TRUSTED NETWORK ACCESS CONTROLLING METHOD BASED ON TRI-ELEMENT PEER AUTHENTICATION
    81.
    Invention application
    TRUSTED NETWORK ACCESS CONTROLLING METHOD BASED ON TRI-ELEMENT PEER AUTHENTICATION (status: in force)

    Publication No.: US20100263023A1

    Publication date: 2010-10-14

    Application No.: US12742618

    Filing date: 2008-11-14

    IPC classes: H04L29/06 H04L9/32 H04W12/08

    Abstract: A trusted network access control method based on tri-element peer authentication comprises: first, initializing the creditability (trustworthiness) collectors and the creditability verifier; then running the tri-element peer authentication protocol among the network access requester, the network access controller and the authentication policy server in the network access control layer, to achieve bi-directional user authentication between the access requester and the access controller; when that authentication succeeds, or when local policy requires a platform creditability evaluation, the TNC client, the TNC server and the evaluation policy server in the trusted platform evaluation layer run the tri-element peer authentication protocol to achieve bi-directional platform creditability authentication between the access requester and the access controller; finally, the access requester and the access controller each control their ports according to the recommendations generated by the TNAC client and the TNAC server. The invention addresses the poor extensibility of the background art, and further addresses its complex key negotiation and relatively low security.

TRUSTED NETWORK ACCESS CONTROL SYSTEM BASED TERNARY EQUAL IDENTIFICATION
    82.
    Invention application
    TRUSTED NETWORK ACCESS CONTROL SYSTEM BASED TERNARY EQUAL IDENTIFICATION (status: in force)

    Publication No.: US20100251334A1

    Publication date: 2010-09-30

    Application No.: US12743170

    Filing date: 2008-11-14

    IPC classes: H04L9/32 H04L29/06 H04L12/28

    Abstract: A trusted network access control system based on ternary equal identification (tri-element peer authentication) is provided. The system comprises an access requestor (AR), an access controller (AC) and a policy manager (PM), together with the protocol interfaces among them. The protocol interface between the AR and the AC comprises a trusted network transmission interface (IF-TNT) and the IF-TNACCS interface between the TNAC client and the TNAC server. The protocol interface between the AC and the PM comprises an authentication policy service interface (IF-APS), an evaluation policy service interface (IF-EPS) and a trust measurement interface (IF-TM). The protocol interface between the AR and the PM comprises a trust measurement interface (IF-TM).

Wireless personal area network accessing method
    83.
    Invention grant
    Wireless personal area network accessing method (status: in force)

    Publication No.: US08631232B2

    Publication date: 2014-01-14

    Application No.: US12863272

    Filing date: 2009-01-14

    IPC classes: H04L29/00

    Abstract: A wireless personal area network access method is provided. A coordinator broadcasts a beacon frame that indicates whether the coordinator requires authentication and, when it does, also carries the authentication and key management suites the coordinator supports. A device receives the beacon frame; when the device determines that the coordinator requires authentication, the coordinator and the device authenticate each other using the authentication method corresponding to the authentication and key management suite supported by the coordinator. The association between the coordinator and the device is then made either directly according to the authentication result, or after a session key negotiation.

PLATFORM AUTHENTICATION STRATEGY MANAGEMENT METHOD AND DEVICE FOR TRUSTED CONNECTION ARCHITECTURE
    84.
    Invention application
    PLATFORM AUTHENTICATION STRATEGY MANAGEMENT METHOD AND DEVICE FOR TRUSTED CONNECTION ARCHITECTURE (status: in force)

    Publication No.: US20130133030A1

    Publication date: 2013-05-23

    Application No.: US13813291

    Filing date: 2011-05-26

    IPC classes: H04L29/06

    Abstract: Provided are a platform authentication policy management method for the trusted connect architecture (TCA), and the trusted network connect (TNC) client, TNC access point and evaluation policy service provider that implement the method in the TCA. In embodiments of the invention, the platform authentication policy for an access requestor can be configured in the TNC access point or in the evaluation policy service provider, and a policy configured in the evaluation policy service provider can be delivered to the TNC access point. Moreover, a component-type-level convergence platform evaluation policy can be executed in the TNC access point or in the evaluation policy service provider, so that the implementation of TCA platform authentication has good application extensibility.

Trusted network connect method for enhancing security
    85.
    Invention grant
    Trusted network connect method for enhancing security (status: in force)

    Publication No.: US08271780B2

    Publication date: 2012-09-18

    Application No.: US12671575

    Filing date: 2008-07-21

    IPC classes: H04L9/00

    Abstract: A trusted network connect method for enhancing security: platform integrity information is prepared in advance and an integrity verification requirement is set. A network access requestor initiates an access request; the network access authority starts a bi-directional user authentication process and begins the tri-element peer authentication protocol with the user authentication service unit. After bi-directional user authentication succeeds, the TNC server and the TNC client perform bi-directional platform integrity evaluation. The network access requestor and the network access authority then control their ports according to their respective recommendations, implementing mutual access control between the access requestor and the access authority. The invention addresses the technical problems of the background art: relatively low security, the access requestor possibly being unable to verify the validity of the AIK credential, and platform integrity evaluation that is not performed in a peer (symmetric) manner. The invention may simplify key management and the integrity verification mechanism, and extend the scope of application of trusted network connect.

Access authentication method suitable for the wire-line and wireless network
    86.
    Invention grant
    Access authentication method suitable for the wire-line and wireless network (status: in force)

    Publication No.: US08225092B2

    Publication date: 2012-07-17

    Application No.: US11816743

    Filing date: 2006-02-21

    IPC classes: H04L29/06

    Abstract: An access authentication method includes pre-establishing a secure channel between the authentication server of the access point and the authentication server of the user terminal, and performing the authentication process at the user terminal and the access point. The authentication process includes: 1) the access point sending an authentication-activation message; 2) the user terminal sending a request message to the authentication server of the user terminal; 3) the authentication server of the user terminal sending a response message to the user terminal; and 4) completing the authentication.

Peer-to-peer access control method based on ports
    87.
    Invention grant
    Peer-to-peer access control method based on ports (status: in force)

    Publication No.: US08176325B2

    Publication date: 2012-05-08

    Application No.: US11816715

    Filing date: 2006-02-21

    IPC classes: H04L29/06

    Abstract: A port-based peer access control method comprises the steps of: 1) enabling the authentication control entity; 2) the two authentication control entities authenticating each other; 3) setting the status of the controlled port. The method may further comprise enabling the authentication server entity and the two authentication subsystems negotiating a key. By removing the asymmetry of the background technique, the invention offers peer control, a distinguishable authentication control entity, good scalability, good security, a simple key negotiation process, a relatively complete system and high flexibility; it can therefore satisfy the requirements of central management and resolve the technical issues of prior network access control methods, namely complex process, poor security and poor scalability, thus providing an essential guarantee for secure network access.

TRUSTED NETWORK CONNECT HANDSHAKE METHOD BASED ON TRI-ELEMENT PEER AUTHENTICATION
    88.
    Invention application
    TRUSTED NETWORK CONNECT HANDSHAKE METHOD BASED ON TRI-ELEMENT PEER AUTHENTICATION (status: pending, published)

    Publication No.: US20110238996A1

    Publication date: 2011-09-29

    Application No.: US13132842

    Filing date: 2009-12-08

    IPC classes: H04L9/32

    Abstract: A trusted network connect handshake method based on tri-element peer authentication is provided, comprising the following steps. An access controller (AC) sends message 1, handshake activation, to an access requestor (AR). On receiving message 1, the AR sends message 2, an access handshake request, to the AC. On receiving message 2, the AC sends message 3, a certificate authentication and integrity evaluation request, to a policy manager (PM). On receiving message 3, the PM sends message 4, the certificate authentication and integrity evaluation response, to the AC. On receiving message 4, the AC sends message 5, the access handshake response, to the AR. The trusted network connect handshake is complete once the AR has received message 5.
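
    The five-message exchange above, as an added worked example that is not code from the patent or its assignee: a stdlib-only Python simulation in which an access controller, an access requestor and a policy manager run messages 1 to 5, the PM returning a verdict on each peer's credential (and on the AR's integrity report) bound to both nonces, after which each side sets its own controlled port, as entries 81 and 87 describe. Every name in it (`PolicyManager`, `run_handshake`, the `ar-1`/`ac-1` identities, the keys, the `pcr:` measurement strings) is invented for the example, and HMAC tags under keys each entity shares with the PM are an assumption standing in for the certificate signatures the real protocol would verify.

```python
import hashlib
import hmac
import os

# Added simulation of the five-message AR/AC/PM handshake, not the patent's own code. Assumption: every
# entity shares a key with the PM; HMAC tags under those keys stand in for certificate signatures.


def tag(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so (a, bc) and (ab, c) never collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.hexdigest()


class PolicyManager:
    """Third element: verifies both credentials and the AR's integrity report (msg 3 -> msg 4)."""
    def __init__(self, keys, reference):
        self.keys = keys            # identity -> key shared with the PM (credential stand-in)
        self.reference = reference  # identity -> expected integrity measurement

    def _credential_ok(self, ident, nonce, proof):
        key = self.keys.get(ident)
        return key is not None and hmac.compare_digest(tag(key, ident, nonce), proof)

    def handle_msg3(self, m3):
        ar_ok = self._credential_ok(m3["id_ar"], m3["n_ar"], m3["proof_ar"])
        ac_ok = self._credential_ok(m3["id_ac"], m3["n_ac"], m3["proof_ac"])
        integrity_ok = ar_ok and m3["measurement"] == self.reference.get(m3["id_ar"])
        verdict_for_ar = b"ac_ok" if ac_ok else b"ac_bad"                     # what the AR learns
        verdict_for_ac = b"ar_ok" if (ar_ok and integrity_ok) else b"ar_bad"  # what the AC learns
        # Each verdict is bound to both nonces and the subject's identity and tagged under the
        # recipient's own key, so the relaying AC or a man-in-the-middle cannot alter or replay it.
        key_ar, key_ac = self.keys.get(m3["id_ar"], b""), self.keys.get(m3["id_ac"], b"")
        return {"verdict_for_ar": verdict_for_ar,
                "tag_for_ar": tag(key_ar, verdict_for_ar, m3["n_ar"], m3["n_ac"], m3["id_ac"]),
                "verdict_for_ac": verdict_for_ac,
                "tag_for_ac": tag(key_ac, verdict_for_ac, m3["n_ar"], m3["n_ac"], m3["id_ar"])}


class AccessController:
    def __init__(self, ident, pm_key, pm):
        self.ident, self.pm_key, self.pm = ident, pm_key, pm
        self.controlled_port = "unauthorized"

    def msg1(self):
        """Message 1, handshake activation: a fresh AC nonce."""
        self.n_ac = os.urandom(16)
        return {"n_ac": self.n_ac}

    def handle_msg2(self, m2):
        """Send msg 3 to the PM, verify msg 4, set our controlled port, return msg 5 for the AR."""
        if m2["n_ac"] != self.n_ac:
            raise ValueError("msg 2 does not echo the AC nonce")
        m3 = dict(m2, id_ac=self.ident, proof_ac=tag(self.pm_key, self.ident, self.n_ac))
        m4 = self.pm.handle_msg3(m3)
        expected = tag(self.pm_key, m4["verdict_for_ac"], m2["n_ar"], self.n_ac, m2["id_ar"])
        if not hmac.compare_digest(expected, m4["tag_for_ac"]):
            raise ValueError("msg 4 verdict for the AC is not authentic")
        self.controlled_port = "authorized" if m4["verdict_for_ac"] == b"ar_ok" else "unauthorized"
        return {"n_ar": m2["n_ar"], "n_ac": self.n_ac, "id_ac": self.ident,
                "verdict": m4["verdict_for_ar"], "tag": m4["tag_for_ar"]}


class AccessRequestor:
    def __init__(self, ident, pm_key, measurement):
        self.ident, self.pm_key, self.measurement = ident, pm_key, measurement
        self.controlled_port = "unauthorized"

    def handle_msg1(self, m1):
        """Message 2, access handshake request: AR nonce, echoed AC nonce, proof, integrity report."""
        self.n_ar, self.n_ac = os.urandom(16), m1["n_ac"]
        return {"n_ar": self.n_ar, "n_ac": self.n_ac, "id_ar": self.ident,
                "proof_ar": tag(self.pm_key, self.ident, self.n_ar), "measurement": self.measurement}

    def handle_msg5(self, m5):
        """Message 5, access handshake response: verify the PM's verdict about the AC, set our port."""
        if m5["n_ar"] != self.n_ar or m5["n_ac"] != self.n_ac:
            raise ValueError("msg 5 nonces do not belong to this handshake")
        expected = tag(self.pm_key, m5["verdict"], self.n_ar, self.n_ac, m5["id_ac"])
        if not hmac.compare_digest(expected, m5["tag"]):
            raise ValueError("msg 5 verdict about the AC is not authentic")
        self.controlled_port = "authorized" if m5["verdict"] == b"ac_ok" else "unauthorized"


def run_handshake(ar, ac):
    """Drive messages 1 to 5 (3 and 4 run inside handle_msg2); return (AR port, AC port)."""
    ar.handle_msg5(ac.handle_msg2(ar.handle_msg1(ac.msg1())))
    return ar.controlled_port, ac.controlled_port


# Constructed sample deployment (not from the patent): one PM that knows one AC and one AR.
PM = PolicyManager(keys={b"ar-1": b"k-ar-1", b"ac-1": b"k-ac-1"}, reference={b"ar-1": b"pcr:abc"})


def build_ac():
    return AccessController(b"ac-1", b"k-ac-1", PM)


def build_ar(measurement=b"pcr:abc"):
    return AccessRequestor(b"ar-1", b"k-ar-1", measurement)


if __name__ == "__main__":
    print(run_handshake(build_ar(), build_ac()), run_handshake(build_ar(b"pcr:bad"), build_ac()))
```

    Running it prints ('authorized', 'authorized') for a healthy AR and ('authorized', 'unauthorized') for one whose integrity report does not match the PM's reference: the AR still opens its own port because the PM vouched for the AC, while the AC keeps its port closed. The checks a practitioner should look for are the echoed nonces (a stale message 5 is rejected), the subject identity folded into the PM's tag (a verdict about one AC cannot be reused for another), and the fact that each side sets only its own port, which is the symmetric control that entry 87 contrasts with the asymmetric background art.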

TRUSTED NETWORK MANAGEMENT METHOD OF TRUSTED NETWORK CONNECTIONS BASED ON TRI-ELEMENT PEER AUTHENTICATION
    89.
    Invention application
    TRUSTED NETWORK MANAGEMENT METHOD OF TRUSTED NETWORK CONNECTIONS BASED ON TRI-ELEMENT PEER AUTHENTICATION (status: in force)

    Publication No.: US20110162042A1

    Publication date: 2011-06-30

    Application No.: US13059798

    Filing date: 2009-08-20

    IPC classes: G06F15/16

    Abstract: A trusted network management method for trusted network connections based on tri-element peer authentication. A trusted management proxy and a trusted management system are installed and configured on, respectively, the host to be managed and the management host, and each is verified as locally trusted. If the host to be managed and the management host are not yet connected to the trusted network, each connects to it using the trusted network connect method based on tri-element peer authentication, and the trusted management proxy and the trusted management system then perform their authentication and cipher-key negotiation. If the two hosts have not yet completed user authentication and cipher-key negotiation, they complete them using the tri-element peer authentication protocol, then use the same protocol to establish the remote trust of the trusted management proxy and the trusted management system, and finally perform network management. The invention can actively defend against attacks, strengthen the security of the trusted network management architecture, and realize trusted network management with distributed control and centralized management.

TRUSTED NETWORK MANAGEMENT METHOD BASED ON TCPA/TCG TRUSTED NETWORK CONNECTION
    90.
    Invention application
    TRUSTED NETWORK MANAGEMENT METHOD BASED ON TCPA/TCG TRUSTED NETWORK CONNECTION (status: pending, published)

    Publication No.: US20110145425A1

    Publication date: 2011-06-16

    Application No.: US13058988

    Filing date: 2009-08-20

    IPC classes: G06F15/16

    Abstract: A trusted network management method based on TCPA/TCG trusted network connection is provided. A trusted management agent and a trusted management system are installed and configured on, respectively, a managed host and a managing host, and each is verified as locally trusted. If the managed host and the managing host are not yet connected to a trusted network, each connects to it separately using a method based on TCPA/TCG trusted network connection, and the trusted management agent and the trusted management system then perform their authentication and key negotiation procedure. If the managed host and the managing host have not yet performed user authentication and key negotiation, they perform that procedure, then establish the remote trustworthiness of the trusted management agent and the trusted management system, and finally perform network management.