning node assigns a region-wise unique link number to each link identified in a request message, and returns link number assignment messages containing the assigned link numbers. Each specified router assigns the link number from a received link number assignment message to a field of the network-layer addresses of the nodes on the associated link. According to a variation of the method, each specified router self-selects a link number and communicates with the other specified routers to avoid conflicts. Each specified router receives messages from the other specified routers containing numbers selected as region-wise unique link numbers for other links. Each specified router stores the received link numbers in association with the respective links in a local database. To configure a link number for the local link, a specified router selects a candidate region-wise unique link number not already associated with another link in the local database, generates a message containing the selected number, and propagates the message within the network region. Each specified router monitors the messages to detect when another specified router has selected the same link number. When this occurs, the specified router evaluates a conflict-resolution criterion to determine which router is entitled to keep a duplicate link number, and selects a new link number if necessary.


    Coordinating loop-free forwarding table updates
    89.
    Granted patent
    Coordinating loop-free forwarding table updates (In force)

    Publication number: US06768740B1

    Publication date: 2004-07-27

    Application number: US09633969

    Filing date: 2000-08-08

    IPC classification: H04L12/28

    CPC classification: H04L45/18 H04L45/02

    Abstract: A central node in a network computes for, and sends to, each node a forwarding table which consists of the set of neighbors to which the node should forward a message intended for a particular destination. The message includes a version number in the packet header field indicating which forwarding table version the node should use to forward the packet. The node does not begin marking and forwarding packets according to the new version number immediately. The node may wait a period of time after receiving the new table, or may wait until receiving notification from the fabric manager, before beginning to use the new version number. When a node receives a message from an end node, it inserts either the most recently received version number, in one embodiment, or the version dictated by the fabric manager, in another embodiment. If the node receives a message from another node with a forwarding table version not resident at the node, the node forwards the packet using the most recent version of the forwarding table it has resident and changes the version in the message accordingly prior to forwarding.


    Content screening with end-to-end encryption within a firewall
    90.
    Granted patent
    Content screening with end-to-end encryption within a firewall (In force)

    Publication number: US06546486B1

    Publication date: 2003-04-08

    Application number: US09510912

    Filing date: 2000-02-23

    IPC classification: H04L9/36

    Abstract: One embodiment of the present invention provides a system that performs content screening on a message that is protected by end-to-end encryption. The system operates by receiving an encrypted message at a firewall from a source outside of the firewall, the encrypted message having been formed by encrypting the message with a message key. In order to restore the message, the system procures the message key and decrypts the encrypted message with the message key. Next, the system screens the message within the firewall to determine whether the message satisfies a screening criterion. If so, the system allows a destination within the firewall to process the message. In one embodiment of the present invention, procuring the message key includes allowing the source and the destination to negotiate the message key, which is then sent to the firewall. In one embodiment of the present invention, the firewall procures the message key by receiving an encrypted message key along with the encrypted message, the encrypted message key having been formed by encrypting the message key. Next, the firewall sends the encrypted message key to the destination, and allows the destination to decrypt the encrypted message key to restore the message key. Finally, the destination returns the message key to the firewall so that the firewall can decrypt the message.
