1. Authentication via monitoring
    Granted patent (in force)

    Publication number: US08806572B2

    Publication date: 2014-08-12

    Application number: US12475486

    Filing date: 2009-05-30

    IPC classification: H04L29/06

    CPC classification: H04L63/1408 H04L63/08

    Abstract: Systems, methods, and other embodiments associated with authentication via monitoring are described. One example method includes detecting a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. The example method may also include collecting an identity data associated with the DFWIOI from the DFWIOI, the first endpoint, the second endpoint, and so on. The example method may also include making an authentication policy decision regarding the DFWIOI based, at least in part, on the identity data. The example method may also include controlling a networking device associated with the DFWIOI based, at least in part, on the authentication policy decision.

2. Key transport in authentication or cryptography
    Granted patent (in force)

    Publication number: US08356177B2

    Publication date: 2013-01-15

    Application number: US12604221

    Filing date: 2009-10-22

    IPC classification: H04L9/00

    Abstract: A computer system for authenticating, encrypting, and transmitting a secret communication, where the encryption key is transmitted along with the encrypted message, is disclosed. In an embodiment, a first transmitting processor encrypts a plaintext message to a ciphertext message using a data key, encrypts the data key using a key encrypting key, and sends a communication comprising the encrypted data key and the ciphertext message. A second receiving processor receives the communication and then decrypts the encrypted data key using the key encrypting key and decrypts the ciphertext message using the data key to recover the plaintext message.

3. Networking device provisioning
    Granted patent (in force)

    Publication number: US08341250B2

    Publication date: 2012-12-25

    Application number: US12475487

    Filing date: 2009-05-30

    IPC classification: G06F15/177

    CPC classification: H04L41/0806 H04L63/0823

    Abstract: Systems, methods and other embodiments associated with network device provisioning are described. One example method includes storing a set of device specific identification data in a network device. The example method may also include storing an association between the network device and a set of device specific provisioning data. The example method may also include providing the set of device specific provisioning data to the network device. The set of device specific provisioning data may be provided in response to receiving a provisioning data request from the network device.

4. Enabling stateless server-based pre-shared secrets
    Granted patent (in force)

    Publication number: US08166301B2

    Publication date: 2012-04-24

    Application number: US11843292

    Filing date: 2007-08-22

    IPC classification: H04L29/06

    Abstract: A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

5. Inspection and rewriting of cryptographically protected data from group VPNs
    Patent application (in force)

    Publication number: US20100064137A1

    Publication date: 2010-03-11

    Application number: US12231813

    Filing date: 2008-09-05

    IPC classification: H04L9/00

    Abstract: Systems, methods, and other embodiments associated with processing secure network traffic are described. One example method includes determining whether a device is a preconfigured member of a group key system. If the device is not a preconfigured member then the method selectively establishes membership in the group key system by requesting membership from a group controller. The example method may also include receiving a set of keys from the group controller and being assigned a role by the group controller. The method may further include processing secure network traffic as an inspection point, a rewriting point, and/or a validation point based on the received set of keys and the assigned role(s).

6. System and method for dynamic secured group communication
    Granted patent (in force)

    Publication number: US07509491B1

    Publication date: 2009-03-24

    Application number: US10867266

    Filing date: 2004-06-14

    IPC classification: H04L9/00

    Abstract: Conventional mechanisms exist for denoting such a communications group (group) and for establishing point-to-point, or unicast, secure connections between members of the communications group. In a particular arrangement, group members employ a group key operable for multicast security for unicast communication, thus avoiding establishing additional unicast keys for each communication between group members. Since the recipient of such a unicast message may not know the source, however, the use of the group key assures the recipient that the sender is a member of the same group. Accordingly, a system which enumerates a set of subranges (subnets) included in a particular group, such as a VPN, and establishes a group key corresponding to the group applies the group key to communications from the group members in the subnet. The group key is associated with the group ID by enumerating the address prefixes corresponding to each of the subnets in the group, and examining outgoing transmissions for destination addresses matching one of the address prefixes corresponding to the group.

7. Avoiding server storage of client state
    Granted patent (in force)

    Publication number: US07373502B2

    Publication date: 2008-05-13

    Application number: US10756633

    Filing date: 2004-01-12

    Applicant: David A. McGrew

    Inventor: David A. McGrew

    IPC classification: H04L9/00

    Abstract: A method is disclosed for avoiding the storage of client state on a server. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the server can use to encrypt and authenticate communication to and from the client. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

8. Enabling stateless server-based pre-shared secrets
    Granted patent (in force)

    Publication number: US07346773B2

    Publication date: 2008-03-18

    Application number: US10756634

    Filing date: 2004-01-12

    IPC classification: H04L9/00 G06F15/16

    Abstract: A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

9. Key generation for networks
    Granted patent (in force)

    Publication number: US08867747B2

    Publication date: 2014-10-21

    Application number: US12414772

    Filing date: 2009-03-31

    IPC classification: H04L9/08

    CPC classification: H04L9/0869 H04L9/083

    Abstract: Systems, methods, and other embodiments associated with key generation for networks are described. One example method includes configuring a key server with a pseudo-random function (PRF). The key server may provide keying material to gateways. The method may also include controlling the key server to generate a cryptography data structure (e.g., D-matrix) based, at least in part, on the PRF and a seed value. The method may also include controlling the key server to selectively distribute a portion of the cryptography data structure and/or data derived from the cryptography data structure to a gateway. The gateway may then encrypt communications based, at least in part, on the portion of the cryptography data structure. The method may also include selectively distributing an epoch value to members of the set of gateways that may then decrypt an encrypted communication based, at least in part, on the epoch value.

10. Protecting digital data such as images on a device with image acquisition capabilities
    Granted patent (in force)

    Publication number: US08473757B2

    Publication date: 2013-06-25

    Application number: US12388387

    Filing date: 2009-02-18

    IPC classification: G06F21/00

    CPC classification: H04L9/0891 H04L9/0894

    Abstract: Digital data, such as images on a digital camera, is typically protected (e.g., encrypted and/or authenticated) based on a master key stored off the device. The original master key can be acquired in a number of different ways, including being generated by the device or by another device. A one-way, progressive series of keys is derived from the master key such that only images or data of the same session can be authenticated or decrypted for viewing, export or manipulation of the decrypted image/data. In order to decrypt images or data of a previous session on the device, the master key must be imported to the device, such as by, but not limited to, taking a picture of a representation of the key and interpreting the image to reacquire the master key.
