公开(公告)号：US08544077B2

公开(公告)日：2013-09-24

申请号：US12490124

申请日：2009-06-23

Applicant: Eric J. Sprunk ,  Paul Moroney ,  Alexander Medvinsky ,  Steven E. Anderson ,  Jonathan A. Fellows

Inventor： Eric J. Sprunk ,  Paul Moroney ,  Alexander Medvinsky ,  Steven E. Anderson ,  Jonathan A. Fellows

IPC: G06F7/04

CPC classification number: H04L29/06027 ,  G06F12/1408 ,  G06F21/606 ,  G06F2207/7219 ,  G06F2211/008 ,  G06F2221/2129 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/3213 ,  H04L9/3263 ,  H04L63/0435 ,  H04L63/0442 ,  H04L63/061 ,  H04L63/062 ,  H04L63/0807 ,  H04L63/12 ,  H04L65/1043

Abstract: A secure Internet Protocol (IP) telephony system, apparatus, and methods are disclosed. Communications over an IP telephony system can be secured by securing communications to and from a Cable Telephony Adapter (CTA). The system can include one or more CTAs, network servers, servers configured as signaling controllers, key distribution centers (KDC), and can include gateways that couple the IP telephony system to a Public Switched Telephone Network (PSTN). Each CTA can be configured as secure hardware and can be configured with multiple encryption keys that are used to communicate signaling or bearer channel communications. The KDC can be configured to periodically distribute symmetric encryption keys to secure communications between devices that have been provisioned to operate in the system and signaling controllers. The secure devices, such as the CTA, can communicate with other secure devices by establishing signaling and bearer channels that are encrypted with session specific symmetric keys derived from a symmetric key distributed by a signaling controller.

公开(公告)号：US08356314B2

公开(公告)日：2013-01-15

申请号：US11250352

申请日：2005-10-14

Applicant: Eric J. Sprunk

Inventor： Eric J. Sprunk

IPC: H04N7/16 ,  H04N7/167

CPC classification number: H04L63/08 ,  H04N7/1675 ,  H04N21/23476 ,  H04N21/2541 ,  H04N21/4117 ,  H04N21/435 ,  H04N21/4424 ,  H04N21/4623 ,  H04N21/8166 ,  H04N21/835 ,  H04N21/8355 ,  H04N2005/91364

Abstract: A method for securing a plaintext object within a content receiver is described. In one step, a secure portion of a secure object and a plaintext remainder of the secure object are received. Which portion of the secure object is the secure portion is determined. The secure portion is decrypted to provide a plaintext portion. The plaintext object that comprises the plaintext portion and the plaintext remainder is formed. The plaintext object is stored including authentication and authorization.

Abstract translation: 描述了用于保护内容接收器内的明文对象的方法。 在一个步骤中，接收安全对象的安全部分和安全对象的明文剩余部分。 确定安全对象的哪一部分是安全部分。 解密安全部分以提供明文部分。 形成包含明文部分和明文余数的明文对象。 存储明文对象包括认证和授权。

公开(公告)号：US08321663B2

公开(公告)日：2012-11-27

申请号：US12650943

申请日：2009-12-31

Applicant: Alexander Medvinsky ,  Tat Keung Chan ,  Eric J. Sprunk

Inventor： Alexander Medvinsky ,  Tat Keung Chan ,  Eric J. Sprunk

IPC: H04L9/00

CPC classification number: H04L9/3263 ,  H04L9/3247 ,  H04L63/0823 ,  H04L63/162 ,  H04L2209/60 ,  H04L2209/80 ,  H04W12/06

Abstract: A method is provided for enhancing security of a communication session between first and second endpoints which employs a key management protocol. The method includes sending a first message to a first end point over a communications network requesting a secure communication session therewith. The message includes an identity of a second end point requesting the authenticated communication session. A digital certificate is received from the first endpoint over the communications network. The digital certificate is issued by a certifying source verifying information contained in the digital certificate. The digital certificate includes a plurality of fields, one or more of which are transformed in accordance with a transformation algorithm. A reverse transform is applied to the one or more transformed fields to obtain the one or more fields. The digital certificate is validated and a second message is sent to the first endpoint indicating that validation is complete.

Abstract translation: 提供了一种用于增强使用密钥管理协议的第一和第二端点之间的通信会话的安全性的方法。 该方法包括通过通信网络向第一终端发送请求与其的安全通信会话的第一消息。 该消息包括请求认证通信会话的第二端点的标识。 通过通信网络从第一端点接收数字证书。 数字证书由认证来源验证数字证书中包含的信息。 数字证书包括多个字段，其中一个或多个字段根据变换算法进行变换。 对一个或多个变换字段应用反向变换以获得一个或多个字段。 验证数字证书，并将第二个消息发送到第一个端点，表示验证完成。

公开(公告)号：US20110161661A1

公开(公告)日：2011-06-30

申请号：US12650943

申请日：2009-12-31

Applicant: Alexander Medvinsky ,  Tat Keung Chan ,  Eric J. Sprunk

Inventor： Alexander Medvinsky ,  Tat Keung Chan ,  Eric J. Sprunk

IPC: H04L9/32 ,  H04L29/06 ,  H04L9/28

CPC classification number: H04L9/3263 ,  H04L9/3247 ,  H04L63/0823 ,  H04L63/162 ,  H04L2209/60 ,  H04L2209/80 ,  H04W12/06

Abstract: A method is provided for enhancing security of a communication session between first and second endpoints which employs a key management protocol. The method includes sending a first message to a first end point over a communications network requesting a secure communication session therewith. The message includes an identity of a second end point requesting the authenticated communication session. A digital certificate is received from the first endpoint over the communications network. The digital certificate is issued by a certifying source verifying information contained in the digital certificate. The digital certificate includes a plurality of fields, one or more of which are transformed in accordance with a transformation algorithm. A reverse transform is applied to the one or more transformed fields to obtain the one or more fields. The digital certificate is validated and a second message is sent to the first endpoint indicating that validation is complete.

Abstract translation: 提供了一种用于增强使用密钥管理协议的第一和第二端点之间的通信会话的安全性的方法。 该方法包括通过通信网络向第一终端发送请求与其的安全通信会话的第一消息。 该消息包括请求认证通信会话的第二端点的标识。 通过通信网络从第一端点接收数字证书。 数字证书由认证来源验证数字证书中包含的信息。 数字证书包括多个字段，其中一个或多个字段根据变换算法进行变换。 对一个或多个变换字段应用反向变换以获得一个或多个字段。 验证数字证书，并将第二个消息发送到第一个端点，表示验证完成。

公开(公告)号：US06810525B1

公开(公告)日：2004-10-26

申请号：US09631328

申请日：2000-08-03

Applicant: Reem Safadi ,  Eric J. Sprunk ,  Doug Makofka ,  Ray Bontempi

Inventor： Reem Safadi ,  Eric J. Sprunk ,  Doug Makofka ,  Ray Bontempi

IPC: H04N7173

CPC classification number: H04N21/47211 ,  G06Q20/12 ,  G06Q20/145 ,  G06Q20/3674 ,  G07F17/16 ,  H04N7/165 ,  H04N7/1675 ,  H04N21/2543 ,  H04N21/25875 ,  H04N21/478 ,  H04N21/6125 ,  H04N21/63345 ,  H04N2007/1739

Abstract: A method and system are provided for impulse purchasing of services over a communication network, such as a cable or satellite television network. Such services can include games or information accompanying television programming, home-shopping, e-mail services, streaming media and the like. Security is provided through entitlements generated by the access controller 14 and entitlement tokens generated by a secure processor. The secure processor is located at a subscriber terminal 16 through which a subscriber orders and obtains the services. A token is generated when the subscriber either selects the service, if pre-authorized, or when the service is purchased on impulse. The token is secure and signed, and may be used by a policy/proxy server 18 subtending to the Network Operator's ISP and associated services to further facilitate offering these services to the subscribers.

Abstract translation: 提供了一种方法和系统，用于通过诸如有线电视或卫星电视网络的通信网络的脉冲购买服务。 这样的服务可以包括伴随电视节目，家庭购物，电子邮件服务，流媒体等的游戏或信息。 通过由访问控制器14产生的授权和由安全处理器产生的授权令牌来提供安全性。 安全处理器位于用户终端16，用户通过该终端订购并获得服务。 当用户选择服务时，如果预先授权，或者服务是按冲动购买的，则产生一个令牌。 该令牌是安全和签名的，并且可以被对准网络运营商的ISP和相关联的服务的策略/代理服务器18使用，以进一步促进向订户提供这些服务。

公开(公告)号：US06804782B1

公开(公告)日：2004-10-12

申请号：US09373866

申请日：1999-08-13

Applicant: Xin Qiu ,  Eric J. Sprunk ,  Daniel Z. Simon ,  Lawrence Tang ,  Lawrence R. Cook

Inventor： Xin Qiu ,  Eric J. Sprunk ,  Daniel Z. Simon ,  Lawrence Tang ,  Lawrence R. Cook

IPC: G06F1130

CPC classification number: G06F9/3001 ,  G06F2207/7219 ,  H04L9/003 ,  H04L9/005 ,  H04L9/3013 ,  H04L9/302

Abstract: A cryptography circuit provides secure processing of data by utilizing countermeasures that combat timing and power attacks. Superfluous operations such as multiplication operations, modular reductions by an integer, storage of data to memory are available for use by a processor to disguise the amount of power usage and the amount of time required to perform a cryptographic operation. A cryptographic key is available for use in order to trigger when these emulated operations occur. The occurrences of the emulated operations is controlled by the user to provide the preferred tradeoff between security and use of resources.

Abstract translation: 加密电路通过利用对抗定时和电源攻击的对策来提供对数据的安全处理。 多余的操作，例如乘法运算，整数模块化减少，数据存储到存储器可供处理器使用，以掩盖功率使用量和执行加密操作所需的时间。 可以使用加密密钥来在这些仿真操作发生时触发。 仿真操作的发生由用户控制，以提供资源的安全性和使用之间的首选权衡。

公开(公告)号：US07929701B1

公开(公告)日：2011-04-19

申请号：US10049812

申请日：2000-01-28

Applicant: Eric J. Sprunk ,  Paul Moroney

Inventor： Eric J. Sprunk ,  Paul Moroney

IPC: H04L9/00 ,  H04L29/06

CPC classification number: H04L29/06027 ,  G06F12/1408 ,  G06F21/606 ,  G06F2207/7219 ,  G06F2211/008 ,  G06F2221/2129 ,  H04L9/3263 ,  H04L63/0435 ,  H04L63/062 ,  H04L63/30 ,  H04L65/1043 ,  H04L2209/56 ,  Y02E50/17

Abstract: Multiple public/private key pairs of varying levels of security are used to provide a high level of security while still allowing fast processing of encrypted information. The lower-security level includes keys that are small in length, that are changed relatively often, and that require less or fewer resources to implement their functions. When it is required to change key pairs of low security, a key pair at a higher security level (i.e., longer length keys) than the lower-security level keys is used to transfer the new lower-security public keys to devices using those keys. The higher-security keys can, in turn, be changed at a frequency lower than the lower-security keys. The higher-security keys require a higher level of resources to perform their coding operations. This approach of using keys of escalating levels of security to replace lower-security keys, where the higher-security keys require more resources, are more secure, and are replaced less often than the lower-security keys, can be followed as many times as is desired to create a hierarchy of public key uses with the result that the lower-security operations can be performed quickly while the overall system security is high.

Abstract translation: 使用不同级别的安全性的多个公钥/私钥对来提供高水平的安全性，同时仍然允许加密信息的快速处理。 较低安全级别包括长度较小的密钥，相对频繁地更改，并且需要较少或较少的资源来实现其功能。 当需要更改低安全性的密钥对时，使用比较低安全级别密钥更高的安全级别的密钥对（即较长的密钥）将新的较低安全性的公钥传输到使用这些密钥的设备 。 更高安全性的密钥又可以以低于较低安全密钥的频率进行更改。 较高安全性的密钥需要更高级别的资源来执行编码操作。 使用升级级别的安全性的密钥替代较低安全性密钥（其中较高安全性密钥需要更多资源）的方法更安全，并且被替换的次数低于较低安全密钥，可以跟随多次 需要创建公共密钥使用的层次结构，结果是可以在整个系统安全性较高的情况下快速执行较低安全性的操作。

公开(公告)号：US07305555B2

公开(公告)日：2007-12-04

申请号：US10109111

申请日：2002-03-27

Applicant: John I. Okimoto ,  Eric J. Sprunk ,  Lawrence W. Tang ,  Annie On-yee Chen ,  Bridget Kimball ,  Douglas Petty

Inventor： John I. Okimoto ,  Eric J. Sprunk ,  Lawrence W. Tang ,  Annie On-yee Chen ,  Bridget Kimball ,  Douglas Petty

IPC: H04L9/00 ,  H04K1/00 ,  G06F11/30 ,  G06F12/14 ,  G06Q40/00 ,  H04L9/32 ,  H04N7/167 ,  H04N1/44 ,  H04K1/02

CPC classification number: H04N21/254 ,  H04N7/163 ,  H04N21/2543 ,  H04N21/26609 ,  H04N21/4181 ,  H04N21/4367 ,  H04N21/4623

Abstract: A system is described for uniquely mating components of a communication network such as a smartcard and a set-top box. When mated, the smartcard and set-top box are tied together and have a single identity. Further, the smartcard operates properly only when inserted into an authorized set-top box. Exchanges of information between both components are secured by encryption and authentication to guard against piracy of the exchanged information. The system provides the same authentication key to the set-top box and the smartcard. This key is used for authenticating communication between the set-top box and the smartcard. First, the authentication key is encrypted by a set-top box mating key. The set-top box employs this mating key to decrypt the authentication key. After it is derived, the authentication key is stored in the set-top box's memory. Further, the same authentication key is encrypted by a smartcard mating key. Thereafter, the smartcard employs the smartcard mating key to extract the authentication key. The clear authentication key is stored in the smartcard's memory as well. In this manner, the authentication key is used for securing all communication between the set-top box and the smart-card. For example, the set-top box may request control words from the smartcard. Only after authenticating the request, are the control words for decrypting digital content provided to the set-top box. If the smartcard authentication key is different from the set-top box key, the request for control words is denied.

Abstract translation: 描述了用于唯一地匹配诸如智能卡和机顶盒之类的通信网络的组件的系统。 当配对时，智能卡和机顶盒被捆绑在一起并具有单一身份。 此外，仅当插入授权的机顶盒时，智能卡才能正常运行。 通过加密和认证来确保两个组件之间的信息交换，以防止所交换信息的盗版。 系统向机顶盒和智能卡提供相同的认证密钥。 该密钥用于认证机顶盒和智能卡之间的通信。 首先，认证密钥由机顶盒配对密钥加密。 机顶盒采用这种配对密钥来解密认证密钥。 导出后，身份验证密钥存储在机顶盒的内存中。 此外，相同的认证密钥由智能卡配对密钥加密。 此后，智能卡采用智能卡配对密钥来提取认证密钥。 清除认证密钥也存储在智能卡的存储器中。 以这种方式，认证密钥用于保护机顶盒和智能卡之间的所有通信。 例如，机顶盒可以从智能卡请求控制字。 只有在认证请求之后，才是解密提供给机顶盒的数字内容的控制字。 如果智能卡认证密钥与机顶盒密钥不同，则拒绝对控制字的请求。

公开(公告)号：US06961427B1

公开(公告)日：2005-11-01

申请号：US09717761

申请日：2000-11-21

Applicant: Xin Qiu ,  Eric J. Sprunk

Inventor： Xin Qiu ,  Eric J. Sprunk

IPC: H04L9/26 ,  H04L9/04

CPC classification number: H04L9/0668 ,  H04L2209/125

Abstract: Methods and apparatus for the generation of a cryptographic one way function (a key or keystream generator) for use in encrypting or decrypting binary data. A non-linear key or keystream generation algorithm using multiple feedback shift registers is provided. The feedback shift registers may be constructed utilizing an advanced mathematical construct called an extended Galois Field GF(2m). The key or keystream is generated as a non-linear function of the outputs of the multiple feedback shift registers, which may be a combination of static feedback shift registers and dynamic feedback shift registers. Dense primitive polynomials with many coefficients may be used to produce a cryptographically robust keystream for use as an encryption or decryption key.

Abstract translation: 用于生成用于加密或解密二进制数据的加密单向函数（密钥或密钥流生成器）的方法和装置。 提供了使用多个反馈移位寄存器的非线性密钥或密钥流生成算法。 反馈移位寄存器可以利用称为扩展Galois Field GF（2MM）的高级数学结构来构造。 密钥或密钥流作为多反馈移位寄存器的输出的非线性函数产生，其可以是静态反馈移位寄存器和动态反馈移位寄存器的组合。 可以使用具有许多系数的密集原始多项式来产生用作加密或解密密钥的加密鲁棒密钥流。

公开(公告)号：US06711684B1

公开(公告)日：2004-03-23

申请号：US09394765

申请日：1999-09-13

Applicant: Paul Moroney ,  Eric J. Sprunk ,  Adam L. Rappoport ,  Lawrence W. Tang

Inventor： Paul Moroney ,  Eric J. Sprunk ,  Adam L. Rappoport ,  Lawrence W. Tang

IPC: G06F1214

CPC classification number: G06F21/572 ,  G06F8/66 ,  G06F12/1408 ,  G06F21/64 ,  G06F21/71 ,  G06F21/72 ,  G06F21/73 ,  G06F21/74 ,  G06F2207/7219 ,  G06F2221/2105 ,  G06F2221/2129 ,  G06F2221/2147

Abstract: Methods and an apparatus for storing information in a processing device with flexible security are disclosed. In one embodiment, a method stores information within the processing device. The method receives a download via a first input path which includes a first breakable link and stores the download within the processing device. At some point, a key is also stored within the processing device. A ciphertext download is received via a second input path which includes a second breakable link. The ciphertext download is decrypted utilizing the key and the resulting plaintext download is stored within the processing device.

Abstract translation: 公开了一种在具有灵活安全性的处理设备中存储信息的方法和装置。 在一个实施例中，方法将信息存储在处理设备内。 该方法经由包括第一可破坏链路的第一输入路径接收下载，并将该下载存储在处理设备内。 在某一点上，密钥也存储在处理设备内。 经由包括第二可破坏链路的第二输入路径接收密文下载。 使用密钥对密文下载进行解密，并将所得到的明文下载存储在处理设备内。